https://community.cisco.com/t5/network-security/icmp-list/m-p/1505279#M599343 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>ICMP traffic to the firewall is not controlled using access-lists. Instead you will have to use the "icmp" command details of which can be found below:</P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i1.html#wp1685750">http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i1.html#wp1685750</A></P><P></P><P>For example, if you would like to allow the subnet 192.168.100.0/24 to ping the "inside" interface of the firewall, the command would be</P><P></P><P>icmp permit 192.168.100.0 255.255.255.0 inside</P><P></P><P>Hope that clears things out!!</P><P></P><P>Cheers,</P><P>Prapanch</P></BODY></HTML> Thu, 04 Nov 2010 03:14:21 GMT praprama 2010-11-04T03:14:21Z https://community.cisco.com/t5/network-security/icmp-list/m-p/1505276#M599340 <P>i have an acl which is :</P><P>access-list local_inside extended permit icmp 192.168.100.0 255.255.255.0 any log alerts interval 400</P><P></P><P>1. if it says only icmp protocol to any, does it cover icmp echo &amp; echo-reply both?</P><P>2. does interval 400 indicate a period of 400 secs after which the next hit for the same list will be shown. existing flow using the present session till the time interval?</P><P>3. since destination is any here, will it register icmp from source to interface ip of the firewall itself, if ping be tried to those interfaces or will it only have flow through the firewall?</P><P></P><P>TIA.</P> Mon, 11 Mar 2019 19:03:54 GMT https://community.cisco.com/t5/network-security/icmp-list/m-p/1505276#M599340 suthomas1 2019-03-11T19:03:54Z https://community.cisco.com/t5/network-security/icmp-list/m-p/1505277#M599341 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>1. it covers both icmp echo and reply.</P><P>2.interval specifies the log interval at which to generate system log message 106100. Valid values are from 1 to 600 seconds. The default is 300.</P><P>3. Access-list will register the the pings which flow through the firewall and not to the interface of the firewall.</P><P></P><P>Hope the above answers your question.</P><P></P><P>Regards</P><P>Rahul</P></BODY></HTML> Wed, 03 Nov 2010 11:41:37 GMT https://community.cisco.com/t5/network-security/icmp-list/m-p/1505277#M599341 rmavila 2010-11-03T11:41:37Z https://community.cisco.com/t5/network-security/icmp-list/m-p/1505278#M599342 <HTML><HEAD></HEAD><BODY><P>Thanks for the answers. A small bit here, since the acl says any destination, shouldnt icmp to fw interface also count under those.</P><P>If this is not it, where would icmp from same source subnet to fw interface be accounted for.</P><P></P><P>TIA</P></BODY></HTML> Thu, 04 Nov 2010 00:27:05 GMT https://community.cisco.com/t5/network-security/icmp-list/m-p/1505278#M599342 suthomas1 2010-11-04T00:27:05Z https://community.cisco.com/t5/network-security/icmp-list/m-p/1505279#M599343 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>ICMP traffic to the firewall is not controlled using access-lists. Instead you will have to use the "icmp" command details of which can be found below:</P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i1.html#wp1685750">http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i1.html#wp1685750</A></P><P></P><P>For example, if you would like to allow the subnet 192.168.100.0/24 to ping the "inside" interface of the firewall, the command would be</P><P></P><P>icmp permit 192.168.100.0 255.255.255.0 inside</P><P></P><P>Hope that clears things out!!</P><P></P><P>Cheers,</P><P>Prapanch</P></BODY></HTML> Thu, 04 Nov 2010 03:14:21 GMT https://community.cisco.com/t5/network-security/icmp-list/m-p/1505279#M599343 praprama 2010-11-04T03:14:21Z