https://community.cisco.com/t5/network-security/icmp-being-allowed-through/m-p/1125969#M893892 <HTML><HEAD></HEAD><BODY><P>Thanks Jon! </P></BODY></HTML> Thu, 06 Nov 2008 22:12:33 GMT John Blakley 2008-11-06T22:12:33Z https://community.cisco.com/t5/network-security/icmp-being-allowed-through/m-p/1125959#M893876 <P>I can't understand this one. I have a netopia router in front of an ASA. The ASA is getting an address from the provider for the time being, but I can ping that address. In my logs I see where the icmp connection is being built and torn down on the ASA, but it's from a different ip than mine. Is it possible that I'm hitting the netopia router and it's responding for the ASA?</P><P></P><P>Thanks,</P><P></P><P>John</P> Mon, 11 Mar 2019 14:09:29 GMT https://community.cisco.com/t5/network-security/icmp-being-allowed-through/m-p/1125959#M893876 John Blakley 2019-03-11T14:09:29Z https://community.cisco.com/t5/network-security/icmp-being-allowed-through/m-p/1125960#M893878 <HTML><HEAD></HEAD><BODY><P>John</P><P></P><P>Could you provide a bit of addressing - doesn't have to be the real addressing just use any addressing to give example. Is it </P><P></P><P>LAN -&gt; ASA -&gt; Netopia router</P><P></P><P>If so could you provide addressing for interfaces and also where you are pinging from.</P><P></P><P>What do you mean when you say ASA ia getting address from provider - do you mean DHCP ?</P><P></P><P>Jon</P></BODY></HTML> Thu, 06 Nov 2008 21:19:17 GMT https://community.cisco.com/t5/network-security/icmp-being-allowed-through/m-p/1125960#M893878 Jon Marshall 2008-11-06T21:19:17Z https://community.cisco.com/t5/network-security/icmp-being-allowed-through/m-p/1125961#M893880 <HTML><HEAD></HEAD><BODY><P>It's a pppoe account that's assigned an address. The current layout is </P><P></P><P>LAN --&gt; ASA --&gt; Netopia --&gt; Cloud</P><P></P><P>The ASA public is 192.168.1.5</P><P></P><P>The Netopia is supposedly in bridging mode.</P><P></P><P>From my box (outside of their network), I can ping 192.168.1.5. In the logs I see:</P><P></P><P>%ASA-6-302020: Built inbound ICMP connection for faddr 1.1.1.1 (my public)/37737 gaddr</P><P>192.168.1.5/0 laddr 192.168.1.5/0</P><P></P><P>This makes NO sense. I don't have ACLs that are allowing the traffic through, and I was always under the assumption that the public side always dropped any traffic unless explicitly permitted.</P><P></P><P>Thanks,</P><P></P><P>John</P><P></P><P></P></BODY></HTML> Thu, 06 Nov 2008 21:33:21 GMT https://community.cisco.com/t5/network-security/icmp-being-allowed-through/m-p/1125961#M893880 John Blakley 2008-11-06T21:33:21Z https://community.cisco.com/t5/network-security/icmp-being-allowed-through/m-p/1125962#M893882 <HTML><HEAD></HEAD><BODY><P>John</P><P></P><P>Sorry it's been a long day so i may be a bit slow ! You are pinging from another public IP address, nothing to do with the LAN behind the ASA.</P><P></P><P>If so an acl on the outside interface of the ASA does not control whether you can ping the outside interface but whether ICMP is allowed through.</P><P></P><P>Look in the ASA config to see if there is a line </P><P></P><P>icmp permit any outside</P><P></P><P>Again, apologies if i am still not understanding.</P><P></P><P>Jon</P></BODY></HTML> Thu, 06 Nov 2008 21:42:39 GMT https://community.cisco.com/t5/network-security/icmp-being-allowed-through/m-p/1125962#M893882 Jon Marshall 2008-11-06T21:42:39Z https://community.cisco.com/t5/network-security/icmp-being-allowed-through/m-p/1125963#M893883 <HTML><HEAD></HEAD><BODY><P>It's understandable...it has been a LONG day <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>I'm pinging from one public to another public (outside interface on ASA). There's no icmp lines on there, and to verify I did the following:</P><P></P><P>access-list TEST deny icmp any any</P><P>access-list TEST permit ip any any</P><P></P><P>access-group TEST in interface outside</P><P></P><P>I can still ping with no hits on the acl. I believe the Netopia is answering for the request.</P><P></P><P>--John</P></BODY></HTML> Thu, 06 Nov 2008 21:46:12 GMT https://community.cisco.com/t5/network-security/icmp-being-allowed-through/m-p/1125963#M893883 John Blakley 2008-11-06T21:46:12Z https://community.cisco.com/t5/network-security/icmp-being-allowed-through/m-p/1125964#M893885 <HTML><HEAD></HEAD><BODY><P>Okay i need some sleep <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>I'm pinging from one public to another public (outside interface of ASA) - yes but where from a topology point of view is the other public IP ie. the public IP that is not the outside interface of the ASA ?</P><P></P><P>Jon</P></BODY></HTML> Thu, 06 Nov 2008 21:59:53 GMT https://community.cisco.com/t5/network-security/icmp-being-allowed-through/m-p/1125964#M893885 Jon Marshall 2008-11-06T21:59:53Z https://community.cisco.com/t5/network-security/icmp-being-allowed-through/m-p/1125965#M893886 <HTML><HEAD></HEAD><BODY><P>It's in another state <span class="lia-unicode-emoji" title=":monkey_face:">🐵</span></P><P></P><P>It connects to us through easyvpn. I thought that was the problem, so I remoted into one of my laptops at my house, and I could ping it from there too. The ASA is just another device out on the internet. Does that help? It really makes no sense, and it's frustrating me. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> I don't get frustrated easily.... LOL</P><P></P><P>--John</P></BODY></HTML> Thu, 06 Nov 2008 22:05:44 GMT https://community.cisco.com/t5/network-security/icmp-being-allowed-through/m-p/1125965#M893886 John Blakley 2008-11-06T22:05:44Z https://community.cisco.com/t5/network-security/icmp-being-allowed-through/m-p/1125966#M893887 <HTML><HEAD></HEAD><BODY><P>Lets use a bit of inverse logic. On your ASA</P><P></P><P>asa(config)# icmp deny any outside</P><P></P><P>Jon</P></BODY></HTML> Thu, 06 Nov 2008 22:05:45 GMT https://community.cisco.com/t5/network-security/icmp-being-allowed-through/m-p/1125966#M893887 Jon Marshall 2008-11-06T22:05:45Z https://community.cisco.com/t5/network-security/icmp-being-allowed-through/m-p/1125967#M893889 <HTML><HEAD></HEAD><BODY><P>LOL! That worked <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> Now, why won't my acl block it?? It wasn't even touching my acl.</P></BODY></HTML> Thu, 06 Nov 2008 22:08:59 GMT https://community.cisco.com/t5/network-security/icmp-being-allowed-through/m-p/1125967#M893889 John Blakley 2008-11-06T22:08:59Z https://community.cisco.com/t5/network-security/icmp-being-allowed-through/m-p/1125968#M893891 <HTML><HEAD></HEAD><BODY><P>John</P><P></P><P>Think we have both had it today. </P><P></P><P>Your acl has no effect on ICMP traffic going to an interface on the ASA. An acl only effects ICMP traffic (and all other traffic) going through the ASA from one side to another.</P><P></P><P>Default must be to allow icmp but to all interfaces but it didn't used to be.</P><P></P><P>Jon</P></BODY></HTML> Thu, 06 Nov 2008 22:11:24 GMT https://community.cisco.com/t5/network-security/icmp-being-allowed-through/m-p/1125968#M893891 Jon Marshall 2008-11-06T22:11:24Z https://community.cisco.com/t5/network-security/icmp-being-allowed-through/m-p/1125969#M893892 <HTML><HEAD></HEAD><BODY><P>Thanks Jon! </P></BODY></HTML> Thu, 06 Nov 2008 22:12:33 GMT https://community.cisco.com/t5/network-security/icmp-being-allowed-through/m-p/1125969#M893892 John Blakley 2008-11-06T22:12:33Z