https://community.cisco.com/t5/network-security/block-ping-to-outside-interface-of-asa-from-internet/m-p/1029765#M937212 <HTML><HEAD></HEAD><BODY><P>You cant use ACLs for that, for allowing(denying) ICMP to interface use ICMP command in global configuration.. (ICMP is permited by default)</P><P></P><P>icmp deny any outside</P><P></P><P>Check this for more info</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/i1_72.html#wp1631466" target="_blank">http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/i1_72.html#wp1631466</A></P><P>M.</P><P>hope that helps rate if it doest</P></BODY></HTML> Mon, 26 May 2008 14:44:34 GMT m.sir 2008-05-26T14:44:34Z https://community.cisco.com/t5/network-security/block-ping-to-outside-interface-of-asa-from-internet/m-p/1029764#M937211 <P>We recently had a security audit of our network carried out. </P><P></P><P>One of the minor points raised was that ping responses were received from our firewall's public IP address (i.e. the outside interface) and this may allow an attacker to enumerate our network.</P><P></P><P>We've therefore been asked to turn off ping responses from our outside interface.</P><P></P><P>However, I can't find a way to prevent our outside interface responding to ping requests sent from the internet? (I can successfully block ICMP requests going THROUGH the firewall)</P><P></P><P>I have an access-list applied to the outside interface with "deny icmp any any" but the outside interface still responds to pings.</P><P></P><P>How can this be achieved?</P><P></P><P></P><P></P> Mon, 11 Mar 2019 12:49:59 GMT https://community.cisco.com/t5/network-security/block-ping-to-outside-interface-of-asa-from-internet/m-p/1029764#M937211 mitchen 2019-03-11T12:49:59Z https://community.cisco.com/t5/network-security/block-ping-to-outside-interface-of-asa-from-internet/m-p/1029765#M937212 <HTML><HEAD></HEAD><BODY><P>You cant use ACLs for that, for allowing(denying) ICMP to interface use ICMP command in global configuration.. (ICMP is permited by default)</P><P></P><P>icmp deny any outside</P><P></P><P>Check this for more info</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/i1_72.html#wp1631466" target="_blank">http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/i1_72.html#wp1631466</A></P><P>M.</P><P>hope that helps rate if it doest</P></BODY></HTML> Mon, 26 May 2008 14:44:34 GMT https://community.cisco.com/t5/network-security/block-ping-to-outside-interface-of-asa-from-internet/m-p/1029765#M937212 m.sir 2008-05-26T14:44:34Z https://community.cisco.com/t5/network-security/block-ping-to-outside-interface-of-asa-from-internet/m-p/1029766#M937213 <HTML><HEAD></HEAD><BODY><P>if you want asa not to respond to any icmp echo request coming from internet,use :</P><P></P><P></P><P>ASA5510-Single(config)# icmp deny any echo-reply outside</P><P></P><P>By this way,asa would still be able to ping any ip address on internet.</P><P></P><P>If you use :</P><P></P><P></P><P>ASA5510-Single(config)# icmp deny any outside</P><P></P><P></P><P>asa would not be able to ping on internet.</P><P></P><P></P><P>HTH,</P><P>Sushil </P><P>Cisco TAC</P></BODY></HTML> Mon, 26 May 2008 17:56:15 GMT https://community.cisco.com/t5/network-security/block-ping-to-outside-interface-of-asa-from-internet/m-p/1029766#M937213 suschoud 2008-05-26T17:56:15Z https://community.cisco.com/t5/network-security/block-ping-to-outside-interface-of-asa-from-internet/m-p/1029767#M937214 <HTML><HEAD></HEAD><BODY><P>Thanks, that worked fine.</P></BODY></HTML> Wed, 28 May 2008 08:33:04 GMT https://community.cisco.com/t5/network-security/block-ping-to-outside-interface-of-asa-from-internet/m-p/1029767#M937214 mitchen 2008-05-28T08:33:04Z https://community.cisco.com/t5/network-security/block-ping-to-outside-interface-of-asa-from-internet/m-p/4654863#M1092036 <P>Hi Buddy,</P><P>I have tried the command&nbsp;<SPAN>icmp deny any echo-reply outside but after my complete internet went down. Is it any alternative way i can restrict ping from internet&nbsp;</SPAN></P> Thu, 21 Jul 2022 13:18:00 GMT https://community.cisco.com/t5/network-security/block-ping-to-outside-interface-of-asa-from-internet/m-p/4654863#M1092036 sv7 2022-07-21T13:18:00Z https://community.cisco.com/t5/network-security/block-ping-to-outside-interface-of-asa-from-internet/m-p/4707977#M1094433 <P>The below command is correct.</P> <P>icmp permit any echo-reply Outside<BR />icmp permit any time-exceeded Outside<BR />icmp permit any unreachable Outside</P> <P>refer to:</P> <P><A href="https://community.cisco.com/t5/network-security/block-ping-to-outside-interface-but-allow-ping-out-from-asa/td-p/2317192" target="_blank">https://community.cisco.com/t5/network-security/block-ping-to-outside-interface-but-allow-ping-out-from-asa/td-p/2317192</A></P> Mon, 24 Oct 2022 07:56:09 GMT https://community.cisco.com/t5/network-security/block-ping-to-outside-interface-of-asa-from-internet/m-p/4707977#M1094433 wangxkc 2022-10-24T07:56:09Z