
ASA Firewall - Restrict ICMP from a subnet to any

par13
Level 1

Hi

I am trying to create a simple access-list rule that restricts an external subnet to pinging any host behind the firewall.

The rule is access-list outside-access_in permit icmp host 172.2.1.2 any

The rule loads without any issues, but the external host cannot ping any host in the firewall.

However, if one changes the rule to, say, access-list outside-access_in permit icmp any any, then it works.

What am I missing?

2 Replies

>  access-list outside-access_in permit icmp host 172.2.1.2 any

Which IP are you using here? Up to ASA v8.2 it has to be the translated IP; from 8.3 onwards, it has to be the real IP of the host.

And do you have a valid translation or have you exempted the traffic from NAT (based on your needs)?

Hi

This is an old PIX 515 still running 6.3(5).
