
How ASA Handles PING Traffic

Hi Experts,

 

Could you please assist with how the ASA handles ping? I've seen in the docs that if the ASA is to allow ping THROUGH the firewall, ICMP inspection needs to be enabled. Is that enough, or do we need to allow it in an ACL as well for it to work?

 

Also, please guide me on how the ASA handles ICMP traffic generated FROM the firewall (e.g. from the ASA to inside/outside hosts).

 

 

Regards,

Srinivasan

Accepted Solutions

Dennis Mink
VIP Alumni

It's actually pretty simple. If you allow ICMP from inside to out (either with or without an ACL), the ICMP inspection will dynamically allow the echo reply back to the source of the ping. If you turn ICMP inspection off, then you would need to explicitly permit ICMP echo replies back in. I hope that explains it.

Please remember to rate useful posts, by clicking on the stars below.
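
The two options described in the answer above, written out as ASA configuration. This is an added example, not part of the original post; the ACL name `OUTSIDE_IN`, the interface name `outside` and the addresses in the packet-tracer line are assumptions for illustration.

```cisco
! ---- Option A: ICMP inspection enabled (stateful) ----
! global_policy / inspection_default are the ASA's default policy-map
! and class-map. With "inspect icmp" the ASA tracks each echo request
! leaving the inside and permits only the matching echo reply back in.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! No inbound ACL entry for echo-reply is needed on the outside interface.

! ---- Option B: ICMP inspection disabled (stateless) ----
policy-map global_policy
 class inspection_default
  no inspect icmp
!
! The reply must now be permitted explicitly on the lower-security side.
! OUTSIDE_IN is an assumed ACL name. Note that this entry admits ANY
! echo-reply arriving on the outside, whether or not a request was sent,
! so scope the source/destination as tightly as the environment allows.
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-group OUTSIDE_IN in interface outside

! ---- Checks ----
! Confirm whether "inspect icmp" is present in the running policy:
show running-config policy-map
!
! Simulate an echo request (type 8, code 0) entering the inside
! interface. Addresses are constructed samples (RFC 1918 / RFC 5737).
packet-tracer input inside icmp 10.1.1.10 8 0 203.0.113.5
```

Option A is the tighter of the two because the return path opens only for replies that match an outstanding request.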


Hi Dennis, thanks for the reply. Please assist: by default, to which zone (Inside/Outside/DMZ) is ICMP ping allowed when traffic is initiated FROM the ASA firewall?

When you initiate icmp (or other) traffic from the firewall itself, it will be allowed (absent an (uncommon) output ACL) and sourced from the interface which is the current egress for the destination per the ASA's routing table.
