07-20-2020 12:14 PM - edited 07-20-2020 12:17 PM
Hi
I am looking for a simple setup
1) Nobody should be able to ping my ASA's outside interface except (an Object group of) whitelisted IPs
2) We should be able to ping everything from inside to outside
How do I achieve this?
Thank you very much in advance.
07-20-2020 12:20 PM
Hi,
1. Use the command "icmp { permit | deny } ip_address net_mask [ icmp_type ] if_name" to configure ICMP rules to ping the ASA's interface.
Reference:-
https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/i1.html
2. Use the command fixup protocol icmp to enable ICMP inspection for traffic through the ASA (from inside to outside).
HTH
07-20-2020 12:23 PM
icmp permit any outside - allow ping outside
then create an ACL to allow only those IP addresses.
07-20-2020 12:26 PM
Could you please elaborate with an example? Thank you.
07-20-2020 12:31 PM
The following example permits host 172.16.2.15 or hosts on subnet 172.22.1.0/16 to ping the outside interface:
ciscoasa(config)# icmp permit host 172.16.2.15 echo-reply outside
ciscoasa(config)# icmp permit 172.22.1.0 255.255.0.0 echo-reply outside
ciscoasa(config)# icmp permit any unreachable outside
07-20-2020 12:43 PM
# access-list ACL_IN permit icmp any any echo-reply
# access-list ACL_IN permit icmp any any echo
# access-list ACL_IN permit icmp any any time-exceeded
# access-group ACL_IN in interface outside
create ACL_IN with the IP address in it.
07-22-2020 08:48 AM
Would access list work with 'to the box' traffic?
I created the following ACL, please let me know if this is fine
icmp permit any echo-reply outside << ASA can ping any IP on Internet
icmp permit host a.b.c.d outside << a.b.c.d can ping ASA's Outside Interface
icmp deny any outside << Nobody can ping ASA's Outside Interface
*With this config, all my inside hosts are able to ping internet, which is fine.
07-22-2020 09:05 AM
No. An access list assigned to an interface e.g. "access-list OUTSIDE_IN permit|deny icmp any any" denies or permits traffic through the ASA, not to the ASA's interface.
The configuration you provided with the command starting icmp ....... controls traffic to the ASA's interface, and has nothing to do with allowing inside hosts to ping the internet.
07-22-2020 10:01 AM
Thank you,
Please ignore my point about 'through the box' traffic.
So, the configuration I pasted is good enough, correct?
Two questions
1) I assume there is no way to use object group in this 'icmp' acl? The best way to add entries is use ASDM and use 'insert' feature, correct?
2) I tried using a control plane ACL to deny ICMP traffic, it didn't work. Does a control plane ACL not work with ICMP?
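Because the icmp command takes no object-group, each whitelisted host or subnet has to become its own line, in the right order. The following Python helper is an added example (not anything posted in this thread and not a Cisco tool): it expands a constructed whitelist of documentation-range addresses into the ordered to-the-box rule set and simulates the ASA's first-match evaluation, which shows why the catch-all deny must be the last line.

```python
import ipaddress

# Constructed whitelist (documentation addresses, not from the thread):
# hosts and subnets allowed to ping the outside interface.
WHITELIST = ["203.0.113.10", "198.51.100.0/24"]

def host_bits_set(entry):
    """True for entries like 172.22.1.0/16 whose address has host bits set."""
    iface = ipaddress.ip_interface(entry)
    return iface.ip != iface.network.network_address

def icmp_rules(whitelist, if_name="outside"):
    """Expand a whitelist into ordered to-the-box ICMP rules for if_name.
    The ASA evaluates icmp rules first-match, so the deny-all goes last."""
    rules = [
        f"icmp permit any echo-reply {if_name}",   # replies to pings the ASA sends
        f"icmp permit any unreachable {if_name}",  # keep path-MTU discovery working
    ]
    for entry in whitelist:
        if host_bits_set(entry):
            raise ValueError(f"{entry}: host bits set, fix the prefix length")
        net = ipaddress.ip_network(entry)
        if net.prefixlen == 32:
            rules.append(f"icmp permit host {net.network_address} echo {if_name}")
        else:
            rules.append(f"icmp permit {net.network_address} {net.netmask} echo {if_name}")
    rules.append(f"icmp deny any {if_name}")  # nobody else may ping the interface
    return rules

def evaluate(rules, src_ip, icmp_type, if_name="outside"):
    """Simulate the ASA's first-match check for one ICMP packet to if_name.
    Returns 'permit' or 'deny'; once any rule exists, no match means deny."""
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        parts = rule.split()
        if parts[-1] != if_name:
            continue
        action, rest = parts[1], parts[2:-1]
        if rest[0] == "any":
            net, rest = ipaddress.ip_network("0.0.0.0/0"), rest[1:]
        elif rest[0] == "host":
            net, rest = ipaddress.ip_network(rest[1]), rest[2:]
        else:
            net, rest = ipaddress.ip_network(f"{rest[0]}/{rest[1]}"), rest[2:]
        rtype = rest[0] if rest else None  # no type means all ICMP types
        if src in net and rtype in (None, icmp_type):
            return action
    return "deny"
```

icmp_rules(WHITELIST) returns the lines to paste in config mode; pings from inside through the box are governed separately by ICMP inspection (the fixup protocol icmp mentioned earlier, which newer releases express as inspect icmp in the global policy-map).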
07-22-2020 10:25 AM
Thank you very much :)