Block ping to ASA but allow from certain IPs

Brad_Shawh
Level 1

Hi

I am looking for a simple setup

1) Nobody should be able to ping my ASA's outside interface except (an Object group of) whitelisted IPs

2) We should be able to ping everything from inside to outside

How do I achieve this?

Thank you very much in advance.

10 Replies

Hi,

1. Use the command "icmp { permit | deny } ip_address net_mask [ icmp_type ] if_name" to configure ICMP rules to ping the ASA's interface.

Reference:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/i1.html

2. Use the command "fixup protocol icmp" to enable ICMP inspection for traffic through the ASA (from inside to outside).

HTH

balaji.bandi
Hall of Fame

icmp permit any outside  - allow ping outside

 

then create an ACL to allow only those IP addresses.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Could you please elaborate with an example? Thank you.

The following example permits host 172.16.2.15 or hosts on subnet 172.22.1.0/16 to ping the outside interface:

ciscoasa(config)# icmp permit host 172.16.2.15 echo-reply outside 
ciscoasa(config)# icmp permit 172.22.1.0 255.255.0.0 echo-reply outside
ciscoasa(config)# icmp permit any unreachable outside

 

# access-list ACL_IN permit icmp any any echo-reply
# access-list ACL_IN permit icmp any any echo
# access-list ACL_IN permit icmp any any time-exceeded
# access-group ACL_IN in interface outside

 

create ACL_IN with the IP address in it.

BB


Would access list work with 'to the box' traffic? 

 

I created the following ACL, please let me know if this is fine

 

icmp permit any echo-reply outside   << ASA can ping any IP on Internet
icmp permit host a.b.c.d outside  << a.b.c.d can ping ASA's Outside Interface
icmp deny any outside << Nobody can ping ASA's Outside Interface

*With this config, all my inside hosts are able to ping internet, which is fine.

 

 

No. An access list assigned to an interface e.g. "access-list OUTSIDE_IN permit|deny icmp any any" denies or permits traffic through the ASA, not to the ASA's interface.

The configuration you provided with the command starting icmp ....... controls traffic to the ASA's interface, and has nothing to do with allowing inside hosts to ping the internet.

Thank you,

 

Please ignore my point about 'through the box' traffic.

 

So, the configuration I pasted is good enough, correct?

 

Two questions

 

1) I assume there is no way to use object group in this 'icmp' acl? The best way to add entries is use ASDM and use 'insert' feature, correct?

 

2) I tried using control plane ACL to deny ICMP traffic, it didn't work. Does control plane ACL not work with ICMP?

No, unfortunately you can't use an object with the "icmp" acl.

You would need to use the icmp command to control icmp traffic destined to the ASA. A control plane ACL (rarely used IMO) could be used to control inbound VPN traffic (IPSec or SSL).
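Since the "icmp" command takes no object-group, the practical answer to the whitelist requirement is to render one "icmp permit" line per whitelisted host or subnet and end the list with "icmp deny any". The script below is an added example, not part of this thread or of any Cisco tool: it generates those lines from a constructed whitelist and emulates how the ASA evaluates its icmp control list for to-the-box traffic (first match wins; when an interface has no icmp rules every ICMP packet addressed to it is accepted, and once rules exist an implicit deny applies after them). The addresses used (203.0.113.10 in place of the a.b.c.d above, 198.51.100.0/24, 192.0.2.7) are documentation-range placeholders, and the function names are the example's own. It models only traffic terminating on the ASA; interface access lists for through-the-box traffic are a separate mechanism and are not simulated.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed whitelist standing in for the object group the question asked about.
WHITELIST = ["203.0.113.10", "198.51.100.0/24"]

# The configuration posted in the thread, with a.b.c.d replaced by a placeholder host.
OP_CONFIG = [
    "icmp permit any echo-reply outside",
    "icmp permit host 203.0.113.10 outside",
    "icmp deny any outside",
]


@dataclass
class IcmpRule:
    action: str                     # "permit" or "deny"
    network: ipaddress.IPv4Network  # source addresses the rule matches
    icmp_type: Optional[str]        # None means any ICMP type
    interface: str                  # interface the packet terminates on


def parse_icmp_rule(line: str) -> IcmpRule:
    """Parse one 'icmp {permit|deny} {host A | A MASK | any} [type] if_name' line."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "icmp" or tok[1] not in ("permit", "deny"):
        raise ValueError(f"not an icmp rule: {line!r}")
    action, i = tok[1], 2
    if tok[i] == "any":
        net, i = ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    elif tok[i] == "host":
        net, i = ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
    else:  # address followed by a dotted netmask
        net, i = ipaddress.IPv4Network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2
    rest = tok[i:]
    icmp_type = rest[0] if len(rest) == 2 else None
    return IcmpRule(action, net, icmp_type, rest[-1])


def to_the_box_decision(rules: List[IcmpRule], src: str, icmp_type: str, interface: str) -> str:
    """Emulate the ASA's first-match evaluation for ICMP addressed to one of its interfaces."""
    src_ip = ipaddress.IPv4Address(src)
    applicable = [r for r in rules if r.interface == interface]
    if not applicable:
        return "permit"  # no icmp control list on this interface: everything is accepted
    for r in applicable:
        if src_ip in r.network and (r.icmp_type is None or r.icmp_type == icmp_type):
            return r.action
    return "deny"  # implicit deny at the end of a configured list


def render_whitelist(whitelist: List[str], interface: str = "outside") -> List[str]:
    """Expand hosts/subnets into per-entry icmp lines, since the icmp command takes no object-group."""
    lines = [f"icmp permit any echo-reply {interface}"]  # replies to pings the ASA itself sends
    for entry in whitelist:
        net = ipaddress.IPv4Network(entry, strict=False)
        if net.prefixlen == 32:
            lines.append(f"icmp permit host {net.network_address} echo {interface}")
        else:
            lines.append(f"icmp permit {net.network_address} {net.netmask} echo {interface}")
    lines.append(f"icmp deny any {interface}")
    return lines


if __name__ == "__main__":
    rules = [parse_icmp_rule(l) for l in OP_CONFIG]
    for src, t in [("203.0.113.10", "echo"), ("192.0.2.7", "echo"), ("192.0.2.7", "echo-reply")]:
        print(f"{t:<10} from {src:<14} -> {to_the_box_decision(rules, src, t, 'outside')}")
    print("\n".join(render_whitelist(WHITELIST)))
```

Running it shows that the posted configuration lets the placeholder host ping the outside interface, drops echo requests from everyone else, and still accepts echo replies to the ASA's own pings; the rendered whitelist reproduces that pattern for any number of entries, which is the manual equivalent of the object group the question asked for.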

Thank you very much :)
