Block ping to outside interface but allow ping out from ASA?

dkramkowski
Level 1

I have an ASA5510 in use that I have set up to block pings on the outside interfaces using 'icmp deny any Outside' and 'icmp deny any backup'. Currently, I simply have a secondary route with a higher metric that points out our backup connection. The problem with that is that it seems to only work if the physical link on the primary goes down, so I was going to implement an SLA setup that would monitor the gateway on the other end of our main connection, and if that became unreachable, traffic would automatically route out our backup. The problem is, before I set up the SLA, I tried pinging the gateway and found I couldn't. I have ICMP inspect turned on, so from inside, pings work as expected, but from the ASA itself, pings to the outside world fail. Through testing, I found that it's the icmp deny command I have set up that's causing it to fail. When I disabled it, I was able to ping the gateway, but of course, then the ASA would respond to pings on its outside interface.

I tried adding 'icmp permit host {outside IP} Outside', and making sure that it was above the deny command, but that didn't work.

Is there a command that I'm missing (or have forgotten) that will prevent the ASA from replying to pings on its outside interfaces, but will allow the ASA itself to ping out, thus allowing me to set up the SLA?

5 Replies

Jouni Forss
VIP Alumni

Hi,

Could you try removing all "icmp" commands related to "Outside" and try this

icmp permit any echo-reply Outside

icmp permit any time-exceeded Outside

icmp permit any unreachable Outside

- Jouni

And to further clarify,

If you have no "icmp" configuration for an interface, then the interface accepts ICMP Echo to the interface and, to my understanding, also allows the return packets for ICMP Echos that the ASA generated.

However, when we add the above statements to the configuration, the "icmp" configuration isn't blank anymore and will only match replies sent to the ASA, which means the ASA can generate ICMP Echos and receive replies.

However, an ICMP Echo generated to the ASA interface IP address won't match anything now configured and therefore the ASA will block ICMP Echo from any source address.

Hopefully I didn't get anything wrong myself.

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed.

- Jouni
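A complete form of the fix above, as an added example that is not from the thread: the reply-only icmp rules applied to both the Outside and backup interfaces from the question, followed by the IP SLA tracking the original poster planned to set up. The gateway addresses 203.0.113.1 and 198.51.100.1 are placeholders (documentation ranges), and the SLA/track commands are the standard ASA IP SLA configuration, not something the thread itself shows.

```cisco
! Added example config (not from the thread). Interface names "Outside" and
! "backup" come from the question; gateway addresses are placeholders.
!
! The "icmp" command only governs ICMP addressed TO the ASA's own interface
! IP. ICMP passing THROUGH the firewall is handled by interface ACLs and
! "inspect icmp", so these lines do not affect inside hosts pinging out.
!
! Remove the blanket denies: they also drop the echo-replies to pings the ASA
! itself sends, which is why the gateway could not be pinged from the ASA.
no icmp deny any Outside
no icmp deny any backup
!
! Permit only reply-type ICMP to each interface. Once any "icmp" rule exists
! for an interface there is an implicit deny at the end, so echo requests
! from the Internet match nothing and are dropped; the interface stays silent.
icmp permit any echo-reply Outside
icmp permit any time-exceeded Outside
icmp permit any unreachable Outside
icmp permit any echo-reply backup
icmp permit any time-exceeded backup
icmp permit any unreachable backup
!
! IP SLA: ping the primary ISP gateway every 10 s. "track 1" goes down when
! the probe fails, which withdraws the primary default route below.
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface Outside
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
!
! Primary default route tied to the tracker; backup route with a worse metric
! takes over only while the tracker is down.
route Outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
```

To check it, ping the gateway from the ASA, then confirm the probe and route state with `show sla monitor operational-state`, `show track 1` and `show route`; an echo request sent to the Outside address from the Internet should get no reply.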

That seems to have worked perfectly, Thanks!

This solution has simply resolved my issue. Many thanks.

msitler21
Level 1

Thank you! Worked great
