cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
12559
Views
5
Helpful
4
Replies

Blocking All Incoming ICMP Traffic With Cisco ASA 5510

kbrown001
Level 1
Level 1

This is a fairly simple question and i'm sure there is a fairly simple answer but for whatever reason I can't seem to get ICMP blocked properly on my external interface of my ASA.  I obviously don't want my external interface to be pingable but no matter what i configure in the ACL I am still able to ping the outside IP from outside of our network.

external ip is xxx.xxx.xxx.178.

What is the easiest, best practice way to accomplish this?

4 Replies 4

David White
Cisco Employee
Cisco Employee

ACLs applied to the ASA only affect Transient traffic.  To block ICMP *to* the interface, use the 'icmp' command.

   icmp deny any

Example:

   icmp deny any outside

fantastic!  that worked like a charm!

Now I have another question:

because of a recent ISP/IP naming scheme change we have had to NAT our internal exchange server to a public IP address in a block that was provided to us.

Because of this NATing, even though the server is behind the firewall it appears to the outside world as though it is external.  Meaning that when I run a port/ping scan on it for security from the outside the following happens:

I get a ping reply, obviously this must be stopped it is a major security hole.  So I need to know how to go about blocking ICMP requests for this nated address.

secondly a few ports show as open to the outside world

25
54
80
135
139
443
593
691
1025
1026

I'm sure that some of these ports need to be open, like the smtp port or the port 691 for ms exchange routing but my question is overall what would be the best practice to properly secure this server and make sure it isn't security compromised.

I'm using the GRC Shields up port scanner and when I run the scan from anything else in the company (servers/workstations) the regular external ip of the firewall shows up, and everything passes perfectly.  All ports are in stealth mode and there is no packet or icmp replies.

But when i run the scanner on the mail server with the nat rule nothing is stealthed, instead most of the ports are just blocked, with the exception of the ones mentioned above being open and the icmp reply.

You can block these packets on your access-list that is applied on your outside.

access-list line 1 deny icmp any xxx.xxx.xxx.178

access-list line 1 deny tcp any xxx.xxx.xxx.178 eq

access-list line 1 deny tcp any xxx.xxx.xxx.178 eq

...

Let us know if it fixes the issue.

PK

Interface ACLs are used to permit/deny transient traffic through the ASA.  Therefore, if you scanner is showing TCP ports as being open, then you must have an ACL applied to your interface that is permitting the traffic.  You can use the "Packet Tracer" tool in ASDM (or the CLI) if you need help locating which entry in the ACL is permitting the traffic.


As for security, only permit the ports which are required to provide the service you are offering up.


Sincerely,

David.

Review Cisco Networking for a $25 gift card