Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
12183
Views
5
Helpful
4
Replies

Blocking All Incoming ICMP Traffic With Cisco ASA 5510

kbrown001
Level 1
Level 1

‎11-16-2010 06:21 AM - edited ‎03-11-2019 12:10 PM

This is a fairly simple question and i'm sure there is a fairly simple answer but for whatever reason I can't seem to get ICMP blocked properly on my external interface of my ASA.  I obviously don't want my external interface to be pingable but no matter what i configure in the ACL I am still able to ping the outside IP from outside of our network.

external ip is xxx.xxx.xxx.178.

What is the easiest, best practice way to accomplish this?

Labels:
0 Helpful
4 Replies 4

David White
Cisco Employee
Cisco Employee

‎11-16-2010 07:15 AM

ACLs applied to the ASA only affect Transient traffic.  To block ICMP *to* the interface, use the 'icmp' command.

   icmp deny any

Example:

   icmp deny any outside

kbrown001
Level 1
Level 1
In response to David White

‎11-16-2010 08:39 AM

fantastic!  that worked like a charm!

Now I have another question:

because of a recent ISP/IP naming scheme change we have had to NAT our internal exchange server to a public IP address in a block that was provided to us.

Because of this NATing, even though the server is behind the firewall it appears to the outside world as though it is external.  Meaning that when I run a port/ping scan on it for security from the outside the following happens:

I get a ping reply, obviously this must be stopped it is a major security hole.  So I need to know how to go about blocking ICMP requests for this nated address.

secondly a few ports show as open to the outside world

25
54
80
135
139
443
593
691
1025
1026

I'm sure that some of these ports need to be open, like the smtp port or the port 691 for ms exchange routing but my question is overall what would be the best practice to properly secure this server and make sure it isn't security compromised.

I'm using the GRC Shields up port scanner and when I run the scan from anything else in the company (servers/workstations) the regular external ip of the firewall shows up, and everything passes perfectly.  All ports are in stealth mode and there is no packet or icmp replies.

But when i run the scanner on the mail server with the nat rule nothing is stealthed, instead most of the ports are just blocked, with the exception of the ones mentioned above being open and the icmp reply.

0 Helpful

Panos Kampanakis
Cisco Employee
Cisco Employee
In response to kbrown001

‎11-16-2010 12:16 PM

You can block these packets on your access-list that is applied on your outside.

access-list  line 1 deny icmp any xxx.xxx.xxx.178
access-list  line 1 deny tcp any xxx.xxx.xxx.178 eq 
access-list  line 1 deny tcp any xxx.xxx.xxx.178 eq 
...

Let us know if it fixes the issue.

PK

0 Helpful

David White
Cisco Employee
Cisco Employee
In response to kbrown001

‎11-16-2010 02:30 PM

Interface ACLs are used to permit/deny transient traffic through the ASA.  Therefore, if you scanner is showing TCP ports as being open, then you must have an ACL applied to your interface that is permitting the traffic.  You can use the "Packet Tracer" tool in ASDM (or the CLI) if you need help locating which entry in the ACL is permitting the traffic.


As for security, only permit the ports which are required to provide the service you are offering up.


Sincerely,

David.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card