
Blocking icmp through ASA

shoaib sheikh
Level 1

 

 

config t
(config)# policy-map global_policy
(config-pmap)# class inspection_default
(config-pmap-c)# no inspect icmp
(config-pmap-c)# exit
(config-pmap)# exit
(config)# ping www.google.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 216.58.196.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/84/90 ms

 

ASA gives logs in ASDM as follows:

An ICMP session was established in the fast-path when stateful ICMP was enabled using the inspect icmp command.  

 

I have applied an ACL to block any any ip and any any icmp on the outside interface. Is this normal behaviour of the ASA? How do I block ICMP?

Accepted Solutions

Vibhor Amrodia
Cisco Employee

Hi,

Normal ACL would only block traffic which is through the box.

This ping is initiated from the ASA device interface so you would need to use the "ICMP deny" command.

Refer:-

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/i1.html#pgfId-1779047

Thanks and Regards,

Vibhor Amrodia
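
The distinction drawn in the answer above, as an added configuration example that is not part of the original posts: the interface ACL covers transit traffic, while the icmp command covers ICMP addressed to the ASA's own interface. The interface name outside and the ACL name OUTSIDE_IN are assumptions.

```cisco
! Added example (constructed). "outside" and OUTSIDE_IN are assumed names.

! --- Through-the-box traffic -------------------------------------------
! An interface ACL bound with access-group filters packets that transit
! the ASA. It is not evaluated for packets addressed to the ASA itself,
! such as the echo replies returning to a ping started on the ASA.
access-list OUTSIDE_IN extended deny icmp any any
access-list OUTSIDE_IN extended deny ip any any
access-group OUTSIDE_IN in interface outside

! --- To-the-box traffic ------------------------------------------------
! ICMP that terminates on an ASA interface is controlled per interface
! by the icmp command. Rules are checked in order, first match wins.
! Permit unreachables ahead of the deny so that path MTU discovery
! keeps working for traffic the ASA itself terminates.
icmp permit any unreachable outside
icmp deny any outside

! --- Check -------------------------------------------------------------
! List the to-the-box ICMP rules, then repeat the ping from the ASA.
! The address is the one resolved in the original post.
show running-config icmp
ping outside 216.58.196.100
```

With these rules in place, echo replies addressed to the outside interface are dropped, so a ping started on the ASA through that interface no longer succeeds.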


Thanks, Vibhor.
