06-18-2015 12:48 AM - edited 03-11-2019 11:08 PM
config t
(config)# policy-map global_policy
(config-pmap)# class inspection_default
(config-pmap-c)# no inspect icmp
(config-pmap-c)# exit
(config-pmap)# exit
(config)# ping www.google.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 216.58.196.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/84/90 ms
ASA gives logs in ASDM as follows:
An ICMP session was established in the fast-path when stateful ICMP was enabled using the inspect icmp command.
I have applied an ACL to block any any ip and any any icmp on the outside interface. Is this normal behaviour of the ASA? How do I block ICMP?
06-18-2015 01:01 AM
Hi,
A normal ACL would only block traffic which goes through the box.
This ping is initiated from the ASA device interface, so you would need to use the "ICMP deny" command.
Refer:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/i1.html#pgfId-1779047
Thanks and Regards,
Vibhor Amrodia
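
An added configuration example, not part of the original posts: it puts the interface ACL described in the question next to the to-the-box `icmp` rules the answer points to. The ACL name OUTSIDE_IN is hypothetical, and the `unreachable` permit follows the command reference's recommendation to keep ICMP type 3 allowed.

```cisco
! Constructed ASA configuration; OUTSIDE_IN is a hypothetical ACL name.
!
! Interface ACL: filters only traffic passing through the ASA.
! It does not affect the ASA's own ping or ICMP addressed to the interface.
access-list OUTSIDE_IN extended deny icmp any any
access-list OUTSIDE_IN extended deny ip any any
access-group OUTSIDE_IN in interface outside
!
! To-the-box ICMP rules for the outside interface. Rules are evaluated in
! order (first match wins); once any icmp rule exists for an interface,
! ICMP that matches no rule is denied.
! Unreachables stay permitted so path MTU discovery keeps working.
icmp permit any unreachable outside
icmp deny any outside
!
! Check the rules, then repeat the test from the question. Echo replies to
! the ASA's own ping terminate at the outside interface, so with these rules
! they are dropped and the ping is expected to fail.
show running-config icmp
ping www.google.com
```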
06-21-2015 08:57 PM
Thanks, Vibhor.