Deny ping on outside interface while allowing inside hosts to ping external hosts

scotteberl
Level 1

Been wrestling with this one for a bit now.


Running IOS 9.2 on an ASA5505


Can anyone tell me how I could accomplish this? I know how to disable ping on the outside interface using "icmp deny any outside", but then when I try to ping an external IP the replies seem to never come back.

5 Replies

ghostinthenet
Level 7

Denying ICMP packets wholesale isn't a practice I recommend, only because you're disabling essential control packets along with ping requests. Instead of turning it off with "icmp deny any outside", try putting something like "deny icmp any any echo" in the ACL for your outside interface. This will prevent external ping traffic, but allow other ICMP to pass... including replies to ping requests generated by internal devices.

Thanks for the reply Jody. I ended up getting it working using the following configuration items:


icmp permit any echo-reply OUTSIDE
icmp deny any echo OUTSIDE


That will work, too.

Also, it's best to make sure you're permitting all of the other ICMP types other than echo so that you don't lose control functions like path mtu discovery, network unreachable, traceroute, &c.

So you don't see allowing ping to the outside interface of the ASA as a security concern?

Personally, no... but that's up to you.

What I'm saying is that even if you are blocking pings to your ASA, you should make sure that other ICMP traffic is permitted in. These are used for various Internet control functions and you're potentially limiting functionality and troubleshooting capabilities by blocking them.
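The two pieces of advice in this thread combined into one ASA configuration fragment, as an added example that is not from either poster: the "icmp" rules for traffic aimed at the firewall itself, plus an outside ACL that blocks inbound echo requests while keeping the ICMP control types open. The interface name OUTSIDE and the ACL name OUTSIDE_IN are assumptions.

```cisco
! Added example (not from the original posters). Assumed names:
! interface nameif OUTSIDE, access list OUTSIDE_IN.
!
! 1) ICMP addressed TO the OUTSIDE interface address itself ("icmp" command).
!    As soon as any icmp rule exists there is an implicit deny at the end,
!    so the control types must be permitted explicitly or they are dropped.
icmp permit any echo-reply OUTSIDE
icmp deny any echo OUTSIDE
icmp permit any unreachable OUTSIDE
icmp permit any time-exceeded OUTSIDE
!
! 2) ICMP passing THROUGH the ASA toward inside hosts (the interface ACL).
!    Deny inbound echo requests, but let echo replies and control messages
!    in so path MTU discovery, unreachables and traceroute keep working.
access-list OUTSIDE_IN extended deny icmp any any echo
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
! (the ACL's existing permit lines for other inbound traffic follow here)
access-group OUTSIDE_IN in interface OUTSIDE
!
! 3) Verify: a ping sent at the OUTSIDE address times out, while a ping
!    started from an inside host gets its reply. Hit counts are visible in
!    "show access-list OUTSIDE_IN"; the icmp rules in
!    "show running-config icmp".
```

Without the explicit permits in section 1, a "deny echo" rule alone leaves the firewall unable to receive unreachables or time-exceeded messages sent to its own address, which is the side effect the thread warns about.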
