11-20-2014 06:00 PM - edited 03-11-2019 10:07 PM
Been wrestling with this one for a bit now.
Running IOS 9.2 on an ASA5505.
Can anyone tell me how I could accomplish this? I know how to disable ping on the outside interface using "icmp deny any outside", but then when I try to ping an external IP the replies never seem to come back.
11-20-2014 06:46 PM
Denying ICMP packets wholesale isn't a practice I recommend, only because you're disabling essential control packets along with ping requests. Instead of turning it off with "icmp deny any outside", try putting something like "deny icmp any any echo" in the ACL for your outside interface. This will prevent external ping traffic, but allow other ICMP to pass... including replies to ping requests generated by internal devices.
11-20-2014 07:44 PM
Thanks for the reply Jody. I ended up getting it working using the following configuration items:
icmp permit any echo-reply OUTSIDE
icmp deny any echo OUTSIDE
11-20-2014 09:56 PM
That will work, too.
Also, it's best to make sure you're permitting all of the other ICMP types other than echo so that you don't lose control functions like path MTU discovery, network unreachable, traceroute, etc.
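To make the difference between the three configurations in this thread concrete, here is an added example that is not from the original posts or from Cisco: a small Python model of how the ASA evaluates its "icmp" control list for traffic terminating on an interface. It implements the behaviour Cisco documents for that list (first match wins, and once an interface has at least one "icmp" rule, anything not matched is dropped by an implicit deny; an interface with no rules accepts all ICMP). It then evaluates the original "icmp deny any outside", the two-line fix posted above, and the fuller list recommended in the last reply. The sample rule lines and source addresses are constructed for the example; the per-interface scoping of the implicit deny is my modelling assumption.

```python
"""Model of the Cisco ASA 'icmp' control list (ICMP terminating on an interface).

Behaviour modelled (from Cisco's description of the command):
  * rules are evaluated top-down, first match wins
  * once an interface has any 'icmp' rule, unmatched traffic hits an implicit deny
  * an interface with no 'icmp' rules accepts all ICMP directed at it
Through-the-box ICMP (inside host pinging the Internet) is NOT governed by this list.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class IcmpRule:
    action: str                    # "permit" or "deny"
    source: ipaddress.IPv4Network  # any / host A.B.C.D / A.B.C.D MASK
    icmp_type: Optional[str]       # None means every ICMP type
    interface: str                 # nameif the rule is bound to


def parse_icmp_rule(line: str) -> IcmpRule:
    """Parse 'icmp {permit|deny} {any|host IP|IP MASK} [icmp_type] IFNAME'."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "icmp" or tokens[1] not in ("permit", "deny"):
        raise ValueError(f"not an icmp control-list line: {line!r}")
    rest = tokens[2:]
    if rest[0] == "any":
        source, rest = ipaddress.ip_network("0.0.0.0/0"), rest[1:]
    elif rest[0] == "host":
        source, rest = ipaddress.ip_network(rest[1]), rest[2:]
    else:
        # dotted-decimal network and mask, e.g. 198.51.100.0 255.255.255.0
        source, rest = ipaddress.ip_network(f"{rest[0]}/{rest[1]}", strict=False), rest[2:]
    if len(rest) not in (1, 2):
        raise ValueError(f"unexpected trailing tokens in {line!r}")
    icmp_type = rest[0] if len(rest) == 2 else None
    return IcmpRule(tokens[1], source, icmp_type, rest[-1])


def evaluate(rules: List[IcmpRule], interface: str, src_ip: str, icmp_type: str) -> str:
    """Return 'permit' or 'deny' for an ICMP packet of icmp_type from src_ip to interface."""
    iface_rules = [r for r in rules if r.interface == interface]
    if not iface_rules:
        return "permit"  # default: no list on this interface, all ICMP accepted
    src = ipaddress.ip_address(src_ip)
    for rule in iface_rules:  # first match wins
        if src in rule.source and (rule.icmp_type is None or rule.icmp_type == icmp_type):
            return rule.action
    return "deny"  # implicit deny at the end of a non-empty list


# Constructed configurations: the original attempt, the fix posted in the thread,
# and the fuller list that keeps the control types the last reply mentions.
ORIGINAL = ["icmp deny any OUTSIDE"]
THREAD_FIX = ["icmp permit any echo-reply OUTSIDE",
              "icmp deny any echo OUTSIDE"]
FULLER = ["icmp permit any echo-reply OUTSIDE",
          "icmp permit any unreachable OUTSIDE",
          "icmp permit any time-exceeded OUTSIDE",
          "icmp deny any echo OUTSIDE"]

TYPES = ("echo", "echo-reply", "unreachable", "time-exceeded")


def verdicts(config: List[str], interface: str = "OUTSIDE",
             src_ip: str = "203.0.113.10") -> Dict[str, str]:
    """Evaluate every ICMP type of interest against one configuration."""
    rules = [parse_icmp_rule(line) for line in config]
    return {t: evaluate(rules, interface, src_ip, t) for t in TYPES}


if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("thread fix", THREAD_FIX), ("fuller", FULLER)):
        print(f"{name:11s} {verdicts(cfg)}")
```

The output shows why the first attempt broke the ASA's own pings (the reply was dropped along with everything else), why the two-line fix works for echo and echo-reply, and that it still drops unreachable and time-exceeded through the implicit deny until those types are permitted explicitly. Swapping the order of the two "any" rules also shows the first-match behaviour: "icmp deny any OUTSIDE" placed above a permit line shadows it.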
11-21-2014 01:34 PM
So you don't see allowing ping to the outside interface of the ASA as a security concern?
11-21-2014 02:28 PM
Personally, no... but that's up to you.
What I'm saying is that even if you are blocking pings to your ASA, you should make sure that other ICMP traffic is permitted in. These are used for various Internet control functions and you're potentially limiting functionality and troubleshooting capabilities by blocking them.