Denying ICMP from one specific host

dimensijus
Level 1

Hi,

The result I am trying to achieve is blocking the ICMP traffic from 192.168.100.101 PC (inside traffic) to 192.168.101.00/24 (outside) traffic.

I've configured an ACL, but for some reason the ICMP still travels through the ASA:
access-list outside line 1 extended permit icmp any any
access-list outside line 2 extended deny icmp host 192.168.100.101 192.168.101.0 255.255.255.0 echo
access-list outside line 2 extended deny icmp host 192.168.100.101 192.168.101.0 255.255.255.0 echo-reply
access-list outside line 2 extended deny icmp host 192.168.100.101 192.168.101.0 255.255.255.0 unreachable

access-group outside in interface outside

Any thoughts why ICMP is still traveling from 192.168.100.101 to 192.168.101.100?

Thanks in advance.

2 Replies

Octavian Szolga
Level 4

Hi,

You applied the ACL on the wrong interface. Also, the first line allows all ICMP traffic, making the rest of the lines useless.

You want to apply the ACL inbound on inside. Based on your description, 192.168.100.101 belongs to inside.

BR,

Octavian

access-list outside line 1 extended permit icmp any any

This makes all ICMP allowed.

You need to delete this ACL line and add it again with a line number that puts it at the tail of the ACL, not at the top.
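
The first-match behaviour both replies point to can be checked offline. The sketch below is an added example, not code from the thread or from Cisco: it parses only the address forms used in the posted ACL (`any`, `host A`, `NET MASK`), evaluates an ICMP packet top-down, and lists rules that an earlier rule fully covers. It models rule order only, not which interface the ACL is bound to.

```python
import ipaddress as ipa

# ACL as posted in the question. The "line N" keywords are skipped and rules
# are taken in the order listed; the permit is first either way.
POSTED = """\
access-list outside line 1 extended permit icmp any any
access-list outside line 2 extended deny icmp host 192.168.100.101 192.168.101.0 255.255.255.0 echo
access-list outside line 2 extended deny icmp host 192.168.100.101 192.168.101.0 255.255.255.0 echo-reply
access-list outside line 2 extended deny icmp host 192.168.100.101 192.168.101.0 255.255.255.0 unreachable
"""

def take_addr(tok):
    """Consume one address spec: 'any', 'host A', or 'NET MASK'."""
    first = tok.pop(0)
    if first == "any":
        return ipa.ip_network("0.0.0.0/0")
    if first == "host":
        return ipa.ip_network(tok.pop(0) + "/32")
    return ipa.ip_network(f"{first}/{tok.pop(0)}")

def parse(text):
    """Turn 'access-list ... extended ...' lines into (action, proto, src, dst, icmp_type)."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if tok[:1] != ["access-list"] or "extended" not in tok:
            continue
        tok = tok[tok.index("extended") + 1:]
        action, proto = tok.pop(0), tok.pop(0)
        src, dst = take_addr(tok), take_addr(tok)
        rules.append((action, proto, src, dst, tok[0] if tok else None))
    return rules

def first_match(rules, src, dst, icmp_type):
    """Index and action of the first rule matching an ICMP packet (implicit deny if none)."""
    s, d = ipa.ip_address(src), ipa.ip_address(dst)
    for i, (action, proto, rs, rd, t) in enumerate(rules):
        if proto in ("icmp", "ip") and s in rs and d in rd and t in (None, icmp_type):
            return i, action
    return None, "deny"

def shadowed(rules):
    """Indexes of rules fully covered by an earlier rule, so they never match."""
    return [i for i, (_, p, s, d, t) in enumerate(rules)
            if any(ep in (p, "ip") and s.subnet_of(es) and d.subnet_of(ed) and et in (None, t)
                   for _, ep, es, ed, et in rules[:i])]

if __name__ == "__main__":
    print(first_match(parse(POSTED), "192.168.100.101", "192.168.101.100", "echo"))
    print(shadowed(parse(POSTED)))
```

Run against the posted ACL, every deny line is reported as shadowed by the leading permit; with the permit moved to the tail, none are.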
