
Enabling ICMP through ASA Firewalls

Drader

Hello, I am new to networking and was wondering if anyone can tell me what the difference is (i.e. in what situation I will need to use each of them) among the following commands for Cisco ASA:

1. inspect icmp - for policy-map global_policy

2. access-list icmp extended permit icmp any any (and using access group after)

3. fixup protocol icmp

Thank you in advance!


The 1st and 3rd commands are used to tell the firewall to treat ICMP traffic in a stateful way. The 2nd command allows ICMP traffic using an ACL applied to the respective direction and interface.

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

@Drader #1 and #3 turn on ICMP stateful inspection globally. The command "fixup protocol icmp" (#3) is just a shortcut to enable icmp inspection under the global policy (#1) - both achieve the same thing.

#2 explicitly permits the return ICMP traffic on the ACL, usually this is inbound on the outside interface. You would use the ACL if you didn't want to inspect ICMP. The ACL can of course be configured granularly, so explicitly permitting ICMP traffic for certain hosts/subnets, and denying for the rest.
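The two approaches discussed in the replies, side by side, as an added configuration sketch that is not part of the thread or written by its participants. The ACL name `OUTSIDE_IN`, the interface name `outside` and the `192.0.2.0/24` subnet are assumptions chosen for illustration; use one option or the other.

```cisco
! Added example, not from the thread. Names and addresses are placeholders.
!
! Option A: stateful ICMP inspection under the global policy (#1 in the question).
! The ASA tracks each echo request leaving through the firewall and lets only
! the matching echo reply back in, so no inbound ACL entry for ICMP is needed.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Option B: no inspection; return traffic is permitted statically by ACL (#2).
! Scope it to the ICMP type and the hosts that need it rather than
! "permit icmp any any", and deny the rest.
! 192.0.2.0 255.255.255.0 stands in for the hosts that should receive replies.
access-list OUTSIDE_IN extended permit icmp any 192.0.2.0 255.255.255.0 echo-reply
access-list OUTSIDE_IN extended deny icmp any any
! Apply the ACL inbound on the interface where the replies arrive.
access-group OUTSIDE_IN in interface outside
```

With option B the permit entry matches any echo reply addressed to that subnet, whether or not a request was sent, which is the trade-off against inspection.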
