cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
557
Views
0
Helpful
2
Replies

Enabling ICMP through ASA Firewalls

Drader
Level 1
Level 1

Hello, I am new to networking and was wondering if anyone can tell me what is the difference (like in what situation will I need to use them) amongst the following commands for cisco ASA:

1. inspect icmp - for policy-map global_policy

2. access-list icmp extended permit icmp any any (and using access group after)

3. fixup protocol icmp

Thank you in advance!

2 Replies 2

1st and 3rd commands using to inform firewall to treat ICMP traffic as a statefull way. 2nd command is allowing ICMP traffic using ACL applied to respect direction and interface.

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

@Drader #1 and #3 turn on ICMP stateful inspection globally. The command "fixup protocol icmp" (#3) is just a shortcut to enable icmp inspection under the global policy (#1) - both achieve the same thing.

#2 explictly permits the return ICMP traffic on the ACL, usually this is inbound on the outside interface. You would use the ACL if you didn't want to inspect ICMP. The ACL can of course be configured granularly, so explictly permitting ICMP traffic for certain hosts/subnets, and denying for the rest.

 

Review Cisco Networking for a $25 gift card