06-01-2018 12:16 PM - edited 02-21-2020 07:50 AM
Hi Experts,
Could you please assist with how ASA handles ping? I've seen in the docs that if ASA wants to allow ping THROUGH the firewall, ICMP inspection needs to be enabled. Is that fine, or do we need to allow an ACL as well for it to work?
Also, please guide how ASA handles ICMP traffic generated FROM the firewall (e.g. from ASA to inside/outside hosts).
Regards,
Srinivasan
06-02-2018 04:45 AM - edited 06-02-2018 04:46 AM
It's actually pretty simple. If you allow ICMP from inside to out (either with or without an ACL), the ICMP inspection will dynamically allow the echo reply back to the source of the ping. If you turn ICMP inspection off, then you would need to explicitly permit ICMP echo replies back in. I hope that explains it.
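The two options described in the answer above, written out as ASA configuration. This is an added example, not part of the original posts; the ACL name `OUTSIDE_IN` and the interface name `outside` are assumptions, and `global_policy` / `inspection_default` are the ASA's default policy-map and class names.

```cisco
! Option 1: ICMP inspection on (stateful).
! The ASA tracks each outbound echo request and admits only the matching
! echo reply, so no inbound ACL entry is needed for ping to work.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Option 2: ICMP inspection off (stateless).
! Echo replies must be explicitly permitted inbound on the lower-security
! interface. This entry admits any echo reply, solicited or not, so narrow
! the source/destination from "any any" to the networks that actually ping.
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-group OUTSIDE_IN in interface outside
```

`show service-policy inspect icmp` shows whether the inspection is active and counting packets; `show access-list OUTSIDE_IN` shows hit counts on the explicit permit.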
06-02-2018 01:18 PM
Hi Dennis, thanks for the reply. Please assist: by default, to which zone (Inside/Outside/DMZ) is ICMP ping allowed when traffic is initiated FROM the ASA firewall?
06-02-2018 07:08 PM
When you initiate ICMP (or other) traffic from the firewall itself, it will be allowed (absent an (uncommon) output ACL) and sourced from the interface which is the current egress for the destination per the ASA's routing table.