05-03-2013 08:23 AM - edited 03-11-2019 06:38 PM
I was asked to block pings from the internet to the outside interface of our ASA-5505 firewall. I found a post that said to enter "icmp deny any outside", however that does not do it.
I created an ACL to try and do the trick, also to no avail:
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in in interface outside
access-group outside_in in interface outside
Anyone have a clue what I'm doing wrong? I'm not the firewall guy as you can tell. :/
Thanks in advance...
Most networks that you protect with a Cisco ASA device will probably want to deny ICMP (maybe not all ICMP types, but a lot of network admins will want to block ICMP Echo, etc.) on the outside interface. This will make the network harder to find through external enumeration, but not impossible.
ASA5505(config)#icmp deny any outside
You will deny ICMP on the outside interface, but if you include ICMP as a protocol in the default global policy map, you can ping from the inside to any host on the outside, and it will be permitted back through the ASA, as it knows about the previous ICMP “connection
05-03-2013 08:56 AM
Hi,
This command should basically do it.
Can you provide us with the output of the command "show run icmp"
On the newer software versions you are also able to configure an ACL that controls the traffic targeted to your actual ASA interface. The above ACL won't do that; it controls traffic "through the box".
- Jouni
05-03-2013 11:09 AM
ASA(config)# sh run icmp
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
ASA(config)#
05-03-2013 11:18 AM
Hi,
Seems you only have the statement blocking the ICMP to the "outside" interface IP address and this should work.
I tested this on my own ASA also and it seems to work fine when I enter/remove/re-enter the command.
Maybe it is some bug or the ASA is in need of a reload or something.
Could you share the whole configuration (partially mask public IP addresses etc.)?
Here is a link to ASA 8.2 Command Reference and the ICMP command
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/i1.html#wp1697623
- Jouni
05-03-2013 01:01 PM
Rebooted the ASA. No change. Still can ping 10.47.240.225 from 10.47.240.150, which is a host on the little switch where the ASA's outside interface is connected. Still on the bench... not production, etc.
Here's the config...
ASA Version 8.2(2)
!
hostname ASA
domain-name guest.com
enable password ulioxzQNlwbZR encrypted
passwd ulioxzNlUYwNR encrypted
names
!
interface Vlan1
shutdown
no nameif
no security-level
no ip address
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan80
nameif inside
security-level 100
ip address 192.168.96.1 255.255.252.0
!
interface Vlan240
nameif management
security-level 100
ip address 10.47.240.225 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 80
!
interface Ethernet0/2
switchport access vlan 80
!
interface Ethernet0/3
switchport access vlan 80
!
interface Ethernet0/4
switchport access vlan 80
!
interface Ethernet0/5
switchport access vlan 80
!
interface Ethernet0/6
switchport access vlan 240
!
interface Ethernet0/7
switchport access vlan 240
!
ftp mode passive
dns server-group DefaultDNS
domain-name guest.com
same-security-traffic permit inter-interface
access-list outside_in extended deny ip any any log
access-list outside_in extended permit icmp any any echo-reply
pager lines 24
logging console debugging
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-625-53.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_in in interface outside
route management 10.2.10.10 255.255.255.255 10.47.240.1 1
route management 10.57.3.10 255.255.255.255 10.47.240.1 1
route management 10.96.1.12 255.255.255.255 10.47.240.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (management) host 10.2.10.10
key *****
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authorization command LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 management
ssh timeout 5
console timeout 0
dhcprelay server 10.96.1.12 management
dhcprelay enable inside
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server management 10.57.240.5 BlahBlahBlah
webvpn
anyconnect-essentials
username BlahBlahBlah password c23.VFGsxHlpzvDf encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callyourmom@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:544e8d1dff1e5dfdd277d295328e7321
: end
ASA#
05-03-2013 01:06 PM
Hi,
The IPs you mention are part of the "management" interface, NOT the "outside"
To block that icmp you would have to use
icmp deny any management
- Jouni
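The distinction Jouni draws in this thread is between traffic "to the box" (the interface's own address, governed by the icmp command for that nameif) and traffic "through the box" (governed by the interface ACL), and the fix was to realise that 10.47.240.225 belongs to the management interface, not outside. The script below is an added example, not code from the thread or from Cisco: it parses a constructed excerpt of the poster's show run and reports which interface a pinged address belongs to and whether any icmp rule exists for that nameif.

```python
import ipaddress
import re

# Constructed excerpt of the thread's "show run" (interfaces and icmp rules only).
SHOW_RUN = """
interface Vlan2
 nameif outside
 ip address dhcp setroute
interface Vlan80
 nameif inside
 ip address 192.168.96.1 255.255.252.0
interface Vlan240
 nameif management
 ip address 10.47.240.225 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
"""

def parse_interfaces(config):
    """Map nameif -> its IPv4 address (None when the address comes from DHCP)."""
    ifaces, name = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            name = None
        elif line.startswith("nameif "):
            name = line.split()[1]
            ifaces[name] = None
        elif line.startswith("ip address ") and name:
            addr = line.split()[2]
            ifaces[name] = None if addr == "dhcp" else ipaddress.ip_address(addr)
    return ifaces

def parse_icmp_rules(config):
    """Return (action, nameif) for every 'icmp permit|deny ... <nameif>' rule."""
    return re.findall(r"^icmp (permit|deny) .+ (\S+)$", config, re.M)

def classify_ping(config, target):
    """Ping to an interface's own address is 'to the box' (icmp command applies);
    anything else is 'through the box' (ACL applies). Returns (kind, nameif, has_icmp_rule)."""
    target = ipaddress.ip_address(target)
    for nameif, addr in parse_interfaces(config).items():
        if addr == target:
            has_rule = any(n == nameif for _, n in parse_icmp_rules(config))
            return ("to-the-box", nameif, has_rule)
    return ("through-the-box", None, None)

if __name__ == "__main__":
    print(classify_ping(SHOW_RUN, "10.47.240.225"))  # poster's test: management, no icmp rule
```

For the poster's ping the result is ("to-the-box", "management", False): the existing "icmp deny any outside" never sees that traffic, which is why "icmp deny any management" was needed.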
05-03-2013 02:08 PM
As you quickly figured out, I was configuring the wrong interface. :|
Thanks for your help.
05-03-2013 02:19 PM
No problem,
Glad we sorted it out
- Jouni
05-03-2013 01:03 PM
Hi,
ASA5505(config)#icmp deny any outside
This command should be enough to block the pings to the outside interface. I haven't seen a similar caveat yet. As Jouni mentioned, can you paste the complete 'show run' for review?
-
Sourav