3606 Views, 0 Helpful, 8 Replies

How do I block pings on the outside interface of a ASA 5505?

tdennehy
Level 1

I was asked to block pings from the internet to the outside interface of our ASA-5505 firewall.  I found a post that said to enter "icmp deny any outside", however that does not do it.

I created an ACL to try and do the trick, also to no avail:

access-list outside_in extended permit icmp any any echo-reply

access-list outside_in in interface outside

access-group outside_in in interface outside

Anyone have a clue what I'm doing wrong?  I'm not the firewall guy as you can tell.  :/

Thanks in advance...

Block / Deny ICMP Echo (Ping) on Cisco ASA Outside Interface

Most networks that you protect with a Cisco ASA device will probably want to deny ICMP (maybe not all ICMP types, but a lot of network admins will want to block ICMP Echo, etc.) on the outside interface. This will make the network harder to find through external enumeration, but not impossible.

ASA5505(config)#icmp deny any outside

You will deny ICMP on the outside interface, but if you include ICMP as a protocol in the default global policy map, you can ping from the inside to any host on the outside, and it will be permitted back through the ASA, as it knows about the previous ICMP “connection


8 Replies

Jouni Forss
VIP Alumni

Hi,

This command should basically do it.

Can you provide us with the output of the command "show run icmp"

On the newer software versions you are also able to configure an ACL that controls the traffic targeted at your actual ASA interface. The above ACL won't do that. It controls traffic "through the box".

- Jouni

ASA(config)# sh run icmp

icmp unreachable rate-limit 1 burst-size 1

icmp deny any outside

ASA(config)#

Hi,

Seems you only have the statement blocking the ICMP to the "outside" interface IP address and this should work.

I tested this on my own ASA also and seems to work fine when I enter/remove/re-enter the command.

Maybe it is some bug or the ASA is in need of a reload or something.

Could you share the whole configuration (partially mask public IP addresses etc)

Here is a link to ASA 8.2 Command Reference and the ICMP command

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/i1.html#wp1697623

- Jouni

Rebooted the ASA.  No change.  Still can ping 10.47.240.225 from 10.47.240.150, which is a host on the little switch where the ASA's outside interface is connected.  Still on the bench... not production, etc.

Here's the config...

ASA Version 8.2(2)

!

hostname ASA

domain-name guest.com

enable password ulioxzQNlwbZR encrypted

passwd ulioxzNlUYwNR encrypted

names

!

interface Vlan1

shutdown

no nameif

no security-level

no ip address

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

interface Vlan80

nameif inside

security-level 100

ip address 192.168.96.1 255.255.252.0

!

interface Vlan240

nameif management

security-level 100

ip address 10.47.240.225 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

switchport access vlan 80

!

interface Ethernet0/2

switchport access vlan 80

!

interface Ethernet0/3

switchport access vlan 80

!

interface Ethernet0/4

switchport access vlan 80

!

interface Ethernet0/5

switchport access vlan 80

!

interface Ethernet0/6

switchport access vlan 240

!

interface Ethernet0/7

switchport access vlan 240

!

ftp mode passive

dns server-group DefaultDNS

domain-name guest.com

same-security-traffic permit inter-interface

access-list outside_in extended deny ip any any log

access-list outside_in extended permit icmp any any echo-reply

pager lines 24

logging console debugging

mtu outside 1500

mtu inside 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp deny any outside

asdm image disk0:/asdm-625-53.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

access-group outside_in in interface outside

route management 10.2.10.10 255.255.255.255 10.47.240.1 1

route management 10.57.3.10 255.255.255.255 10.47.240.1 1

route management 10.96.1.12 255.255.255.255 10.47.240.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ (management) host 10.2.10.10

key *****

aaa authentication telnet console LOCAL

aaa authentication ssh console LOCAL

aaa authentication serial console LOCAL

aaa authentication enable console LOCAL

aaa authentication http console LOCAL

aaa authorization command LOCAL

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh 10.0.0.0 255.0.0.0 management

ssh timeout 5

console timeout 0

dhcprelay server 10.96.1.12 management

dhcprelay enable inside

dhcprelay timeout 60

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

tftp-server management 10.57.240.5 BlahBlahBlah

webvpn

anyconnect-essentials

username BlahBlahBlah password c23.VFGsxHlpzvDf encrypted privilege 15

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

inspect icmp

inspect icmp error

!

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callyourmom@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:544e8d1dff1e5dfdd277d295328e7321

: end

ASA#

Accepted Solution

Hi,

The IPs you mention are part of the "management" interface, NOT the "outside"

To block that icmp you would have to use

icmp deny any management

- Jouni
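The accepted answer turns on a detail worth making concrete: the ASA's icmp command builds a per-interface control list for ICMP addressed to the box itself, so an entry scoped to outside says nothing about what the management IP will answer. The following Python is an added example, not code from the thread or from Cisco. It models the documented behaviour of that list (an interface with no entries accepts all ICMP; otherwise the first matching entry wins and an unmatched packet is dropped), which is also what the original poster observed: with only icmp deny any outside configured, 10.47.240.225 on management still replied. The OP_SHOW_RUN_ICMP text is the show run icmp output pasted above; the FIXED_SHOW_RUN_ICMP policy, the 203.0.113.5 source and the 192.168.96.10 inside host are constructed for the example and are assumptions, not part of the thread.

```python
"""Model of the Cisco ASA 'icmp' control list (ICMP to the box itself).

Added example, not from the thread or from Cisco. Semantics modelled:
no entries for an interface -> every ICMP packet to that interface is
accepted; otherwise first match wins and anything unmatched is dropped.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# ICMP type keywords the 'icmp' command accepts, mapped to type numbers so
# that 'icmp permit any 8 outside' and 'icmp permit any echo outside' compare equal.
ICMP_TYPE_NAMES = {"echo-reply": 0, "unreachable": 3, "echo": 8,
                   "time-exceeded": 11, "traceroute": 30}


@dataclass(frozen=True)
class IcmpRule:
    action: str                     # "permit" or "deny"
    source: ipaddress.IPv4Network   # 0.0.0.0/0 stands for "any"
    icmp_type: Optional[int]        # None: every ICMP type
    interface: str                  # nameif the entry is scoped to


def _type_number(token: Optional[str]) -> Optional[int]:
    """Normalise a type keyword or number to an int (None means any type)."""
    if token is None:
        return None
    if token.isdigit():
        return int(token)
    if token not in ICMP_TYPE_NAMES:
        raise ValueError(f"unknown icmp type keyword: {token}")
    return ICMP_TYPE_NAMES[token]


def parse_icmp_rules(show_run_icmp: str) -> List[IcmpRule]:
    """Parse the 'icmp permit|deny ...' lines of 'show run icmp', in order."""
    rules: List[IcmpRule] = []
    for line in show_run_icmp.splitlines():
        tok = line.split()
        # 'icmp unreachable rate-limit ...' and blank lines are not list entries
        if len(tok) < 3 or tok[0] != "icmp" or tok[1] not in ("permit", "deny"):
            continue
        action, rest = tok[1], tok[2:]
        if rest[0] == "any":
            source, rest = ipaddress.IPv4Network("0.0.0.0/0"), rest[1:]
        elif rest[0] == "host":
            source, rest = ipaddress.IPv4Network(rest[1] + "/32"), rest[2:]
        else:  # "ip_address mask" form
            source = ipaddress.IPv4Network(f"{rest[0]}/{rest[1]}", strict=False)
            rest = rest[2:]
        if len(rest) not in (1, 2):
            raise ValueError(f"cannot parse icmp entry: {line!r}")
        icmp_type = _type_number(rest[0]) if len(rest) == 2 else None
        rules.append(IcmpRule(action, source, icmp_type, rest[-1]))
    return rules


def first_match(rules: List[IcmpRule], interface: str, src_ip: str,
                icmp_type: str = "echo") -> Optional[IcmpRule]:
    """Return the first entry on `interface` matching the packet, or None."""
    src, typ = ipaddress.IPv4Address(src_ip), _type_number(icmp_type)
    for r in rules:
        if r.interface == interface and src in r.source and r.icmp_type in (None, typ):
            return r
    return None


def icmp_to_box_allowed(rules: List[IcmpRule], interface: str, src_ip: str,
                        icmp_type: str = "echo") -> bool:
    """Would the ASA answer this ICMP packet sent to its own `interface` IP?"""
    if not any(r.interface == interface for r in rules):
        return True  # no list on this interface: everything is accepted
    match = first_match(rules, interface, src_ip, icmp_type)
    return match is not None and match.action == "permit"  # unmatched -> implicit deny


# The 'show run icmp' output the original poster pasted in the thread.
OP_SHOW_RUN_ICMP = """\
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
"""

# Hypothetical tightened policy (constructed here, not from the thread): only
# the management subnet may ping the management IP; echo-reply and unreachable
# stay open so pings sourced from the ASA and path-MTU discovery keep working.
FIXED_SHOW_RUN_ICMP = """\
icmp unreachable rate-limit 1 burst-size 1
icmp permit 10.47.240.0 255.255.255.0 echo management
icmp permit any echo-reply management
icmp permit any unreachable management
icmp deny any management
icmp deny any outside
"""

if __name__ == "__main__":
    probes = (("management", "10.47.240.150"),   # the bench host from the thread
              ("outside", "203.0.113.5"),        # constructed internet source
              ("inside", "192.168.96.10"))       # constructed inside host
    for label, text in (("as posted", OP_SHOW_RUN_ICMP), ("tightened", FIXED_SHOW_RUN_ICMP)):
        rules = parse_icmp_rules(text)
        for iface, src in probes:
            verdict = "answered" if icmp_to_box_allowed(rules, iface, src) else "dropped"
            print(f"{label:10} {iface:11} echo from {src:15} -> {verdict}")
```

This models only ICMP terminating on the ASA. Through-the-box ICMP is governed separately by the access-group ACL and, in the posted config, by inspect icmp in the global policy; note that in that config the line access-list outside_in extended deny ip any any log sits ahead of the permit icmp any any echo-reply line, so the permit entry can never match, and echo-replies for inside-originated pings come back only because the ICMP inspection tracks them.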

As you quickly figured out, I was configuring the wrong interface.  :|

Thanks for your help.

No problem,

Glad we sorted it out

- Jouni

sokakkar
Cisco Employee

Hi,

ASA5505(config)#icmp deny any outside

This command should be enough to block the pings to the outside interface. I haven't seen a similar caveat yet. As Jouni mentioned, can you paste the complete 'show run' for review?

- Sourav
