10-26-2012 09:07 PM - edited 03-11-2019 05:14 PM
Hi Everyone,
I applied this on the ASA:
icmp deny any inside
After applying this:
1. From the ASA I can ping the inside interface IP
ciscoasa# ping 192.168.1.1    <-- inside interface IP
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
I can ping the outside IP
ciscoasa# ping 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/54/60 ms
ciscoasa#
2. From a PC connected to the ASA I cannot ping the inside interface, but I can ping internet sites.
I need to understand why, from the PC, I cannot ping the ASA inside IP but can ping internet sites.
Thanks
Mahesh
10-26-2012 11:46 PM
You are using the wrong command to achieve your goals.
The icmp command controls what type of ICMP messages the attached PCs can send *to* the ASA. As you have a deny in the rule, the ping doesn't work.
Access-lists control what can be sent *through* the ASA. You have to add a line "deny icmp any any" to the ACL on your inside interface. If you don't have an ACL yet, then you need a second line "permit ip any any" to allow the rest.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
10-27-2012 12:05 AM
1. The "icmp deny any inside" command allows you to block ping towards the ASA inside interface. So you won't be able to ping the inside interface of the ASA from a host connected to the internal network. You can't test it by pinging from the ASA itself, as it is meant to apply to hosts behind the inside interface.
2. That "icmp deny any inside" command is only for allowing or blocking ping towards the ASA interfaces, not ping through the ASA. If you are trying to ping internet sites and want to block those, then you would need to configure an interface access-list to block it and apply it with the access-group command on the interface.
Hope that helps.
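Pulling the two answers above together as an added example (this is not configuration posted in the thread): the ASA snippet below places the icmp command (to-the-box, what the original poster configured) beside an interface ACL (through-the-box, what the replies say is needed to stop pings to the internet), and permits the unreachable and time-exceeded ICMP types ahead of the deny so path diagnostics keep working. The ACL name inside_in and the interface name inside are assumptions.

```cisco
! Added example, not from the thread. Interface and ACL names are assumed.

! 1) To-the-box: the "icmp" command decides which ICMP messages the ASA itself
!    accepts on an interface. This is the rule from the original post; it stops
!    inside hosts from pinging the inside interface IP and affects nothing else.
icmp deny any inside
! Narrower variant: block only echo requests aimed at the ASA, keep the rest.
! icmp deny any echo inside

! 2) Through-the-box: an interface ACL decides what transits the ASA.
!    First match wins and the ACL ends with an implicit deny, so the final
!    "permit ip any any" is required to keep the remaining traffic flowing.
access-list inside_in extended permit icmp any any unreachable
access-list inside_in extended permit icmp any any time-exceeded
access-list inside_in extended deny   icmp any any
access-list inside_in extended permit ip any any
access-group inside_in in interface inside

! Verify which rules are in place and whether the deny line is counting hits:
! show running-config icmp
! show access-list inside_in
```

After applying this, a ping from an inside PC to the inside interface IP fails because of the icmp rule, and a ping from that PC to an internet address fails because of the ACL's deny line; the hit counter in "show access-list inside_in" tells you which of the two rules a failed ping actually matched.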
10-27-2012 07:44 AM
Hi Karsten and Jennifer,
You explained the concept very well.
Many thanks again
Regards
Mahesh
10-27-2012 09:37 AM
And if you now plan your config, remember that ICMP is not your enemy. ICMP has also some useful features like unreachables that should be allowed in many cases.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni