11-03-2010 01:03 AM - edited 03-11-2019 12:03 PM
I have an ACL which is:
access-list local_inside extended permit icmp 192.168.100.0 255.255.255.0 any log alerts interval 400
1. If it says only ICMP protocol to any, does it cover ICMP echo and echo-reply both?
2. Does interval 400 indicate a period of 400 secs after which the next hit for the same list will be shown, the existing flow using the present session till the time interval?
3. Since the destination is any here, will it register ICMP from the source to the interface IP of the firewall itself, if a ping is tried to those interfaces, or will it only have flows through the firewall?
TIA.
11-03-2010 04:41 AM
Hi
1. It covers both ICMP echo and echo-reply.
2. interval specifies the log interval at which to generate system log message 106100. Valid values are from 1 to 600 seconds. The default is 300.
3. The access-list will register the pings which flow through the firewall and not those to the interface of the firewall.
Hope the above answers your question.
Regards
Rahul
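The answer above explains that "interval 400" controls how often message 106100 is generated for a flow: the first matching packet produces an immediate "first hit" message, after which the ASA emits one summary message per flow every 400 seconds carrying the hit count for that window. The following Python is an added example for this page (not code posted in the thread or shipped by Cisco) that parses 106100 lines in the documented layout, ignores other messages, and recovers per-flow totals and packet rates from the "first hit" and "N-second interval" messages. The syslog lines it runs on are constructed for the example, not captured from a device; the "(0)" port fields, the hash values and the timestamps are assumptions, and "log alerts" is assumed to produce severity 1 in the "%ASA-1-106100" tag.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Message 106100 body, per the documented layout:
#   access-list <acl> <permitted|denied|est-allowed> <proto>
#   <if>/<ip>(<port>) -> <if>/<ip>(<port>) hit-cnt <n> (first hit | <i>-second interval) [<hash>, <hash>]
# The digit after "%ASA-" is the level chosen with the ACE's "log <level>" keyword
# ("log alerts" is assumed to give 1); the interval seconds echo the ACE's "interval <n>".
MSG_106100 = re.compile(
    r"%ASA-(?P<sev>\d)-106100: access-list (?P<acl>\S+) "
    r"(?P<action>permitted|denied|est-allowed) (?P<proto>\S+) "
    r"(?P<src_if>[^/\s]+)/(?P<src>[^(\s]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst>[^(\s]+)\((?P<dport>\d+)\) "
    r"hit-cnt (?P<hits>\d+) (?:(?P<first>first hit)|(?P<interval>\d+)-second interval)"
)


@dataclass(frozen=True)
class Hit:
    severity: int
    acl: str
    action: str
    proto: str
    src: str                 # "<interface>/<address>"
    dst: str
    hits: int                # hit-cnt carried by the message
    interval: Optional[int]  # None for the "first hit" message, else the window in seconds


FlowKey = Tuple[str, str, str, str, str]   # (acl, action, proto, src, dst)


def parse_106100(line: str) -> Optional[Hit]:
    """Return a Hit for a 106100 line, or None for any other syslog message."""
    m = MSG_106100.search(line)
    if not m:
        return None
    return Hit(
        severity=int(m["sev"]),
        acl=m["acl"], action=m["action"], proto=m["proto"],
        src=f'{m["src_if"]}/{m["src"]}', dst=f'{m["dst_if"]}/{m["dst"]}',
        hits=int(m["hits"]),
        interval=int(m["interval"]) if m["interval"] else None,
    )


def summarize(lines: Iterable[str], expected_interval: Optional[int] = None) -> Dict[FlowKey, dict]:
    """Aggregate 106100 messages per flow.

    A "first hit" message counts as one packet. Each "<i>-second interval" message
    contributes hit-cnt packets spread over i seconds, so the per-flow rate is
    interval hits divided by the summed interval seconds. When expected_interval is
    given, messages carrying a different window are counted as unexpected, which
    catches an ACE whose configured interval is not the one the operator believes.
    """
    flows: Dict[FlowKey, dict] = defaultdict(lambda: {
        "total": 0, "messages": 0, "interval_hits": 0, "interval_seconds": 0,
        "rate": 0.0, "unexpected_interval": 0,
    })
    for line in lines:
        hit = parse_106100(line)
        if hit is None:
            continue
        f = flows[(hit.acl, hit.action, hit.proto, hit.src, hit.dst)]
        f["total"] += hit.hits
        f["messages"] += 1
        if hit.interval is not None:
            f["interval_hits"] += hit.hits
            f["interval_seconds"] += hit.interval
            if expected_interval is not None and hit.interval != expected_interval:
                f["unexpected_interval"] += 1
    for f in flows.values():
        if f["interval_seconds"]:
            f["rate"] = f["interval_hits"] / f["interval_seconds"]
    return dict(flows)


# Constructed sample syslog lines (not captured from a real device): three 106100
# messages for one ping flow matched by the ACE from the thread, plus one 106023
# message that the parser must ignore.
SAMPLE: List[str] = [
    "<161>Nov 03 2010 01:03:01 asa %ASA-1-106100: access-list local_inside permitted icmp "
    "inside/192.168.100.10(0) -> outside/10.1.1.1(0) hit-cnt 1 first hit [0x4e3a2b1c, 0x0]",
    "<161>Nov 03 2010 01:09:41 asa %ASA-1-106100: access-list local_inside permitted icmp "
    "inside/192.168.100.10(0) -> outside/10.1.1.1(0) hit-cnt 400 400-second interval [0x4e3a2b1c, 0x0]",
    "<161>Nov 03 2010 01:16:21 asa %ASA-1-106100: access-list local_inside permitted icmp "
    "inside/192.168.100.10(0) -> outside/10.1.1.1(0) hit-cnt 12 400-second interval [0x4e3a2b1c, 0x0]",
    "<164>Nov 03 2010 01:03:05 asa %ASA-4-106023: Deny icmp src inside:192.168.100.20 "
    "dst outside:10.1.1.2 (type 8, code 0) by access-group \"local_inside\" [0x0, 0x0]",
]

if __name__ == "__main__":
    for key, stats in summarize(SAMPLE, expected_interval=400).items():
        print(key, stats)
```

Because the ASA collapses everything after the first packet into one message per window, the interval messages are the only place the packet count survives; a detection rule that counts 106100 lines instead of summing hit-cnt will undercount a flood by a factor of up to the interval length.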
11-03-2010 05:27 PM
Thanks for the answers. A small bit here: since the ACL says any destination, shouldn't ICMP to the FW interface also count under those?
If this is not it, where would ICMP from the same source subnet to the FW interface be accounted for?
TIA
11-03-2010 08:14 PM
Hi,
ICMP traffic to the firewall is not controlled using access-lists. Instead you will have to use the "icmp" command, details of which can be found below:
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i1.html#wp1685750
For example, if you would like to allow the subnet 192.168.100.0/24 to ping the "inside" interface of the firewall, the command would be
icmp permit 192.168.100.0 255.255.255.0 inside
Hope that clears things out!!
Cheers,
Prapanch
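To put the two answers together, here is a configuration fragment added for this page (not posted by anyone in the thread) showing the ACE from the question bound to the inside interface alongside the separate ICMP control list that governs pings to the firewall's own interface address. The "icmp" command syntax is the one in the ASA 8.0 command reference linked above; the "access-group" binding and the explicit "icmp deny any inside" line are assumptions added so that the example is complete and the result does not depend on the default action when no entry matches.

```text
! Through-the-box ICMP from 192.168.100.0/24 (both echo and echo-reply, since no type is given).
! Each flow is logged as message 106100 at level alerts (1): first hit immediately,
! then one summary message every 400 seconds.
access-list local_inside extended permit icmp 192.168.100.0 255.255.255.0 any log alerts interval 400
access-group local_inside in interface inside
!
! To-the-box ICMP (pings aimed at the inside interface address) never consults the ACL
! above; it is matched here, first entry wins.
icmp permit 192.168.100.0 255.255.255.0 echo inside
icmp deny any inside
```

With this in place, a ping from 192.168.100.10 to a host behind the outside interface shows up in 106100 messages for local_inside, while a ping from the same host to the inside interface address is decided solely by the two "icmp" lines and produces no 106100 entry.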