ICMP OUTSIDE

estelamathew
Level 2

Hello Dears,

I have permitted only ports 80 and 443 for our web server in the DMZ. My question is: after permitting ports 80 and 443, everything else is denied, correct me if I'm wrong???

I am able to ping the public IP address of the outside interface of the ASA from the internet, why????

When I do 'icmp deny any outside' then it stops pinging, but it also stops pinging the directly connected interface of the Internet router, which is sometimes used for troubleshooting.

My concern is, when I have denied everything from the outside access-list except 80 and 443, then why are ICMP replies seen by a host on the internet?

4 Replies

mirober2
Cisco Employee

Hello,

The difference is in the way the ASA processes to-the-box vs. through-the-box traffic. You are correct that the 'access-list' command includes an implicit deny at the end of it, so all traffic not explicitly permitted will be blocked. However, the access-list only applies to through-the-box traffic. Nothing that you configure in an interface ACL will affect ICMP traffic destined directly to the ASA.

The 'icmp permit' command is how you create access rules for to-the-box traffic.

In other words, use 'access-list' to restrict traffic between 2 hosts on either side of the firewall. Use 'icmp' (or 'ssh', 'telnet', or 'http') to restrict traffic sent to the firewall itself.

Hope that helps.

-Mike
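An added configuration example illustrating the distinction above (not from the thread or from Cisco's documentation). It assumes ASA 8.3 or later, an outside interface at 203.0.113.2, an ISP router at 203.0.113.1 and a DMZ web server at 192.168.10.10 published as 203.0.113.10; all addresses are constructed.

```cisco
! Added example, not from the thread. Addresses are constructed:
! outside interface 203.0.113.2/24, ISP router 203.0.113.1,
! DMZ web server 192.168.10.10 statically translated to 203.0.113.10.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
! Through-the-box traffic: the interface ACL. Only 80/443 to the web
! server are permitted; the implicit deny at the end drops the rest.
! (ASA 8.3+: the ACL references the real, untranslated address.)
object network WEB-SERVER
 host 192.168.10.10
 nat (dmz,outside) static 203.0.113.10
!
access-list OUTSIDE_IN extended permit tcp any object WEB-SERVER eq 80
access-list OUTSIDE_IN extended permit tcp any object WEB-SERVER eq 443
access-group OUTSIDE_IN in interface outside
!
! To-the-box traffic: the ACL above never sees pings aimed at
! 203.0.113.2 itself. The 'icmp' command controls those. Once any
! icmp rule exists on an interface, everything not listed is denied,
! so only the directly connected router may still ping the outside
! interface for troubleshooting; all other sources get no reply.
icmp permit host 203.0.113.1 echo outside
icmp deny any outside
```

The ACL remains unchanged, so web traffic to the server is unaffected by the 'icmp' rules.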

Hello,

From your mail, what I understand is:

Access-list is for the traffic which passes through the firewall.

And to block ICMP, telnet and SSH to the firewall itself, we should use these commands: telnet, ssh, icmp.

So my firewall outside interface which is pinging is correct; it should ping until and unless I put the command 'icmp deny any outside'.

Please reply.

Thanks

Hi,

Yes, you are correct.

-Mike

Hello Mike,

Thanks a ton,

I wanted to confirm the above mail points before posting the statements below.

I have an ISA server with 2 NICs; 1 is outside and 1 is connected to the core switch.

The ISA is statically NATted with a public IP for carrying users' traffic to browse the internet.

Very, very strange issue: when I put the 'icmp deny any outside' command on the firewall, users are not able to browse the internet. Why???????

Thanks
