Inside users not able to ping to outside interface ip.

prashantrecon
Level 1

We are not able to ping the outside interface of the firewall from the inside network (LAN network), i.e. traffic directed at the interface.

I have executed the commands:

    icmp permit any echo-reply outside
    icmp permit any echo outside

Still we are not able to ping the outside interface.

I have also created the access list so that internet users are able to ping the outside interface of the firewall. This is working fine.

Please suggest so that inside users are able to ping the outside interface.

8 Replies

varrao
Level 10

Hi Prashant,

Due to security features of the ASA, you would never be able to ping remote interfaces on the ASA, which means no ping would work from the inside LAN to the outside interface or from the internet to the inside interface. This is not possible.

You would only be able to ping the inside interface from the LAN, or the default gateway for the firewall. If you are facing any issues with pinging internet IPs from the LAN, let me know.

Hope this was useful.

Thanks,

Varun

Please do rate helpful posts.

Thanks,
Varun Rao

As mentioned in Richard Deal's book, he has explained a topic called "traffic directed at the interface".

Could you please clarify this?

Hi Prashant,

I am not sure about what is written in the book, as I haven't read it, but what it may be indicating is the ASA interface to which the LAN machines are connected. Can you paste the excerpts from the book, because I am sure it does not mention anything about the remote interfaces; this is not possible and cannot be done. Do let me know if you have any doubts.

Hope this helps

Thanks,

Varun


Could you please explain the below concept:

Restricting ICMP Traffic Directed at the Appliance

The remainder of this section will focus on using the ICMP filtering feature. To control ICMP messages destined to an interface on the appliance, use the icmp command:

    ciscoasa(config)# icmp {permit | deny} src_IP_address src_subnet_mask [ICMP_message_type] logical_if_name

You must specify a source IP address and a subnet mask. Unlike with an extended ACL, there is no destination IP address, because the security appliance, itself, is the destination. You can qualify which ICMP messages are allowed or denied by entering a value for the ICMP_message_type parameter. The message types can be entered as either a name or a number. If you omit the message type, the appliance will assume that you want to allow or deny all ICMP messages. The last parameter is the name of the interface for which you want to restrict ICMP messages.

The appliance processes the icmp commands top-down for an interface. In other words, when the appliance receives an ICMP packet destined to one of its interfaces, it checks to see if any icmp commands are associated with the interface. If none is defined for the interface, the appliance processes the ICMP message and responds with the appropriate ICMP response. If an ICMP filter is on the interface, the appliance processes the icmp commands based on the order in which you entered them. If the appliance goes through the entire list and doesn't find a match, the appliance drops the ICMP message; this is like the implicit deny statement at the end of an ACL.

To remove a specific icmp command, preface it with the no parameter. To delete all the icmp commands that you have configured, use the clear configure icmp command.

NOTE As with ACLs, an implicit deny is at the end of the icmp command list. Therefore, if you use the icmp command, you should at least specify one permit statement per interface, unless you want your appliance to be completely invisible from ICMP traffic on the specified interface.

ICMP Filtering Example

Now let's take a look at an example on how to use the icmp command to restrict ICMP messages directed at an appliance interface. In this example, you want to be able to test connectivity from the appliance to other destinations on the Internet, and you want the appliance to process only certain ICMP packets to aid in connectivity testing; all other ICMP messages should be dropped. Here's an example of how to accomplish this:

    ciscoasa(config)# icmp permit any conversion-error outside
    ciscoasa(config)# icmp permit any echo-reply outside
    ciscoasa(config)# icmp permit any parameter-problem outside
    ciscoasa(config)# icmp permit any source-quench outside
    ciscoasa(config)# icmp permit any time-exceeded outside
    ciscoasa(config)# icmp permit any unreachable outside
    ciscoasa(config)# icmp deny any outside

Hi Prashant,

Whatever explanation you see in this is for the case where the host is connected to that interface only, which means:

Users on the internet need to ping the outside interface.

Users in the LAN need to ping the inside interface.

Nowhere is it written that you can ping the outside interface from the inside network (LAN); it is only possible if you are behind that interface. Don't worry, you can take our word on this for the Cisco ASA.

Thanks,

Varun


Thank you Varun,

My doubt is cleared now.

No issues

You can mark this thread as answered and do rate helpful posts.

Thanks,

Varun


Jennifer Halim
Cisco Employee

Yes, that is the correct default behaviour.

You will not be able to ping the opposite interface of the firewall.

E.g. if your PC is connected to the inside interface, you can only ping the inside interface of the firewall, or anything through the firewall, but not any other interface of the firewall apart from the inside interface.

If you want to ping the firewall outside interface, you can ping it from the internet only.
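As an added illustration of the two points made in this thread (the top-down, implicit-deny processing of the icmp command described in the book excerpt, and the far-side rule stated in the replies: an interface address only answers traffic that enters on that same interface), here is a small Python model. It is example code written for this page, not from the thread, the book or Cisco; the config fragment, host addresses and interface names in it are constructed, and it models nothing beyond what the thread states (no management-access, no interface ACLs, no NAT).

```python
# Added example (not from the thread, the book or Cisco): a small model of how the
# ASA handles ICMP traffic addressed to one of its own interface addresses, following
# the book excerpt quoted above. All config lines, hosts and interface names are
# constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ICMP type names the icmp command accepts, with their numeric types (either form is
# valid on the CLI). Only the types that appear in the thread are listed here.
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "source-quench": 4, "echo": 8,
              "time-exceeded": 11, "parameter-problem": 12, "conversion-error": 31}


@dataclass(frozen=True)
class IcmpRule:
    action: str                      # "permit" or "deny"
    network: ipaddress.IPv4Network   # source addresses the entry covers
    icmp_type: Optional[int]         # None: message type omitted, so every ICMP type
    interface: str                   # logical interface name, e.g. "outside"


def parse_icmp_rule(line: str) -> IcmpRule:
    """Parse one 'icmp {permit|deny} {any | src_ip src_mask} [type] ifname' line."""
    t = line.split()
    if len(t) < 4 or t[0] != "icmp" or t[1] not in ("permit", "deny"):
        raise ValueError(f"not an icmp command: {line!r}")
    if t[2] == "any":
        network, rest = ipaddress.IPv4Network("0.0.0.0/0"), t[3:]
    else:  # source address plus dotted subnet mask, as in an ASA ACL
        network, rest = ipaddress.IPv4Network(f"{t[2]}/{t[3]}", strict=False), t[4:]
    if len(rest) == 2:               # explicit message type, by name or by number
        icmp_type = ICMP_TYPES[rest[0]] if rest[0] in ICMP_TYPES else int(rest[0])
        interface = rest[1]
    elif len(rest) == 1:             # type omitted: the entry covers all ICMP messages
        icmp_type, interface = None, rest[0]
    else:
        raise ValueError(f"malformed icmp command: {line!r}")
    return IcmpRule(t[1], network, icmp_type, interface)


def load_icmp_rules(config: str) -> List[IcmpRule]:
    """Collect the icmp commands of a config fragment in the order they were entered."""
    return [parse_icmp_rule(ln) for ln in config.splitlines() if ln.strip().startswith("icmp ")]


def icmp_to_box_decision(rules: List[IcmpRule], ingress_if: str, dst_if: str,
                         src_ip: str, icmp_type: int) -> Tuple[bool, str]:
    """Decide whether the appliance processes an ICMP packet sent to the address of
    interface dst_if and arriving on ingress_if. Returns (processed, reason)."""
    # Default behaviour confirmed in the replies: an interface address only answers
    # traffic that enters on that interface. A LAN host sending to the outside interface
    # IP enters on "inside", so it is dropped before any icmp entry is read, and
    # 'icmp permit any echo outside' cannot change that.
    if ingress_if != dst_if:
        return False, "far-side interface address: dropped by design"
    per_if = [r for r in rules if r.interface == dst_if]
    if not per_if:
        return True, "no icmp filter on this interface: all ICMP processed"
    src = ipaddress.IPv4Address(src_ip)
    for rule in per_if:              # top-down, first matching entry decides
        if src in rule.network and rule.icmp_type in (None, icmp_type):
            return rule.action == "permit", f"matched '{rule.action}' entry for {rule.network}"
    return False, "no entry matched: implicit deny at the end of the icmp list"


# Constructed running-config fragment: the book's outside list plus one inside entry.
SAMPLE_CONFIG = """
icmp permit any conversion-error outside
icmp permit any echo-reply outside
icmp permit any parameter-problem outside
icmp permit any source-quench outside
icmp permit any time-exceeded outside
icmp permit any unreachable outside
icmp deny any outside
icmp permit 10.0.1.0 255.255.255.0 echo inside
"""


def run_scenarios(config: str = SAMPLE_CONFIG) -> dict:
    """Evaluate the cases discussed in the thread; returns {case name: processed}."""
    rules = load_icmp_rules(config)
    cases = {  # name: (ingress interface, destination interface, source IP, ICMP type)
        "inside host -> inside if (echo)": ("inside", "inside", "10.0.1.20", 8),
        "inside host -> outside if (echo)": ("inside", "outside", "10.0.1.20", 8),  # the poster's case
        "internet host -> outside if (echo)": ("outside", "outside", "203.0.113.9", 8),  # hits 'deny any'
        "internet host -> outside if (echo-reply)": ("outside", "outside", "203.0.113.9", 0),
        "other LAN host -> inside if (echo)": ("inside", "inside", "192.168.5.5", 8),  # implicit deny
    }
    results = {}
    for name, (ingress, dst, src, icmp_type) in cases.items():
        processed, reason = icmp_to_box_decision(rules, ingress, dst, src, icmp_type)
        results[name] = processed
        print(f"{name:42} {'processed' if processed else 'dropped':9} ({reason})")
    return results


if __name__ == "__main__":
    run_scenarios()
```

Two things the run makes visible that the prose alone does not: with the book's outside list, an echo request from the internet is caught by the explicit `icmp deny any outside` (the list is tuned for the appliance's own outbound pings, not for being pinged), and the poster's scenario is dropped before the outside list is consulted at all, which is why adding `icmp permit any echo outside` had no effect.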
