03-24-2011 07:11 AM - edited 03-11-2019 01:12 PM
The following line was in our firewall config so I removed it completely for security reasons.
access-list from_outside permit icmp any any
Is there any reason to allow icmp into our network at all? In other words, should I allow it to certain areas of our network?
Thank you,
Thomas Reiling
03-24-2011 07:24 AM
Keeping it or removing it is really up to you. I assume that ACL is applied to the outside interface. It will allow all ICMP traffic from outside to any IP you have NAT'ed on the outside. It will also allow ICMP traffic initiated on the inside to be allowed back on the outside interface.
If you need ICMP from inside to be replied on the outside then you could apply the inspect icmp and that will still allow your ICMP traffic to be allowed back in when initiated on any internal interface.
I don't see any bad implications on removing that ACL.
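The two alternatives the answer describes, written out as an added ASA configuration example (not the poster's config and not the answer's own text). The interface name "outside", the ACL name "from_outside", the host address 203.0.113.10 and the policy-map/class names are assumptions; the policy-map and class names are the ASA defaults, and 203.0.113.10 is a documentation-range placeholder standing in for a NAT'ed public address.

```cisco
! --- Before: the line the poster removed. Any ICMP type from any source
! --- reaches every NAT'ed address; inside-originated pings also get their
! --- replies back only because of this blanket permit.
access-list from_outside extended permit icmp any any
access-group from_outside in interface outside

! --- After: let the stateful engine handle replies to inside-originated ICMP,
! --- so no inbound ACL entry is needed for that at all.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
service-policy global_policy global

! --- Optional: if outside hosts must still be able to ping one specific
! --- published address (assumed 203.0.113.10), permit only echo to that host
! --- rather than all ICMP to everything. Unreachable and time-exceeded are
! --- kept so path MTU discovery and traceroute through the firewall still work.
access-list from_outside extended permit icmp any host 203.0.113.10 echo
access-list from_outside extended permit icmp any any unreachable
access-list from_outside extended permit icmp any any time-exceeded
access-group from_outside in interface outside
```

With `inspect icmp` in place, an inside-originated echo creates a connection entry and the echo-reply is matched to it on the way back; the outside ACL is consulted only for ICMP that originates outside, which is the traffic worth restricting per host and per type.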