04-05-2012 11:41 AM - edited 03-11-2019 03:51 PM
We have a Cisco ASA 5580 and the outside interface has a public IP address and we noticed we can ping this address from the Internet. I did a packet capture on the outside interface and confirmed the pings and the IP address sending the pings. The 5580 does not have an access list allowing icmp so I'm not sure what is allowing the pings to this interface.
Appreciate any help.
Jeff
04-05-2012 08:38 PM
Pings to the interface are permitted by default. Pings through the ASA are denied by default.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#topic5
hth
Chad
Sent from Cisco Technical Support iPad App
04-05-2012 12:47 PM
icmp permit any outside
icmp permit any unreachable outside
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any time-exceeded outside
04-05-2012 12:50 PM
Roman,
I appreciate the reply, but neither of those commands is configured on the ASA, there are no inspect statements allowing icmp, and only the implicit deny access rule is configured on the outside interface, so I'm still confused as to what is allowing the pings to the outside interface.
Jeff
04-05-2012 01:10 PM
Hi,
I did a test on my home ASA 5505 8.4(3)
It seems that if you don't have any "icmp permit/deny" lines configured (ASA default?), the ASA will respond to ICMP from anywhere on the corresponding interface.
If you, let's say, add one line to allow ICMP to the ASA outside interface and you're pinging from some other network that's not mentioned in the rule you just inserted, the ASA won't respond.
So it seems to be
To be honest I don't know what this is based on, but it does seem to work like that after I tried the commands around.
- Jouni
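The behaviour Chad and Jouni describe (no "icmp" lines on an interface means the ASA answers ICMP sent to that interface from anyone; once any "icmp" line exists the list is walked top-down and everything else hits an implicit deny) can be written down as a small model. This is an added illustration, not Cisco code and not from this thread; the parser covers the documented `icmp {permit|deny} {any|host A|A MASK} [type] ifname` form, the list is assumed to be evaluated per interface, and ICMP passing *through* the ASA (governed by interface ACLs) is deliberately left out.

```python
"""Model of Cisco ASA 'icmp permit|deny' control-list semantics for traffic
terminating on an interface. Added illustration only; assumptions: the list
is evaluated per interface, first match wins, an empty list means permit."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class IcmpRule:
    action: str                      # "permit" or "deny"
    network: ipaddress.IPv4Network   # 'any' is modelled as 0.0.0.0/0
    icmp_type: Optional[str]         # None matches every ICMP type
    interface: str


def parse_icmp_line(line: str) -> IcmpRule:
    """Parse one 'icmp permit|deny {any|host A|A MASK} [type] ifname' line."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "icmp" or tokens[1] not in ("permit", "deny"):
        raise ValueError(f"not an icmp control line: {line!r}")
    action, interface, rest = tokens[1], tokens[-1], tokens[2:-1]
    if rest[0] == "any":
        network, rest = ipaddress.IPv4Network("0.0.0.0/0"), rest[1:]
    elif rest[0] == "host":
        network, rest = ipaddress.IPv4Network(f"{rest[1]}/32"), rest[2:]
    else:  # address followed by a dotted netmask, as the ASA CLI writes it
        network = ipaddress.IPv4Network(f"{rest[0]}/{rest[1]}", strict=False)
        rest = rest[2:]
    icmp_type = rest[0] if rest else None
    return IcmpRule(action, network, icmp_type, interface)


def icmp_to_interface_allowed(rules: List[IcmpRule], interface: str,
                              src_ip: str, icmp_type: str) -> bool:
    """Would the ASA accept this ICMP packet addressed to 'interface'?"""
    per_if = [r for r in rules if r.interface == interface]
    if not per_if:
        return True   # no control list on this interface: answer anyone
    src = ipaddress.IPv4Address(src_ip)
    for r in per_if:  # top-down, first match decides
        if src in r.network and (r.icmp_type is None or r.icmp_type == icmp_type):
            return r.action == "permit"
    return False      # a list exists but nothing matched: implicit deny


def load_rules(config: str) -> List[IcmpRule]:
    return [parse_icmp_line(l) for l in config.splitlines() if l.strip()]


# Constructed configurations, not from the thread's ASA
EMPTY_CONFIG = ""
OPEN_CONFIG = "icmp permit any outside\n"
RESTRICTED_CONFIG = (
    "icmp permit 10.0.0.0 255.0.0.0 echo outside\n"
    "icmp permit any echo-reply outside\n"
    "icmp permit any unreachable outside\n"
    "icmp permit any time-exceeded outside\n"
)

if __name__ == "__main__":
    for name, cfg in [("empty", EMPTY_CONFIG), ("open", OPEN_CONFIG),
                      ("restricted", RESTRICTED_CONFIG)]:
        rules = load_rules(cfg)
        ok = icmp_to_interface_allowed(rules, "outside", "203.0.113.5", "echo")
        print(f"{name:10s} echo from 203.0.113.5 -> {'answered' if ok else 'dropped'}")
```

The "empty" case is Jeff's situation: no `icmp` lines at all, so an Internet host's echo to the outside address is answered even though the interface ACL only has the implicit deny. The "restricted" case shows why, once any list exists, the echo-reply/unreachable/time-exceeded lines Roman posted matter: without them the implicit deny would also drop the replies and errors the ASA itself needs to receive.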
04-05-2012 01:19 PM
Jouni, thanks for the reply, as I was under the impression the ASA denies icmp by default unless manually allowed. Either there is something I'm missing, or we have a bug based on the version and/or configuration we have, or I'm wrong in assuming pings are denied by default.
Thanks again,
Jeff