cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2790
Views
0
Helpful
12
Replies

Quick Question re: ASA and ICMP command

Private Private
Level 1
Level 1

All of the documentation I have found says that to allow a particular remote host (a.b.c.d) to ping the outside interface of an ASA, the ICMP command to implement is:

icmp permit host a.b.c.d echo-reply outside

Why is the icmp type/keyword in the command 'echo-reply' and not 'echo', if the goal here is to allow a.b.c.d to ping (icmp echo request, type 8, code 0) the outside interface? The example in the ASA 8.2 command reference provides the same style example in that it says:

"The following example permits host 172.16.2.15 or hosts on subnet 172.22.1.0/16  to ping the outside interface:

icmp permit host 172.16.2.15 echo-reply outside

icmp permit 172.22.1.0 255.255.0.0 echo-reply outside

icmp permit any unreachable outside"

Why isnt it the case that in the above example, what is actually being allowed (permitted) are ICMP echo-replies (icmp type 0, code 0) (and not ping requests) FROM the listed addresses to the outside interface?

2 Accepted Solutions

Accepted Solutions

Good Point!!!

I might not be able to answer it, but I tested it and it only works with echo, I might need to get in touch with our documentation team on it, since they can only verify it. But it should be echo. Maybe I am also doing something wrong but we can verify it ourselves, if you scroll to the bottom, you can provide us the feedback about the doc and this way it would be routed to the correct team, lets wait for their answer

Thanks,
Varun Rao
Security Team,
Cisco TAC

Thanks,
Varun Rao

View solution in original post

Sure, let us know, when you get the reply, take care

Thanks,
Varun Rao
Security Team,
Cisco TAC

Thanks,
Varun Rao

View solution in original post

12 Replies 12

Julio Carvajal
VIP Alumni
VIP Alumni

Hello Private,

I would do it with an access-list instead of using the ICMP configuration..

Have you test it with just the echo?

I would say you need both of them,

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

My question is part of a review I am doing, (I dont have access to the device).  My understanding though has always been that one uses ACLS (and ICMP in them) as a means for controlling pinging 'through' the ASA and that one should use the specific ICMP commands for controlling ICMP to the firewall interfaces.

Hello Private,

With the ACL you are going to be fine, that is all you need ( on the ACL will be only echo)

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

varrao
Level 10
Level 10

Hi,

It should be just echo, even that would allow the ping.

Thanks,
Varun Rao
Security Team,
Cisco TAC

Thanks,
Varun Rao

Varun - Thank you for your reply. Does that mean that the example given in the documentation is incorrect? That is, the example given:

"The following example permits host 172.16.2.15 or hosts on subnet 172.22.1.0/16  to ping the outside interface:

icmp permit host 172.16.2.15 echo-reply outside

icmp permit 172.22.1.0 255.255.0.0 echo-reply outside

icmp permit any unreachable outside"

Does not actually permit the given hosts to ping the outside interface, but rather, it only allows the ASA to receive ICMP echo reply messages from the hosts listed?

Good Point!!!

I might not be able to answer it, but I tested it and it only works with echo, I might need to get in touch with our documentation team on it, since they can only verify it. But it should be echo. Maybe I am also doing something wrong but we can verify it ourselves, if you scroll to the bottom, you can provide us the feedback about the doc and this way it would be routed to the correct team, lets wait for their answer

Thanks,
Varun Rao
Security Team,
Cisco TAC

Thanks,
Varun Rao

Not sure where to provide the feedback. I dont see anything on the bottom of this thread's page that says 'feedback'. Do I mark your answer as 'Correct' and then get an option to provide feedback?

btw - thank you Julio for your replies as well.

Nope I was talking about the command reference doc:

http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/i1.html#wp1717728

You will see the feedback option at the bottom.

You can also mark this thread as answered if it helped you.

Thanks,
Varun Rao
Security Team,
Cisco TAC

Thanks,
Varun Rao

Thanks. I will go there. Just as an fyi, although I have seen this exact example used in many versions of the documentation, the exact documentation I am looking at is the version 8.2 command reference.

  • Yup, I was checking the other latest versions as well whether its the same, and it is, so you cna provide your feedback on any one of them, since it commands have not changed.

Thanks,
Varun Rao
Security Team,
Cisco TAC

Thanks,
Varun Rao

Thanks.  Feedback submitted

Sure, let us know, when you get the reply, take care

Thanks,
Varun Rao
Security Team,
Cisco TAC

Thanks,
Varun Rao
Review Cisco Networking for a $25 gift card