05-23-2012 09:36 AM - edited 03-11-2019 04:10 PM
All of the documentation I have found says that to allow a particular remote host (a.b.c.d) to ping the outside interface of an ASA, the ICMP command to implement is:
icmp permit host a.b.c.d echo-reply outside
Why is the icmp type/keyword in the command 'echo-reply' and not 'echo', if the goal here is to allow a.b.c.d to ping (icmp echo request, type 8, code 0) the outside interface? The example in the ASA 8.2 command reference provides the same style example in that it says:
"The following example permits host 172.16.2.15 or hosts on subnet 172.22.1.0/16 to ping the outside interface:
icmp permit host 172.16.2.15 echo-reply outside
icmp permit 172.22.1.0 255.255.0.0 echo-reply outside
icmp permit any unreachable outside"
Why isnt it the case that in the above example, what is actually being allowed (permitted) are ICMP echo-replies (icmp type 0, code 0) (and not ping requests) FROM the listed addresses to the outside interface?
Solved! Go to Solution.
05-23-2012 10:10 AM
Good Point!!!
I might not be able to answer it, but I tested it and it only works with echo, I might need to get in touch with our documentation team on it, since they can only verify it. But it should be echo. Maybe I am also doing something wrong but we can verify it ourselves, if you scroll to the bottom, you can provide us the feedback about the doc and this way it would be routed to the correct team, lets wait for their answer
Thanks,
Varun Rao
Security Team,
Cisco TAC
05-23-2012 10:33 AM
Sure, let us know, when you get the reply, take care
Thanks,
Varun Rao
Security Team,
Cisco TAC
05-23-2012 09:42 AM
Hello Private,
I would do it with an access-list instead of using the ICMP configuration..
Have you test it with just the echo?
I would say you need both of them,
Regards,
Julio
05-23-2012 09:50 AM
My question is part of a review I am doing, (I dont have access to the device). My understanding though has always been that one uses ACLS (and ICMP in them) as a means for controlling pinging 'through' the ASA and that one should use the specific ICMP commands for controlling ICMP to the firewall interfaces.
05-23-2012 09:59 AM
Hello Private,
With the ACL you are going to be fine, that is all you need ( on the ACL will be only echo)
Regards,
Julio
05-23-2012 09:53 AM
Hi,
It should be just echo, even that would allow the ping.
Thanks,
Varun Rao
Security Team,
Cisco TAC
05-23-2012 10:00 AM
Varun - Thank you for your reply. Does that mean that the example given in the documentation is incorrect? That is, the example given:
"The following example permits host 172.16.2.15 or hosts on subnet 172.22.1.0/16 to ping the outside interface:
icmp permit host 172.16.2.15 echo-reply outside
icmp permit 172.22.1.0 255.255.0.0 echo-reply outside
icmp permit any unreachable outside"
Does not actually permit the given hosts to ping the outside interface, but rather, it only allows the ASA to receive ICMP echo reply messages from the hosts listed?
05-23-2012 10:10 AM
Good Point!!!
I might not be able to answer it, but I tested it and it only works with echo, I might need to get in touch with our documentation team on it, since they can only verify it. But it should be echo. Maybe I am also doing something wrong but we can verify it ourselves, if you scroll to the bottom, you can provide us the feedback about the doc and this way it would be routed to the correct team, lets wait for their answer
Thanks,
Varun Rao
Security Team,
Cisco TAC
05-23-2012 10:15 AM
Not sure where to provide the feedback. I dont see anything on the bottom of this thread's page that says 'feedback'. Do I mark your answer as 'Correct' and then get an option to provide feedback?
btw - thank you Julio for your replies as well.
05-23-2012 10:19 AM
Nope I was talking about the command reference doc:
http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/i1.html#wp1717728
You will see the feedback option at the bottom.
You can also mark this thread as answered if it helped you.
Thanks,
Varun Rao
Security Team,
Cisco TAC
05-23-2012 10:22 AM
Thanks. I will go there. Just as an fyi, although I have seen this exact example used in many versions of the documentation, the exact documentation I am looking at is the version 8.2 command reference.
05-23-2012 10:24 AM
Thanks,
Varun Rao
Security Team,
Cisco TAC
05-23-2012 10:30 AM
Thanks. Feedback submitted
05-23-2012 10:33 AM
Sure, let us know, when you get the reply, take care
Thanks,
Varun Rao
Security Team,
Cisco TAC
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide