07-21-2022 06:21 AM
Hi all,
I need to restrict ping to the outside interface of my ASA from the internet. I have tried the command below, but it makes my whole internet connection go down:
icmp deny any echo-reply outside
07-21-2022 08:43 AM
Is the FW connected directly to the internet, or is there a router?
You can create the ACL below on the router:
deny icmp any {your-public-IPs} {subnet} echo
permit ip any any
07-26-2022 04:07 AM
Yes, it's directly connected to the internet. Regarding the command you suggested, I think I have also applied the same. Correct me if I'm wrong.
07-21-2022 09:18 AM
There is a control-plane ACL in the ASA; you can add this deny icmp to it and it will deny any ICMP targeting the outside of the ASA.
07-21-2022 09:18 AM - edited 07-21-2022 09:28 AM
Don't use an ACL. Instead use the command:
no icmp permit any outside
(assuming the name of the outside interface is "outside").
An ACL generally affects traffic THROUGH the box and not TO the box and, as you discovered, will add an implicit "deny any any" once applied to an interface.
While you can use the control-plane ACL option as @MHM Cisco World suggested it's not necessary for this singular purpose since ASAs have this built-in command already.
07-26-2022 05:05 AM
icmp deny any echo outside
This must work, but
some routing uses IP SLA to track the static route, or uses IP SLA for routing protocol redundancy,
so instead of the above command, do:
icmp permit <ISP next hop of ASA> echo outside
Try it this way.
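A worked ICMP rule set for the outside interface, added here as an example; it is not taken from any post in the thread. It follows the two answers above (use the ASA icmp command rather than an interface ACL, and keep the ISP next hop able to exchange ICMP with the ASA so IP SLA tracking keeps working). It assumes the interface is named outside, that 203.0.113.1 is the ISP next hop and that 198.51.100.10 is a monitoring host that should still be allowed to ping the ASA; both addresses are placeholders from the documentation ranges. Order matters: ASA icmp rules are evaluated first-match, and as soon as any icmp rule exists on an interface an implicit deny of all other ICMP to that interface is appended. A single deny line therefore also drops the echo replies to the ASA's own IP SLA probes and the unreachable messages that path MTU discovery depends on, which is why every ICMP type the ASA itself still needs has to be permitted explicitly.

```cisco
! Added example, not from the thread. Placeholders:
!   outside        = name of the internet-facing interface
!   203.0.113.1    = ISP next hop (target of the IP SLA probe)
!   198.51.100.10  = monitoring host that may still ping the ASA
!
! 1. Replies to probes the ASA itself sends (sla monitor / route tracking,
!    admin pings from the box). Permit these first so tracking never depends
!    on anything below.
icmp permit any echo-reply outside
!
! 2. Hosts that are still allowed to ping the outside interface.
icmp permit host 203.0.113.1 echo outside
icmp permit host 198.51.100.10 echo outside
!
! 3. Keep path MTU discovery and traceroute working for traffic terminated
!    on the ASA (VPN peers in particular). Cisco recommends always permitting
!    unreachable (type 3).
icmp permit any unreachable outside
icmp permit any time-exceeded outside
!
! 4. Drop echo from everyone else. This line is optional because of the
!    implicit deny that follows any icmp rule, but it documents the intent.
icmp deny any echo outside
```

After applying it, check the result with `show running-config icmp` to confirm the order, ping the outside address from an internet host (expect no reply) and from the permitted monitoring host (expect a reply), and confirm that the tracked route is still installed with `show track` and `show sla monitor operational-state`. If the default route disappears after the change, the IP SLA reply is being caught by the implicit deny and the echo-reply permit is missing or placed after a deny.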