
Why does ASA block icmp by default and not other traffic?

reachabdulla
Level 1

Hi,

Imagine an ASA with a web server on the "outside" and a PC on the "inside". By default, when we ping from the "inside" PC to the "outside" server, the traffic is blocked. We need to apply an ACL on the outside to permit the ICMP.

On the contrary, if we try to access a web page of the "outside" server from the "inside" PC, it's permitted by default.

I am not able to understand why.

Thanks in advance.

Regards,

Mohammed Abdulla.

Accepted Solution

Jon Marshall
Hall of Fame

reachabdulla wrote:

Hi,

Imagine an ASA with a web server on the "outside" and a PC on the "inside". By default, when we ping from the "inside" PC to the "outside" server, the traffic is blocked. We need to apply an ACL on the outside to permit the ICMP.

On the contrary, if we try to access a web page of the "outside" server from the "inside" PC, it's permitted by default.

I am not able to understand why.

Thanks in advance.

Regards,

Mohammed Abdulla.

Mohammed

Have a quick read of this thread - the bit that explains the basic function of an ASA firewall -

ASA basic function

The difference with ping is that it uses ICMP, and ICMP is not stateful in the way that TCP/UDP are (UDP is pseudo-stateful). Any protocol that isn't stateful needs its traffic explicitly allowed back in, unlike the HTTP example in the above thread. That's why you have to allow ICMP back in.

However, it should be noted that the ASA and PIX firewalls with v7.x code have the ability to do ICMP inspection, which, if you enable it, means you don't need to allow it back in with an ACL. Have a read of this link which covers ICMP through the ASA -

ASA ICMP

Jon

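The two options Jon describes, as an added configuration example that is not part of the original thread. It assumes the usual default names: an interface with nameif "outside" at security-level 0, an "inside" interface at security-level 100, and the factory default policy-map "global_policy" with class "inspection_default" already applied globally. The ACL name OUTSIDE_IN is an assumed name chosen for this example. Option A is the stateless workaround (it lets any echo-reply in from anywhere, whether or not an inside host asked for it); option B is the stateful fix, where the ASA only passes a reply that matches an echo request it has already seen from the inside.

```cisco
! --- Option A: stateless ACL on the outside interface (the workaround) ---
! Permit the ICMP types a ping/traceroute from inside needs to come back.
! Nothing ties these replies to an outbound request: any outside host may
! send echo-replies to any inside host at any time.
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-group OUTSIDE_IN in interface outside

! --- Option B: ICMP inspection (the stateful fix, preferred) ---
! "inspect icmp" is NOT part of the default inspection_default class, so it
! has to be added. With it enabled the ASA builds a connection entry for each
! outbound echo request and only admits the single matching reply; an
! unsolicited echo-reply from outside is dropped without any inbound ACL.
! "inspect icmp error" does the same for ICMP errors (unreachable,
! time-exceeded) that refer to an existing TCP/UDP/ICMP connection.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
service-policy global_policy global

! --- Verification ---
show service-policy          ! confirm "Inspect: icmp" is listed under global_policy
show access-list OUTSIDE_IN  ! hit counts on the ACL (Option A only)
show conn                    ! an ICMP entry appears while an inside ping is in flight
```

With option B in place, the outside ACL lines from option A can be removed; traffic from inside (security level 100) to outside (level 0) is still permitted by the default higher-to-lower rule, which is why the HTTP request in the question worked without any ACL in the first place.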

