How to disable to ping outside from my public ip

ThomasMull9000

Dear Folks,

We have a Cisco ASA 5505 and we are using one public IP, 155.155.155.9, so I want to disable ping from outside to this IP, but not affect our site-to-site and remote VPN connections.

The only thing I need is to disable ping to the public IP from outside.

Thank you guys.


ICMP-traffic that is sent to the ASA is controlled with the command "icmp". With this command you can permit and deny certain ICMP-types per interface. The command works in a way that is comparable to an ACL. If you have one entry in your configuration, then everything that is not explicitly allowed is denied. So make sure you don't deny needed unreachables and these things.

Here is the configuration-guide for this function:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/access_management.html#wp1093364

If you tried to block this traffic with your interface-ACL, you should remove the entries. Traffic to the ASA is never controlled with interface ACLs. (I just mention this because I have seen too many configs where this traffic is configured on the interface-ACLs.)

Hi Thomas,

I hope you have configured the public IP on the outside interface (nameif outside e 0/0). If that is the case, apply the command below. It will deny the ICMP traffic to the outside.

icmp deny any outside

Please do rate if the given information helps.

By

Karthik

Thank you very much karsten.iwen and Karthikeyan Natarajan.

Yes, I configured the public IP on the outside interface (name outside 0/0), but I want all other traffic not to be affected. The only thing I want is to stop other public IP addresses in the world from pinging my outside interface.

Thank you again.

for that, the icmp-config would be the following:

icmp deny any echo outside

icmp permit any outside

echo requests get dropped, but all the other icmp types are still allowed.
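
Added example, not part of the original replies and not Cisco code: a simplified Python model of the first-match and implicit-deny behaviour described in this thread, comparing the rule sets posted above. It assumes only the `any` source form used here; the function names and the reversed-order rule set are constructed for illustration.

```python
# Simplified model of how an ASA evaluates "icmp" rules for traffic addressed
# to one of its own interfaces: first match wins, and once an interface has
# any rule, whatever matches no rule is denied. Only the "any" source form
# used in this thread is parsed.

def parse_rule(line):
    """'icmp deny any echo outside' -> ('deny', 'echo', 'outside')."""
    words = line.split()
    if len(words) not in (4, 5) or words[0] != "icmp" or words[2] != "any":
        raise ValueError("unsupported rule: " + line)
    if words[1] not in ("permit", "deny"):
        raise ValueError("unsupported action: " + line)
    icmp_type = words[3] if len(words) == 5 else None  # None = every type
    return words[1], icmp_type, words[-1]

def verdict(config, icmp_type, interface):
    """Return 'permit' or 'deny' for one ICMP type arriving on an interface."""
    rules = [r for r in map(parse_rule, config) if r[2] == interface]
    if not rules:
        return "permit"          # no rules on the interface: ICMP is allowed
    for action, rule_type, _ in rules:
        if rule_type is None or rule_type == icmp_type:
            return action        # first matching rule decides
    return "deny"                # implicit deny after the last rule

# Constructed rule sets: the first two are the ones posted in this thread,
# the third reverses the order to show why the deny must come first.
DENY_ALL = ["icmp deny any outside"]
DENY_ECHO_ONLY = ["icmp deny any echo outside", "icmp permit any outside"]
WRONG_ORDER = ["icmp permit any outside", "icmp deny any echo outside"]

def report(config):
    """Verdicts on the outside interface for three common ICMP types."""
    return {t: verdict(config, t, "outside")
            for t in ("echo", "unreachable", "time-exceeded")}

if __name__ == "__main__":
    for name, cfg in (("deny all", DENY_ALL),
                      ("deny echo, permit rest", DENY_ECHO_ONLY),
                      ("permit first", WRONG_ORDER)):
        print(name, report(cfg))
```

On the device itself, `show running-config icmp` lists the configured rules in the order they are evaluated.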

Hi Thomas,

Yup. Karsten is correct. That will work. It will block only ICMP echo packets (ping).

Please do rate if the given info helps.

By

Karthik

This works for me.

Thanks a lot guys, God bless you. I can't count how much I said thank you to you.

You are always welcome friend. This community always helps and shares whatever we have!!!

by

Karthik