08-16-2007 12:48 PM - edited 03-09-2019 06:37 PM
If ip any any is configured on an ACL, does it require a separate ACL with icmp any any?
08-16-2007 12:57 PM
Hi
No, it doesn't, as ip will include icmp.
HTH
Jon
08-16-2007 05:49 PM
It depends on what you're talking about, as in what kind of device. With PIX/ASA you have to explicitly allow icmp. And even more specifically, in PIX/ASA, you have to allow echo and echo-reply for pings in/out. Or in 7.x, enable icmp inspection.
08-16-2007 05:55 PM
Hi Steven
If you allow ip it will include icmp, at least in PIX v6.x. I haven't got an ASA device handy to test, but I believe it's the same unless it has radically changed with v7.x.
To ping the actual interfaces of the pix/ASA you need to explicitly permit icmp.
Jon
08-16-2007 06:50 PM
Things have changed with 7.x, PIX and ASA. For example, for an inside host to successfully ping an outside host, you have to explicitly have 'permit icmp any any echo-reply' (or something like that) to allow the reply back in. To ping from an outside host to inside, you have to 'permit icmp any any echo' on the inbound ACL, and permit echo-replies for any egress ACLs. You could also enable icmp inspection, which will treat all icmp connections as two way, versus the default of one way (hence the extraneous ACL configs).
Pinging a PIX/ASA interface in 7.x is enabled by default, but you can further manipulate this using the 'icmp' command.
...and don't even get me started with allowing traceroutes through the PIX/ASA. (:
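The configurations the two replies above describe, side by side, as an added example that is not quoted from any post in this thread. The ACL and interface names (OUTSIDE_IN, outside, global_policy) are placeholders; in a real deployment the "any any" sources and destinations would be narrowed to the address ranges that actually need to ping.

```cisco
! Added example, not from the thread. ACL/interface names are placeholders.

! --- Cisco IOS router: "ip" is the superset protocol, so this single entry
! already matches ICMP (as well as TCP, UDP, ...). A separate
! "permit icmp any any" adds nothing.
ip access-list extended OUTSIDE_IN
 permit ip any any

! --- PIX/ASA 7.x WITHOUT icmp inspection: ICMP is not tracked as a two-way
! connection, so the echo-reply returning from the outside host must be
! permitted explicitly on the inbound ACL of the interface it arrives on.
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-group OUTSIDE_IN in interface outside

! --- PIX/ASA 7.x WITH icmp inspection: echo and its echo-reply are matched
! as one connection, so the explicit echo-reply entry above is no longer
! needed for replies to pings that the firewall already saw leave.
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global

! --- Pings addressed to the firewall's own interface are governed by the
! "icmp" command, independently of the interface ACLs.
icmp permit any echo outside
```

The security-relevant point is the difference between the two ASA variants: without inspection, the echo-reply permit is a stateless hole that admits any ICMP echo-reply from outside whether or not a matching echo was ever sent; with inspection enabled, replies are only accepted for requests the firewall actually tracked.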
08-16-2007 07:46 PM
Steven
Thanks for this. I really need to get more time with v7.x, especially as there is now a v8.x! Most of our stuff is still running 6.x or FWSM v2.x.
Much appreciated - posting rated
Jon
08-17-2007 04:38 AM
Rock the vote....
Thanks Jon!