ASA's outside interface can be "pinged" should it be?

Feb 21st, 2008

Hi, from the Internet I can ping our ASA's outside interface. Should it be like this? If not, how can I stop it?

abinjola Thu, 02/21/2008 - 07:40

Yes, by default it's allowed.

Add this to block it:

ASA5510-Single(config)# icmp deny any echo outside

whiteford Thu, 02/21/2008 - 08:48

Does it matter if it's "pingable" or should it be locked down?

I only use the ASDM and added the rule at the top of the list as a deny and I could still ping the outside interface?

abinjola Thu, 02/21/2008 - 08:59

Well, sometimes you might need to allow pings to the outside interface for troubleshooting. There is no harm in allowing echo requests to the outside interface; moreover, if your ICMP has configured rate limiting on ICMPs then you don't need to worry about the flood hitting the ASA.

In ASDM you might have added a rule in the ACL to deny this, but this isn't transiting traffic, so the ACL does not work for this.
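
An added configuration example, not part of the original thread, showing the to-the-box ICMP rules discussed above in a fuller form. The management host 192.0.2.10 is a placeholder assumption; the interface name outside is taken from the thread.

```cisco
! ICMP addressed to the ASA's own outside interface (to-the-box traffic)
! is controlled with the "icmp" command, not with an interface ACL.
! Entries are evaluated first match. Once any icmp entry exists for an
! interface, ICMP that matches none of them is dropped by an implicit deny.
!
! 192.0.2.10 is a placeholder management host (assumption); it must be
! listed before the deny so it can still ping for troubleshooting.
icmp permit host 192.0.2.10 echo outside
icmp deny any echo outside
!
! Keep unreachable (type 3) so path MTU discovery keeps working, and keep
! replies to pings and traceroutes sourced from the ASA itself.
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp permit any echo-reply outside
!
! An ACL bound with access-group (what an ASDM access rule creates) filters
! traffic passing through the ASA, so a deny there leaves the interface
! itself pingable.
!
! Check the resulting list:
show running-config icmp
```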

