
ASA's outside interface can be "pinged", should it be?

whiteford
Level 1

Hi, from the Internet I can ping our ASA's outside interface. Should it be like this? If not, how can I stop it?

5 Replies

abinjola
Cisco Employee

Yes, by default it's allowed.

Add this to block it:

ASA5510-Single(config)# icmp deny any echo outside

Does it matter if it's "pingable" or should it be locked down?

I only use the ASDM and added the rule at the top of the list as a deny, and I could still ping the outside interface?

Well, sometimes you might need to allow pings to the outside interface for troubleshooting purposes, so there is no harm in allowing echo requests to the outside interface. Moreover, if your ICMP has configured rate limiting on ICMPs then you don't need to worry about the flood hitting the ASA.

In ASDM you might have added a rule in the ACL to deny this, but this isn't transiting traffic, so the ACL does not work for this.

How do I configure rate limiting on ICMP?

Andy, you may want to try icmp deny any outside

Jorge Rodriguez
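
An audit check for the behaviour discussed in this thread, added here as an example and not posted by anyone in the thread: it reads a saved ASA configuration and reports whether ICMP addressed to the interface itself is accepted. It models `icmp` rules as first match in order, with an implicit deny once any `icmp` rule exists for that interface; the function names, sample configs and the source address are constructed for illustration.

```python
import ipaddress

# Constructed sample configs. The two icmp lines are the commands from the thread.
NO_RULES = "interface Ethernet0/0\n nameif outside\n"
DENY_ECHO = "icmp deny any echo outside\n"
DENY_ALL = "icmp deny any outside\n"
ACL_ONLY = "access-list outside_access_in extended deny icmp any any echo\n"


def parse_icmp_rules(config, ifname):
    """Return ordered (action, network, icmp_type) tuples for icmp rules on ifname."""
    rules = []
    for line in config.splitlines():
        tok = line.split()
        # Only "icmp permit|deny ..." lines govern ICMP sent to the box itself;
        # access-list lines apply to traffic passing through and are skipped.
        if len(tok) < 4 or tok[0] != "icmp" or tok[1] not in ("permit", "deny"):
            continue
        if tok[-1] != ifname:
            continue
        action, rest = tok[1], tok[2:-1]
        if rest[0] == "any":
            net, rest = ipaddress.ip_network("0.0.0.0/0"), rest[1:]
        elif rest[0] == "host":
            net, rest = ipaddress.ip_network(rest[1] + "/32"), rest[2:]
        else:  # "<address> <mask>" form
            net, rest = ipaddress.ip_network(f"{rest[0]}/{rest[1]}"), rest[2:]
        # No type keyword after the source means the rule covers every ICMP type.
        rules.append((action, net, rest[0] if rest else None))
    return rules


def icmp_allowed(config, ifname, src, icmp_type):
    """True if ICMP of icmp_type from src to the ifname interface is accepted."""
    rules = parse_icmp_rules(config, ifname)
    if not rules:
        return True  # no icmp rules on the interface: default is to accept
    for action, net, rule_type in rules:
        if ipaddress.ip_address(src) in net and rule_type in (None, icmp_type):
            return action == "permit"  # first matching rule decides
    return False  # implicit deny after the last rule


if __name__ == "__main__":
    for name, cfg in [("no rules", NO_RULES), ("ACL only", ACL_ONLY),
                      ("deny echo", DENY_ECHO), ("deny all", DENY_ALL)]:
        print(name, {t: icmp_allowed(cfg, "outside", "198.51.100.7", t)
                     for t in ("echo", "unreachable")})
```

The "deny echo" result shows that a single deny line also drops unreachable messages to the interface, which affects path MTU discovery unless a later `icmp permit` rule re-allows them.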