Pings thru ASA/PIX 7.x

Answered Question
Apr 19th, 2008

Got one more question relating to ICMP: with ICMP inspection enabled, when pinging from an outside host to an inside host or from an inside host to an outside host, is it required to explicitly permit the return ICMP traffic?

Correct Answer by JORGE RODRIGUEZ about 8 years 6 months ago

Absolutely, with ICMP inspect, even if you have an ACL permitting ICMP, it will pass through the ICMP inspection engine. This also applies in transparent mode or multiple context 7.x. The guideline is to use the ICMP inspection engine.

Overall Rating: 5 (2 ratings)
JORGE RODRIGUEZ Sat, 04/19/2008 - 03:36

Vikram, please refer to this link to learn how inbound and outbound ICMP requests work for both PIX code 6.x and ASA 7.x.

To ping a host inside your net from outside, you have to permit echoes; this assumes there is a static NAT for the intended inside host to be pinged.

To ping from inside to outside, there are two ways to do it.

Quote from link!

Either build an ACL

access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-group 101 in interface outside

policy-map global_policy
 class inspection_default
  inspect icmp

vikram_anumukonda Sat, 04/19/2008 - 04:01

This link specifically refers to pinging an outside host from inside.

As you have mentioned, with echoes allowed on the outside interface in the inward direction and ICMP inspection turned on, will the echo-reply from the inside host pass through the inspection engine or the ACL on the inside interface in the inward direction?

Hope you got my question. Will this be any different in transparent firewalls?
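
Added example (not part of the thread and not Cisco's code): a simplified Python model contrasting the two options quoted above, the stateless ACL 101 and ICMP inspection, for echo replies arriving on the outside interface. The addresses, ICMP identifiers and all class and function names are constructed for illustration, and the model assumes the inspection engine matches each reply to an outstanding echo request and allows one reply per request.

```python
from dataclasses import dataclass

# ICMP type numbers (RFC 792)
ECHO_REPLY, UNREACHABLE, SOURCE_QUENCH, ECHO, TIME_EXCEEDED = 0, 3, 4, 8, 11

@dataclass(frozen=True)
class Icmp:
    src: str
    dst: str
    icmp_type: int
    ident: int = 0
    seq: int = 0

# Option 1 in the thread: ACL 101 inbound on outside, matching on ICMP type only.
ACL_101_TYPES = {ECHO_REPLY, SOURCE_QUENCH, UNREACHABLE, TIME_EXCEEDED}

def acl_permits(pkt):
    """Stateless check: any packet of a listed type passes, solicited or not."""
    return pkt.icmp_type in ACL_101_TYPES

class IcmpInspector:
    """Hypothetical model of stateful echo tracking; covers echo/echo-reply only."""
    def __init__(self):
        self.pending = set()  # (inside, outside, ident, seq) of open requests

    def outbound(self, pkt):
        if pkt.icmp_type == ECHO:
            self.pending.add((pkt.src, pkt.dst, pkt.ident, pkt.seq))

    def inbound_permits(self, pkt):
        if pkt.icmp_type != ECHO_REPLY:
            return False  # ICMP error messages are outside this model
        key = (pkt.dst, pkt.src, pkt.ident, pkt.seq)
        if key in self.pending:
            self.pending.remove(key)  # one reply per request
            return True
        return False

def demo():
    fw = IcmpInspector()
    # Constructed sample traffic: inside host pings an outside host.
    fw.outbound(Icmp("10.1.1.5", "198.51.100.7", ECHO, ident=0x1234, seq=1))
    solicited = Icmp("198.51.100.7", "10.1.1.5", ECHO_REPLY, ident=0x1234, seq=1)
    unsolicited = Icmp("203.0.113.9", "10.1.1.5", ECHO_REPLY, ident=0x9999, seq=1)
    return {
        "acl_solicited": acl_permits(solicited),
        "acl_unsolicited": acl_permits(unsolicited),
        "inspect_solicited": fw.inbound_permits(solicited),
        "inspect_duplicate": fw.inbound_permits(solicited),
        "inspect_unsolicited": fw.inbound_permits(unsolicited),
    }
```

The ACL admits the unsolicited echo-reply because it matches on type alone, while the inspection model admits only the first reply that corresponds to a tracked request.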

