We recently had a security audit of our network carried out.
One of the minor points raised was that ping responses were received from our firewall's public IP address (i.e. the outside interface) and this may allow an attacker to enumerate our network.
We've therefore been asked to turn off ping responses from our outside interface.
However, I can't find a way to prevent our outside interface from responding to ping requests sent from the internet. (I can successfully block ICMP requests going THROUGH the firewall.)
I have an access-list applied to the outside interface with "deny icmp any any" but the outside interface still responds to pings.
How can this be achieved?
If you want the ASA not to respond to any ICMP echo request coming from the internet, use:
ASA5510-Single(config)# icmp deny any echo-reply outside
This way, the ASA would still be able to ping any IP address on the internet.
If you use:
ASA5510-Single(config)# icmp deny any outside
the ASA would not be able to ping on the internet.
You can't use ACLs for that; to allow (or deny) ICMP to the interface itself, use the icmp command in global configuration. (ICMP to the interface is permitted by default.)
icmp deny any outside
Check this for more info
Hope that helps; rate if it does.
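Both answers above rely on the ASA's interface-level icmp rules rather than an interface ACL, because an ACL only filters traffic passing through the firewall while the icmp command filters ICMP that terminates on the interface. The fragment below is an added example (not posted by anyone in this thread) showing a middle ground between the two answers: echo requests to the outside interface are dropped, but the reply, unreachable and time-exceeded messages the ASA itself needs are still accepted. It assumes the interface is named "outside" and that, once any icmp rule exists for an interface, the ASA evaluates the rules first-match with an implicit deny at the end, which is why the permit lines are spelled out explicitly.

```cisco
! Added example configuration (not from the original thread).
! Stop the outside interface answering pings from the internet,
! but keep the ICMP messages the ASA needs for its own traffic.
icmp deny any echo outside
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside

! Verify the rules are present and in the intended order.
show running-config icmp
```

After applying this, ping the public address from a host outside the firewall: the request should time out, while a ping from the ASA itself (ping <external address>) should still succeed. If you want the stricter behaviour from the second answer, replace the four rules with the single line icmp deny any outside, accepting that the ASA's own outbound pings will then fail.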