Block ping to outside interface of ASA from internet

Answered Question
May 26th, 2008

We recently had a security audit of our network carried out.


One of the minor points raised was that ping responses were received from our firewall's public IP address (i.e. the outside interface) and this may allow an attacker to enumerate our network.


We've therefore been asked to turn off ping responses from our outside interface.


However, I can't find a way to prevent our outside interface from responding to ping requests sent from the internet. (I can successfully block ICMP requests going THROUGH the firewall.)


I have an access-list applied to the outside interface with "deny icmp any any" but the outside interface still responds to pings.


How can this be achieved?




Correct Answer by suschoud about 9 years 1 month ago

If you want the ASA not to respond to any ICMP echo request coming from the internet, use:



ASA5510-Single(config)# icmp deny any echo-reply outside


This way, the ASA would still be able to ping any IP address on the internet.


If you use:



ASA5510-Single(config)# icmp deny any outside



the ASA would not be able to ping on the internet.



HTH,

Sushil

Cisco TAC

Correct Answer by m.sir about 9 years 1 month ago

You can't use ACLs for that; for allowing (or denying) ICMP to the interface, use the icmp command in global configuration. (ICMP is permitted by default.)


icmp deny any outside


Check this for more info

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/i1_72.html#wp1631466

M.

Hope that helps; rate if it does.
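To make the distinction drawn in both answers concrete, here is an added configuration example (my own, not posted by anyone in this thread): it shows the interface ACL that governs ICMP passing through the ASA next to the icmp command that governs ICMP terminating on the ASA's own interface address, which is why the poster's ACL had no effect on the outside interface answering pings. It assumes an interface named outside, a hypothetical ACL name OUTSIDE_IN, a constructed sample host address in the 203.0.113.0/24 documentation range, and the ICMP type keywords (echo, echo-reply, unreachable, time-exceeded) documented in the command reference linked above.

```cisco
! Added example, not from the original thread. Assumptions: nameif "outside",
! hypothetical ACL name OUTSIDE_IN, constructed sample host 203.0.113.10.

! 1. Through-the-box ICMP is controlled by the interface access list.
!    This is what the poster already had, and it does not affect ICMP
!    addressed to the ASA's own outside interface address.
access-list OUTSIDE_IN extended deny icmp any any
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-group OUTSIDE_IN in interface outside

! 2. To-the-box ICMP (terminating on the interface) is controlled by the
!    icmp command in global configuration. Rules are matched in order,
!    first match wins; confirm the no-match behaviour for your version in
!    the linked command reference before relying on it.
!    ICMP type keywords: "echo" is type 8, the inbound ping request;
!    "echo-reply" is type 0, the reply direction.
icmp deny any echo outside
! Keep receiving unreachable and time-exceeded on the outside interface so
! path-MTU discovery and the ASA's own traceroute still work; the blanket
! "icmp deny any outside" form from the thread drops these as well.
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp permit any echo-reply outside

! 3. Verify what is actually configured for the interface.
show running-config icmp
```

After applying this, test from a host on the internet side: a ping to the outside interface address should time out, while an ICMP type you still permit (for example a traceroute run from the ASA itself, which relies on time-exceeded coming back) continues to work. If the audit only requires that the interface stop answering echo requests, the per-type deny is the narrower change; the blanket deny from the thread also satisfies the finding but at the cost of all ICMP to that interface.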
