05-26-2008 07:12 AM - edited 03-11-2019 05:49 AM
We recently had a security audit of our network carried out.
One of the minor points raised was that ping responses were received from our firewall's public IP address (i.e. the outside interface) and this may allow an attacker to enumerate our network.
We've therefore been asked to turn off ping responses from our outside interface.
However, I can't find a way to prevent our outside interface from responding to ping requests sent from the internet. (I can successfully block ICMP requests going THROUGH the firewall.)
I have an access-list applied to the outside interface with "deny icmp any any" but the outside interface still responds to pings.
How can this be achieved?
05-26-2008 07:44 AM
You can't use ACLs for that; to allow (or deny) ICMP to the interface itself, use the icmp command in global configuration. (ICMP is permitted by default.)
icmp deny any outside
Check this for more info
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/i1_72.html#wp1631466
M.
Hope that helps; rate if it does.
05-26-2008 10:56 AM
If you want the ASA not to respond to any ICMP echo request coming from the internet, use:
ASA5510-Single(config)# icmp deny any echo-reply outside
This way, the ASA would still be able to ping any IP address on the internet.
If you use:
ASA5510-Single(config)# icmp deny any outside
the ASA would not be able to ping on the internet.
HTH,
Sushil
Cisco TAC
05-28-2008 01:33 AM
Thanks, that worked fine.
07-21-2022 06:18 AM
Hi Buddy,
I have tried the command icmp deny any echo-reply outside, but after that my complete internet went down. Is there any alternative way I can restrict ping from the internet?
10-24-2022 12:56 AM
The commands below are correct.
icmp permit any echo-reply Outside
icmp permit any time-exceeded Outside
icmp permit any unreachable Outside
refer to:
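As an added illustration, not code from this thread or from Cisco, the following Python model shows how the ASA's icmp rules decide whether an ICMP message addressed to the outside interface is accepted. It assumes the documented behaviour of the icmp command: rules are matched top-down, an interface with no icmp rules accepts all ICMP sent to it, and once any rule exists for an interface an implicit deny covers everything that matches no explicit rule. The sample source address is constructed. Run against the three configurations quoted in the thread, it shows which of them stop the interface answering pings from the internet while still accepting the echo replies the ASA needs for its own pings.

```python
"""Model of how a Cisco ASA evaluates `icmp` rules for traffic addressed
to one of its own interfaces (the to-the-box case from this thread).

Modelling assumptions (documented ASA behaviour, restated here; this is
an illustration, not the ASA's code):
  * rules are evaluated top-down and the first match decides;
  * an interface with no `icmp` rules accepts all ICMP sent to it;
  * once at least one rule exists for an interface, ICMP that matches no
    explicit rule is dropped (implicit deny at the end of the list).
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class IcmpRule:
    action: str                               # "permit" or "deny"
    source: Optional[ipaddress.IPv4Network]   # None means "any"
    icmp_type: Optional[str]                  # None means any ICMP type
    interface: str                            # nameif, compared as written


def parse_icmp_rule(line: str) -> IcmpRule:
    """Parse `icmp {permit|deny} {any|host A|A MASK} [type] <interface>`."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "icmp" or tokens[1] not in ("permit", "deny"):
        raise ValueError(f"not an icmp rule: {line!r}")
    action, rest, interface = tokens[1], tokens[2:-1], tokens[-1]
    if rest[0] == "any":
        source, rest = None, rest[1:]
    elif rest[0] == "host":
        source, rest = ipaddress.ip_network(f"{rest[1]}/32"), rest[2:]
    else:
        # dotted address followed by dotted mask, e.g. 203.0.113.0 255.255.255.0
        source, rest = ipaddress.ip_network(f"{rest[0]}/{rest[1]}", strict=False), rest[2:]
    if len(rest) > 1:
        raise ValueError(f"unexpected tokens in {line!r}")
    return IcmpRule(action, source, rest[0] if rest else None, interface)


def is_accepted(rules: List[IcmpRule], interface: str, src: str, icmp_type: str) -> bool:
    """Would the ASA accept this ICMP message addressed to `interface`?"""
    relevant = [r for r in rules if r.interface == interface]
    if not relevant:
        return True  # no rules on this interface: all ICMP to it is accepted
    src_ip = ipaddress.ip_address(src)
    for rule in relevant:
        if rule.icmp_type is not None and rule.icmp_type != icmp_type:
            continue
        if rule.source is not None and src_ip not in rule.source:
            continue
        return rule.action == "permit"   # first match decides
    return False  # implicit deny once any rule exists on the interface


def evaluate(config_lines: List[str], interface: str) -> Dict[str, bool]:
    """Summarise what a configuration means for the questions raised in the thread."""
    rules = [parse_icmp_rule(line) for line in config_lines]
    internet_host = "198.51.100.7"   # constructed sample address (RFC 5737 range)
    return {
        # an echo request from the internet: does the interface answer the ping?
        "answers_ping_from_internet": is_accepted(rules, interface, internet_host, "echo"),
        # the reply to a ping the ASA itself sent: can the ASA still ping out?
        "asa_can_ping_out": is_accepted(rules, interface, internet_host, "echo-reply"),
        # messages needed for traceroute replies and path-MTU discovery
        "accepts_time_exceeded": is_accepted(rules, interface, internet_host, "time-exceeded"),
        "accepts_unreachable": is_accepted(rules, interface, internet_host, "unreachable"),
    }


# The configurations discussed in the thread (interface names as each post wrote them)
DEFAULT_CONFIG: List[str] = []
DENY_ALL = ["icmp deny any outside"]
DENY_ECHO_REPLY = ["icmp deny any echo-reply outside"]
PERMIT_REPLIES_ONLY = [
    "icmp permit any echo-reply Outside",
    "icmp permit any time-exceeded Outside",
    "icmp permit any unreachable Outside",
]

if __name__ == "__main__":
    for name, cfg, ifc in [
        ("default (no icmp rules)", DEFAULT_CONFIG, "outside"),
        ("icmp deny any outside", DENY_ALL, "outside"),
        ("icmp deny any echo-reply outside", DENY_ECHO_REPLY, "outside"),
        ("permit echo-reply/time-exceeded/unreachable", PERMIT_REPLIES_ONLY, "Outside"),
    ]:
        print(f"{name}: {evaluate(cfg, ifc)}")
```

In the model the single rule icmp deny any echo-reply outside denies echo replies explicitly and, through the implicit deny that appears as soon as one rule exists, denies inbound echo requests as well, so the interface neither answers pings nor receives the replies to its own. The three permit lines leave echo requests to fall through to the implicit deny while echo-reply, time-exceeded and unreachable are still accepted, which is the combination that stops the interface answering pings without breaking the ASA's own ping and traceroute.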