24794 Views | 15 Helpful | 5 Replies

Block ping to outside interface of ASA from internet

mitchen (Level 2)

We recently had a security audit of our network carried out.

One of the minor points raised was that ping responses were received from our firewall's public IP address (i.e. the outside interface) and this may allow an attacker to enumerate our network.

We've therefore been asked to turn off ping responses from our outside interface.

However, I can't find a way to prevent our outside interface from responding to ping requests sent from the internet. (I can successfully block ICMP requests going THROUGH the firewall.)

I have an access-list applied to the outside interface with "deny icmp any any" but the outside interface still responds to pings.

How can this be achieved?

2 Accepted Solutions

m.sir (Level 7)

You can't use ACLs for that; for allowing (denying) ICMP to the interface, use the icmp command in global configuration. (ICMP is permitted by default.)

icmp deny any outside

Check this for more info

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/i1_72.html#wp1631466

M.

Hope that helps; rate if it does.

suschoud (Cisco Employee)

If you want the ASA not to respond to any ICMP echo request coming from the internet, use:

ASA5510-Single(config)# icmp deny any echo-reply outside

This way, the ASA would still be able to ping any IP address on the internet.

If you use:

ASA5510-Single(config)# icmp deny any outside

the ASA would not be able to ping on the internet.

HTH,

Sushil

Cisco TAC


5 Replies


Thanks, that worked fine.

Hi Buddy,

I have tried the command icmp deny any echo-reply outside, but after that my complete internet went down. Is there any alternative way I can restrict ping from the internet?

wangxkc (Level 1)

The below command is correct.

icmp permit any echo-reply Outside
icmp permit any time-exceeded Outside
icmp permit any unreachable Outside

Refer to:

https://community.cisco.com/t5/network-security/block-ping-to-outside-interface-but-allow-ping-out-from-asa/td-p/2317192
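The thread turns on how the ASA evaluates its `icmp` control list rather than an ACL, and the replies above disagree about what each variant does to the ASA's own pings. The Python below is an added model written for this page, not Cisco code and not posted by anyone in the thread. It assumes the semantics described in the command reference linked earlier: an interface with no `icmp` entries accepts all ICMP terminating on it; once entries exist, the first match decides and anything unmatched hits an implicit deny. Interface names are normalised to `outside`, and the addresses 198.51.100.7 (an internet host) and 203.0.113.5 (a monitoring host) are constructed documentation-range values. It parses the exact command forms used in the thread and reports, for each configuration, whether the outside interface answers a ping from the internet and whether replies to the ASA's own pings still get in.

```python
"""Added model of how the ASA `icmp` control list is evaluated.

Constructed for this thread; it is not Cisco code. Assumed semantics (from the
command reference linked above): if an interface has no icmp entries, all ICMP
terminating at that interface is accepted; if it has entries, the first match
decides, and anything unmatched hits an implicit deny.
"""
from dataclasses import dataclass
from typing import List, Optional
import ipaddress


@dataclass(frozen=True)
class IcmpRule:
    action: str                    # "permit" or "deny"
    source: ipaddress.IPv4Network  # sender the entry applies to
    icmp_type: Optional[str]       # None means any ICMP type
    interface: str                 # nameif the packet terminates at


def parse_icmp_line(line: str) -> IcmpRule:
    """Parse `icmp {permit|deny} {any | host A | A MASK} [type] IFACE`.

    A leading CLI prompt such as `ASA(config)# ` (as pasted in the thread) is
    tolerated and stripped before parsing.
    """
    if "# " in line:
        line = line.split("# ", 1)[1]
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "icmp" or tokens[1] not in ("permit", "deny"):
        raise ValueError(f"not an icmp control entry: {line!r}")
    action, rest = tokens[1], tokens[2:]
    if rest[0] == "any":
        source, rest = ipaddress.IPv4Network("0.0.0.0/0"), rest[1:]
    elif rest[0] == "host":
        source, rest = ipaddress.IPv4Network(f"{rest[1]}/32"), rest[2:]
    else:  # address followed by a dotted netmask, e.g. 203.0.113.0 255.255.255.0
        source, rest = ipaddress.IPv4Network(f"{rest[0]}/{rest[1]}"), rest[2:]
    if len(rest) not in (1, 2):
        raise ValueError(f"unexpected trailing tokens in {line!r}")
    icmp_type = rest[0] if len(rest) == 2 else None
    return IcmpRule(action, source, icmp_type, rest[-1])


def icmp_accepted(rules: List[IcmpRule], interface: str, src_ip: str, icmp_type: str) -> bool:
    """Decide whether ICMP of `icmp_type` from `src_ip` that terminates at
    `interface` (the ASA itself is the destination) is accepted."""
    entries = [r for r in rules if r.interface == interface]
    if not entries:
        return True                      # no control list on this interface: all accepted
    src = ipaddress.IPv4Address(src_ip)
    for rule in entries:                 # first match wins
        if src in rule.source and rule.icmp_type in (None, icmp_type):
            return rule.action == "permit"
    return False                         # implicit deny once a list exists (assumed)


def outside_interface_behaviour(config_lines: List[str]) -> dict:
    """Summarise, for the outside interface, what a configuration does to an
    inbound echo from the internet and to the reply/unreachable messages the
    ASA needs for its own pings. 198.51.100.7 is a constructed internet host."""
    rules = [parse_icmp_line(line) for line in config_lines if line.strip()]
    internet_host = "198.51.100.7"
    return {
        "answers_ping_from_internet": icmp_accepted(rules, "outside", internet_host, "echo"),
        "gets_reply_to_own_ping": icmp_accepted(rules, "outside", internet_host, "echo-reply"),
        "gets_unreachable": icmp_accepted(rules, "outside", internet_host, "unreachable"),
    }


# The configurations discussed in the thread, plus one that also lets a
# constructed monitoring host (203.0.113.5) keep pinging the interface.
DENY_ALL = ["icmp deny any outside"]
DENY_ECHO_REPLY = ["ASA5510-Single(config)# icmp deny any echo-reply outside"]
PERMIT_NEEDED_TYPES = [
    "icmp permit any echo-reply outside",
    "icmp permit any time-exceeded outside",
    "icmp permit any unreachable outside",
]
PERMIT_MONITOR_THEN_DENY = [
    "icmp permit host 203.0.113.5 echo outside",
    *PERMIT_NEEDED_TYPES,
    "icmp deny any outside",  # explicit final deny: no longer relies on the implicit one
]

if __name__ == "__main__":
    for name, cfg in [("default (no entries)", []), ("deny any", DENY_ALL),
                      ("deny echo-reply", DENY_ECHO_REPLY),
                      ("permit needed types", PERMIT_NEEDED_TYPES),
                      ("permit monitor, then deny", PERMIT_MONITOR_THEN_DENY)]:
        print(f"{name:28} {outside_interface_behaviour(cfg)}")
```

Run as a script it prints one line per configuration. Under the assumed semantics, `deny any` stops the interface answering pings but also drops the echo-reply and unreachable messages the ASA needs for its own ping and path checks; `deny any echo-reply` leaves the implicit deny to block inbound echo while still losing the replies; the permit list from the last reply (with or without an explicit trailing deny) is the one that blocks inbound echo yet keeps the ASA's own ping working. Adding the final explicit deny makes the intent visible in `show running-config` and keeps the behaviour independent of the implicit default.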
