ICMP being allowed through??

Answered Question
Nov 6th, 2008

I can't understand this one. I have a netopia router in front of an ASA. The ASA is getting an address from the provider for the time being, but I can ping that address. In my logs I see where the icmp connection is being built and torn down on the ASA, but it's from a different ip than mine. Is it possible that I'm hitting the netopia router and it's responding for the ASA?



Jon Marshall Thu, 11/06/2008 - 13:19


Could you provide a bit of addressing - it doesn't have to be the real addressing, just use any addressing to give an example. Is it

LAN -> ASA -> Netopia router

If so could you provide addressing for interfaces and also where you are pinging from.

What do you mean when you say the ASA is getting an address from the provider - do you mean DHCP?


John Blakley Thu, 11/06/2008 - 13:33

It's a pppoe account that's assigned an address. The current layout is

LAN --> ASA --> Netopia --> Cloud

The ASA public is

The Netopia is supposedly in bridging mode.

From my box (outside of their network), I can ping In the logs I see:

%ASA-6-302020: Built inbound ICMP connection for faddr (my public)/37737 gaddr laddr

This makes NO sense. I don't have ACLs that are allowing the traffic through, and I was always under the assumption that the public side always dropped any traffic unless explicitly permitted.



Jon Marshall Thu, 11/06/2008 - 13:42


Sorry, it's been a long day so I may be a bit slow! You are pinging from another public IP address, nothing to do with the LAN behind the ASA?

If so an acl on the outside interface of the ASA does not control whether you can ping the outside interface but whether ICMP is allowed through.

Look in the ASA config to see if there is a line

icmp permit any outside

Again, apologies if I am still not understanding.


John Blakley Thu, 11/06/2008 - 13:46

It's understandable...it has been a LONG day :-)

I'm pinging from one public to another public (outside interface on ASA). There's no icmp lines on there, and to verify I did the following:

access-list TEST deny icmp any any

access-list TEST permit ip any any

access-group TEST in interface outside

I can still ping with no hits on the acl. I believe the Netopia is answering for the request.


Jon Marshall Thu, 11/06/2008 - 13:59

Okay, I need some sleep :-)

"I'm pinging from one public to another public (outside interface of ASA)" - yes, but where, from a topology point of view, is the other public IP, i.e. the public IP that is not the outside interface of the ASA?


John Blakley Thu, 11/06/2008 - 14:05

It's in another state :o)

It connects to us through easyvpn. I thought that was the problem, so I remoted into one of my laptops at my house, and I could ping it from there too. The ASA is just another device out on the internet. Does that help? It really makes no sense, and it's frustrating me. :-) I don't get frustrated easily.... LOL


Correct Answer
Jon Marshall Thu, 11/06/2008 - 14:05

Let's use a bit of inverse logic. On your ASA

asa(config)# icmp deny any outside


John Blakley Thu, 11/06/2008 - 14:08

LOL! That worked :-) Now, why won't my acl block it?? It wasn't even touching my acl.

Jon Marshall Thu, 11/06/2008 - 14:11


Think we have both had it today.

Your acl has no effect on ICMP traffic going to an interface on the ASA. An acl only affects ICMP traffic (and all other traffic) going through the ASA from one side to another.

Default must be to allow icmp to all interfaces, but it didn't use to be.
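The distinction Jon draws between ICMP aimed at the ASA's own interface and ICMP transiting it also shows up in the %ASA-6-302020 messages John quoted: a connection whose laddr is the outside interface address itself is a to-the-box ping that no interface ACL will ever match. The parser below is an added example, not code from the thread; it assumes the older 302020 syntax without type/code fields and uses constructed RFC 5737 sample addresses.

```python
import re
from dataclasses import dataclass

# Older %ASA-6-302020 syntax (no "type/code" fields), as quoted in the thread:
#   Built inbound ICMP connection for faddr A/ID gaddr B/0 laddr C/0
LOG_RE = re.compile(
    r"%ASA-6-302020: Built (?P<dir>inbound|outbound) ICMP connection for "
    r"faddr (?P<faddr>[\d.]+)/(?P<icmp_id>\d+) "
    r"gaddr (?P<gaddr>[\d.]+)/\d+ laddr (?P<laddr>[\d.]+)/\d+"
)

@dataclass
class IcmpConn:
    direction: str
    faddr: str      # foreign (remote) address
    icmp_id: int    # ICMP identifier, logged where a port number would be
    gaddr: str      # global (translated) address
    laddr: str      # local (real) address the echo request actually reached
    to_the_box: bool

def parse_302020(line, interface_addrs):
    """Parse one 302020 line; returns None for any other message ID."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return IcmpConn(m["dir"], m["faddr"], int(m["icmp_id"]), m["gaddr"],
                    m["laddr"], m["laddr"] in interface_addrs)

def classify(lines, interface_addrs):
    """Split ICMP connections into those aimed at the ASA itself and those
    transiting it. Only the second group is subject to interface ACLs;
    the first is governed by the 'icmp permit/deny' interface commands."""
    result = {"to_the_box": [], "through_the_box": []}
    for line in lines:
        conn = parse_302020(line, interface_addrs)
        if conn is None:
            continue
        result["to_the_box" if conn.to_the_box else "through_the_box"].append(conn)
    return result

# Constructed sample log; 203.0.113.10 stands in for the ASA outside interface.
SAMPLE_LOG = [
    "%ASA-6-302020: Built inbound ICMP connection for faddr 198.51.100.25/37737 gaddr 203.0.113.10/0 laddr 203.0.113.10/0",
    "%ASA-6-302021: Teardown ICMP connection for faddr 198.51.100.25/37737 gaddr 203.0.113.10/0 laddr 203.0.113.10/0",
    "%ASA-6-302020: Built inbound ICMP connection for faddr 198.51.100.77/5120 gaddr 203.0.113.11/0 laddr 10.0.0.5/0",
]
OUTSIDE_IF = {"203.0.113.10"}

if __name__ == "__main__":
    for kind, conns in classify(SAMPLE_LOG, OUTSIDE_IF).items():
        print(kind, [(c.faddr, c.laddr) for c in conns])
```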


