Help with Application Inspection on ASA

Unanswered Question
May 29th, 2009

Hi All,

I have an ASA that has an OUTSIDE interface connected to the Internet, and an INSIDE interface connected to my LAN.

I enter the following commands on the ASA:

access-list 105 extended deny icmp any any
class-map ICMP
 match access-list 105
policy-map ICMP
 class ICMP
service-policy ICMP interface INSIDE

I thought that if I applied these commands, then the ICMP packets are going to be dropped, but that's not the case.

Are these commands doing anything on the ASA and can I drop packets by using CLASS-MAPS and POLICY-MAPS instead of using ACCESS-LISTS?

Thank you!


Kureli Sankar Fri, 05/29/2009 - 17:11
Cisco Employee

Those commands are not doing anything.

You need to permit the traffic in the access-list for it to be matched in the class-map, and then specify what you want done for those matched packets, like inspect icmp.

The best place to deny icmp is by applying an access-list IN on the inside interface and permitting everything else.


access-list inside-acl deny icmp any any
access-list inside-acl permit ip any any
access-group inside-acl in int inside

I hope this helps.
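
A config audit for the two problems the answer above names (a class-map ACL with no permit entry, and a policy-map class with no action), written as an added example that is not part of the original thread or any Cisco tool. The function name `audit_mpf` and the embedded sample are constructed here, and the parser assumes only the command forms shown in this thread.

```python
import re

# Constructed sample: the configuration posted in the question above.
SAMPLE = """\
access-list 105 extended deny icmp any any
class-map ICMP
 match access-list 105
policy-map ICMP
 class ICMP
service-policy ICMP interface INSIDE
"""

def audit_mpf(config):
    """Return findings for policy-map classes that can never act on traffic."""
    acl_actions = {}    # ACL name -> set of ACE actions seen (permit/deny)
    class_acl = {}      # class-map name -> ACL it matches on
    class_actions = {}  # (policy-map, class) -> action lines under that class
    cmap = pmap = pclass = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():  # a top-level command ends any sub-mode
            cmap = pmap = pclass = None
        m = re.match(r"access-list (\S+) (?:extended )?(permit|deny)\b", line)
        if m:
            acl_actions.setdefault(m.group(1), set()).add(m.group(2))
        elif line.startswith("class-map "):
            cmap = line.split()[-1]
        elif line.startswith("policy-map "):
            pmap = line.split()[-1]
        elif cmap and line.startswith("match access-list "):
            class_acl[cmap] = line.split()[-1]
        elif pmap and line.startswith("class "):
            pclass = (pmap, line.split()[-1])
            class_actions[pclass] = []
        elif pmap and pclass:
            class_actions[pclass].append(line)
    findings = []
    for (pm, cls), actions in class_actions.items():
        acl = class_acl.get(cls)
        if acl and "permit" not in acl_actions.get(acl, set()):
            findings.append(f"class-map {cls}: access-list {acl} has no permit entry, so nothing is matched")
        if not actions:
            findings.append(f"policy-map {pm} class {cls}: no action configured (e.g. inspect icmp)")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_mpf(SAMPLE)))
```

Run against the question's configuration it reports both findings; with a permit entry in access-list 105 and `inspect icmp` under the class it reports none.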

fedecotof Sat, 05/30/2009 - 09:42

Great, thank you!

What if I want to permit ICMP PING packets but only of a certain size?

Can I accomplish that with the CLASS-MAPS and POLICY-MAPS?

Thank you!

