How to deny outside incoming ICMP to ASA 5520

Answered Question
Jun 22nd, 2010

I thought any incoming traffic from the outside interface of an ASA 5520 is denied by default. From home, I can ping the public IP.  Any explanation?

Our 5520 is connected via DSL router to the cloud. The DSL is allowing ICMP. I created an access rule to deny any ICMP from the DSL router. To no avail; I can still get a ping reply from the ASA.

Any help/suggestion is appreciated.

Del

Correct Answer
Federico Coto F... Tue, 06/22/2010 - 14:02

Hi,

By default all traffic from the outside to the inside is denied by default.

But this applies to pass-thru traffic through the ASA (not to traffic to the ASA itself).

What are you PINGing from the outside?

Federico.

Delfino Tiongco Wed, 06/23/2010 - 10:50

I am pinging from my home to the ASA.  There is a DSL router before the ASA and is allowing ping.

Correct Answer
Panos Kampanakis Tue, 06/22/2010 - 14:51

The ASA will respond to pings by default.

If you are pinging the ASA then use "icmp deny any " on the ASA and it will drop the pings to it.

I hope it helps.

PK

Delfino Tiongco Wed, 06/23/2010 - 10:52

PK

I did write the ACL and I can still ping from the outside. I even tried an ACL to deny ICMP from the DSL router/modem to the ASA. Ping still gets through.

Correct Answer
Panos Kampanakis Wed, 06/23/2010 - 11:15

I did not suggest an ACL.

I suggested the command  "icmp deny any " on the ASA.

That will do it.

Rate helpful posts.

PK
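
The difference between the interface ACL the original poster tried and the `icmp` command suggested in the answer, as an added configuration example that is not part of the thread. The interface name `outside`, the ACL name `OUTSIDE_IN` and the extra permit line for ICMP unreachables are assumptions.

```cisco
! Added example, not from the thread. Interface name "outside" and ACL name
! OUTSIDE_IN are assumed; substitute your own nameif and ACL names.

! --- What was tried: an interface ACL ---
! An ACL bound with access-group filters traffic passing THROUGH the ASA.
! It is not consulted for packets addressed to the ASA's own interface IP,
! so the outside address keeps answering echo requests.
access-list OUTSIDE_IN extended deny icmp any any
access-group OUTSIDE_IN in interface outside

! --- What the answer suggests: a to-the-box icmp rule ---
! icmp rules are matched in order, first match wins.
! Assumption: ICMP unreachable (type 3) is kept so that path MTU discovery
! toward the ASA keeps working; every other ICMP message sent to the
! outside interface address is then dropped.
icmp permit any unreachable outside
icmp deny any outside

! --- Check from privileged EXEC mode ---
! Lists the icmp rules now in the running configuration.
show running-config icmp
```

The interface ACL is still worth keeping if ICMP through the firewall should also be blocked; it just has no effect on pings aimed at the ASA itself.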
