Why can the command "icmp permit any echo-reply inside" block ping?

eigrpy
Level 4

Hi, the ASA allows pinging its interface by default. I notice that icmp permit any echo-reply inside can block ping from inside. Can anyone explain the command for me? Thank you

 

Accepted Solution

Hi,

It's all to do with where you are pinging from. With regard to the ASA, as it is a firewall, you want to control responses.

Looking at it from the ASA point of view:

The icmp permit any echo inside command allows devices on the inside network to ping the ASA, and the ASA will reply. But it will not allow the ASA to ping the inside devices, as we are not allowing echo-replies, so when you ping an inside device from the ASA the reply is dropped.

That's why you need the icmp permit any echo-reply inside command; that will allow the reply to the ping from the ASA to the inside device to be received by the ASA.

 

Perhaps a look at the outside interface would be better. On the ASA's public interface you don't want it to respond to pings from the Internet, but you might want to ping the Internet from the ASA, so in this case you would just have the icmp permit any echo-reply outside command,

so the ASA would allow replies to its own pings to devices on the Internet, but would not allow Internet devices to ping the ASA.

HTH

Richard.
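As an added illustration (not from this thread or from Cisco), a small Python model of the per-interface ICMP policy Richard describes. It assumes the documented ASA behaviour that an interface with no icmp entries accepts all ICMP addressed to it, while an interface with one or more entries is evaluated first-match with an implicit deny at the end; the command parser, class names and helper functions are my own.

```python
# Model of how an ASA applies "icmp {permit|deny} any [type] <interface>"
# to ICMP that terminates on one of its own interfaces.
# Assumption (documented ASA behaviour, not stated in the thread):
#   no entries on an interface  -> all ICMP to that interface is accepted
#   any entry on an interface   -> first match wins, implicit deny at the end
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class IcmpRule:
    action: str                 # "permit" or "deny"
    icmp_type: Optional[str]    # "echo", "echo-reply", ... or None = any type


@dataclass
class Asa:
    policy: Dict[str, List[IcmpRule]] = field(default_factory=dict)

    def icmp(self, line: str) -> None:
        """Accept 'icmp permit any [type] <iface>' or 'icmp deny any [type] <iface>'."""
        parts = line.split()
        if len(parts) not in (4, 5) or parts[0] != "icmp" or parts[2] != "any":
            raise ValueError(f"unsupported ICMP command: {line!r}")
        action, iface = parts[1], parts[-1]
        icmp_type = parts[3] if len(parts) == 5 else None
        self.policy.setdefault(iface, []).append(IcmpRule(action, icmp_type))

    def accepts(self, iface: str, icmp_type: str) -> bool:
        """Does ICMP of this type, addressed to the ASA on iface, get through?"""
        rules = self.policy.get(iface, [])
        if not rules:
            return True         # default: interface answers all ICMP
        for rule in rules:
            if rule.icmp_type in (None, icmp_type):
                return rule.action == "permit"
        return False            # implicit deny once any entry exists


def host_can_ping_asa(asa: Asa, iface: str) -> bool:
    # A host's echo arrives on the interface and is subject to the policy;
    # the ASA's own echo-reply is locally generated, so it is not filtered.
    return asa.accepts(iface, "echo")


def asa_can_ping_host(asa: Asa, iface: str) -> bool:
    # The ASA's echo leaves freely; the host's echo-reply comes back to the
    # interface and is subject to the policy, which is what drops it when
    # only "echo" is permitted.
    return asa.accepts(iface, "echo-reply")
```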

 


4 Replies

Hi,

The icmp permit any echo-reply inside command allows replies from the inside network to pings from the ASA.

To allow pings from inside to the ASA you need icmp permit any echo inside.

 

To allow pings both ways you need both the commands.

Thank you so much for your reply. If we just use the command icmp permit any echo inside, the inside network can ping the ASA, but if we just use the command icmp permit any echo-reply inside, the inside network cannot ping the ASA. So the command icmp permit any echo inside can already control the ICMP; why do we need the second command icmp permit any echo-reply inside?

 

" The  icmp permit any echo-reply inside allows replies from the inside network to pings from the ASA

to allow pings from inside to the ASA you need icmp permit any echo inside. "

I cannot understand it completely. Can you explain it again? Thank you.


Excellent, thank you!

You are welcome to see the post below:

https://supportforums.cisco.com/discussion/12594161/anyone-can-help-understand-command-icmp-permit-any-unreachable-inside
