Cisco Support Community
Community Member

Blocking All Incoming ICMP Traffic With Cisco ASA 5510

This is a fairly simple question and I'm sure there is a fairly simple answer, but for whatever reason I can't seem to get ICMP blocked properly on the external interface of my ASA.  I obviously don't want my external interface to be pingable, but no matter what I configure in the ACL I am still able to ping the outside IP from outside of our network.

external ip is

What is the easiest, best practice way to accomplish this?

Cisco Employee

Re: Blocking All Incoming ICMP Traffic With Cisco ASA 5510

ACLs applied to the ASA only affect transient traffic.  To block ICMP *to* the interface, use the 'icmp' command.

   icmp deny any


   icmp deny any outside

Community Member

Re: Blocking All Incoming ICMP Traffic With Cisco ASA 5510

Fantastic!  That worked like a charm!

Now I have another question:

Because of a recent ISP/IP naming scheme change we have had to NAT our internal Exchange server to a public IP address in a block that was provided to us.

Because of this NATing, even though the server is behind the firewall it appears to the outside world as though it is external.  Meaning that when I run a port/ping scan on it for security from the outside the following happens:

I get a ping reply; obviously this must be stopped, as it is a major security hole.  So I need to know how to go about blocking ICMP requests for this NATed address.

Secondly, a few ports show as open to the outside world.


I'm sure that some of these ports need to be open, like the smtp port or the port 691 for ms exchange routing but my question is overall what would be the best practice to properly secure this server and make sure it isn't security compromised.

I'm using the GRC Shields up port scanner and when I run the scan from anything else in the company (servers/workstations) the regular external ip of the firewall shows up, and everything passes perfectly.  All ports are in stealth mode and there is no packet or icmp replies.

But when I run the scanner on the mail server with the NAT rule nothing is stealthed; instead most of the ports are just blocked, with the exception of the ones mentioned above being open and the ICMP reply.

Cisco Employee

Re: Blocking All Incoming ICMP Traffic With Cisco ASA 5510

You can block these packets on your access-list that is applied on your outside.

access-list line 1 deny icmp any

access-list line 1 deny tcp any eq

access-list line 1 deny tcp any eq


Let us know if it fixes the issue.


Cisco Employee

Re: Blocking All Incoming ICMP Traffic With Cisco ASA 5510

Interface ACLs are used to permit/deny transient traffic through the ASA.  Therefore, if your scanner is showing TCP ports as being open, then you must have an ACL applied to your interface that is permitting the traffic.  You can use the "Packet Tracer" tool in ASDM (or the CLI) if you need help locating which entry in the ACL is permitting the traffic.

As for security, only permit the ports which are required to provide the service you are offering up.
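An added example, not posted by anyone in this thread, that puts the two replies together: the icmp command handles pings aimed at the firewall's own outside interface, while the outside ACL decides what reaches the NATed mail server. Object and ACL names, the 10.0.0.25 / 203.0.113.10 / 198.51.100.7 addresses, and the ASA 8.3+ object NAT syntax are all assumptions.

```cisco
! Assumed placeholders: 10.0.0.25 = internal Exchange server,
! 203.0.113.10 = public IP from the ISP-provided block, 198.51.100.7 = external test host.
! ASA 8.3+ object NAT syntax assumed; pre-8.3 uses "static (inside,outside) ..." instead.

! 1. Pings aimed at the outside interface itself: interface ACLs never see this
!    traffic, so it is handled by the icmp command (the fix from the first reply).
icmp deny any outside

! 2. Static NAT for the mail server, keeping its public IP in the new block.
object network MAIL-SERVER
 host 10.0.0.25
 nat (inside,outside) static 203.0.113.10

! 3. Outside ACL: through-traffic to the translated address is governed here,
!    not by "icmp deny". Permit only the services actually offered (SMTP here;
!    add a line per extra service, such as the Exchange routing port mentioned
!    above, only if it really is required); everything else, including ICMP
!    echo to the NATed address, hits the logged deny entries.
access-list OUTSIDE-IN extended permit tcp any object MAIL-SERVER eq smtp
access-list OUTSIDE-IN extended deny icmp any object MAIL-SERVER log
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside

! 4. Check which entry a probe matches, as the last reply suggests.
!    ICMP echo (type 8, code 0) to the translated address should be dropped,
!    TCP/25 should be permitted by the first OUTSIDE-IN entry.
packet-tracer input outside icmp 198.51.100.7 8 0 203.0.113.10
packet-tracer input outside tcp 198.51.100.7 12345 203.0.113.10 25
```

Because 8.3+ ACLs match on the real (untranslated) address, the ACL references the object rather than the public IP; on pre-8.3 code the ACL would name the public address instead.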


