Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Help with Application Inspection on ASA

Hi All,

I have an ASA that has an OUTSIDE interface connected to the Internet, and an INSIDE interface connected to my LAN.

I enter the following commands on the ASA:

access-list 105 extended deny icmp any any

class-map ICMP

match access-list 105

policy-map ICMP

class ICMP

service-policy ICMP interface INSIDE

I thought that if I applied these commands, then the ICMP packets are going to be dropped, but that's not the case.

Are these commands doing anything on the ASA and can I drop packets by using CLASS-MAPS and POLICY-MAPS instead of using ACCESS-LISTS?

Thank you!


Cisco Employee

Re: Help with Application Inspection on ASA

Those command are not doing anything.

You need to permit the traffic in the access-list for it to be matched in the class-map and then specify what you want done for those matched packets like inspect icmp.

The best place to deny icmp is by applying an access-list IN on the inside interface and permitting everything else.


access-list inside-acl deny icmp any any

access-list inside-acl permit ip any any

access-group inside-acl in int inside

I hope this helps.

New Member

Re: Help with Application Inspection on ASA

Great Thank you!

What if I want to permit ICMP PING packets but only of certain size?

Can I accomplish that with the CLASS-MAPS and POLICY-MAPS?

Thank you!

Cisco Employee

Re: Help with Application Inspection on ASA

Presently I do not see a way to achieve this in the ASA/PIX or FWSM platform.

You can however do this for dns inspection.