New Member

How to deny outside incoming ICMP to ASA 5520

I thought any incoming traffic from the outside interface of an ASA 5520 is denied by default. From home, I can ping the public IP.  Any explanation?

Our 5520 is connected via DSL router to the cloud. The DSL is allowing ICMP. I created an access rule to deny any ICMP from the DSL router. To no avail; I can still get a ping reply from the ASA.

Any help/suggestion is appreciated.

Del

6 REPLIES

Re: How to deny outside incoming ICMP to ASA 5520

Hi,

By default, all traffic from the outside to the inside is denied.

But this applies to pass-thru traffic through the ASA (not to traffic to the ASA itself).

What are you PINGing from the outside?

Federico.

New Member

Re: How to deny outside incoming ICMP to ASA 5520

I am pinging from my home to the ASA. There is a DSL router before the ASA and it is allowing ping.

Cisco Employee

Re: How to deny outside incoming ICMP to ASA 5520

The ASA will respond to pings by default.

If you are pinging the ASA then use "icmp deny any " on the ASA and it will drop the pings to it.

I hope it helps.

PK

New Member

Re: How to deny outside incoming ICMP to ASA 5520

PK

I did write the ACL and I can still ping from the outside. I even tried an ACL to deny ICMP from the DSL router/modem to the ASA. Ping still gets through.

Cisco Employee

Re: How to deny outside incoming ICMP to ASA 5520

I did not suggest an ACL.

I suggested the command "icmp deny any " on the ASA.

That will do it.

Rate helpful posts.

PK
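The distinction drawn in this thread (an interface ACL filters traffic passing through the ASA, while `icmp` rules govern traffic addressed to the ASA itself) can be checked against a saved configuration. The following Python script is an added example, not part of the original posts or any Cisco tooling; the sample configuration is constructed, and the interface names `outside`/`inside` and the ACL name `OUTSIDE_IN` are assumptions.

```python
import re

# Constructed sample running-config (not from the thread). It reproduces the
# poster's situation: an interface ACL denies ICMP, but no "icmp" rule exists
# for the outside interface. Interface and ACL names are assumptions.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
access-list OUTSIDE_IN extended deny icmp any any
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 443
access-group OUTSIDE_IN in interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp deny any inside
"""


def audit_to_the_box_icmp(config):
    """Report, per nameif, what governs ICMP addressed to the ASA itself."""
    names = re.findall(r"^\s*nameif\s+(\S+)", config, re.M)
    # "icmp {permit|deny} <source> [type] <if_name>": last token is the interface.
    box = {}
    for action, rest in re.findall(r"^icmp\s+(permit|deny)\s+(.+)$", config, re.M):
        box.setdefault(rest.split()[-1], []).append(action)
    # ACLs containing a "deny icmp" entry, and the interfaces they are bound to.
    # Only plain "in interface <name>" bindings are matched here.
    icmp_acls = set(re.findall(r"^access-list\s+(\S+)\s+extended\s+deny\s+icmp\b", config, re.M))
    bound = re.findall(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)\s*$", config, re.M)
    acl_ifs = {ifname for acl, ifname in bound if acl in icmp_acls}

    report = {}
    for name in names:
        if name in box:
            # Once any icmp rule exists for an interface, first match wins and
            # everything unmatched is dropped by an implicit deny.
            report[name] = "icmp rules present: " + ", ".join(box[name])
        elif name in acl_ifs:
            report[name] = "ACL only: filters through traffic, ASA still answers ping"
        else:
            report[name] = "no rules: ASA answers ping by default"
    return report


if __name__ == "__main__":
    for ifname, finding in audit_to_the_box_icmp(SAMPLE_CONFIG).items():
        print(f"{ifname}: {finding}")
```

On the constructed sample, `outside` is reported as "ACL only", which is the state the original poster was in before applying the `icmp` command.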

New Member

Re: How to deny outside incoming ICMP to ASA 5520

PK,

That did it!  Thanks.
