New Member

Ping allowed but not configured

We have a Cisco ASA 5580 and the outside interface has a public IP address and we noticed we can ping this address from the Internet. I did a packet capture on the outside interface and confirmed the pings and the IP address sending the pings. The 5580 does not have an access list allowing icmp so I'm not sure what is allowing the pings to this interface.

Appreciate any help.

Jeff

1 ACCEPTED SOLUTION

Accepted Solutions
Silver

Re: Ping allowed but not configured

Pings to the interface are permitted by default. Pings through the ASA are denied by default.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#topic5

hth

Chad

Sent from Cisco Technical Support iPad App

5 REPLIES

Ping allowed but not configured

icmp permit any outside

icmp permit any unreachable outside

icmp permit any echo outside

icmp permit any echo-reply outside

icmp permit any time-exceeded outside

New Member

Ping allowed but not configured

Roman,

I appreciate the reply, but neither of those commands is configured on the ASA, there are no inspect statements allowing icmp, and only the implicit deny access rule is configured on the outside interface, so I'm still confused as to what is allowing the pings to the outside interface.

Jeff

Super Bronze

Ping allowed but not configured

Hi,

I did a test on my home ASA 5505 8.4(3)

It seems that if you don't have any "icmp permit/deny" lines configured (ASA default?), the ASA will respond to ICMP from anywhere on the corresponding interface.

If you, let's say, add one line to allow ICMP to the ASA outside interface and you're pinging from some other network that's not mentioned in the rule you just inserted, the ASA won't respond.

So it seems to be

  • No "icmp permit/deny" statements = all ICMP allowed
  • 1 or more ICMP statements configured to the interface = only that network/host is allowed to ping the interface. The rest are blocked

To be honest, I don't know what this is based on, but it does seem to work like that after I tried the commands around.

- Jouni
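
The behaviour described in this thread (no `icmp` rules on an interface means the ASA answers every ping to it; one or more rules means anything unmatched is dropped), modelled as a check over a saved running-config. This is an added example, not part of any poster's reply; the sample configs, function names and addresses are constructed, and the parser assumes only the IPv4 `icmp permit|deny` forms.

```python
import ipaddress

# Constructed sample configs, not taken from the thread's devices.
NO_RULES = "icmp unreachable rate-limit 1 burst-size 1\n"
SOME_RULES = """\
icmp permit 198.51.100.0 255.255.255.0 echo outside
icmp permit any unreachable outside
"""

def parse_icmp_rules(config):
    """Return {interface: [(action, network, icmp_type or None)]} in config order."""
    rules = {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "icmp" or tok[1] not in ("permit", "deny"):
            continue  # e.g. the "icmp unreachable rate-limit" line is not a rule
        action, rest = tok[1], tok[2:]
        if rest[0] == "any":
            net, rest = "0.0.0.0/0", rest[1:]
        elif rest[0] == "host":
            net, rest = rest[1] + "/32", rest[2:]
        else:
            net, rest = rest[0] + "/" + rest[1], rest[2:]
        if not rest:
            continue  # malformed line: no interface name
        icmp_type = rest[0] if len(rest) > 1 else None
        rules.setdefault(rest[-1], []).append(
            (action, ipaddress.ip_network(net, strict=False), icmp_type))
    return rules

def ping_to_box_allowed(rules, interface, src, icmp_type="echo"):
    """Model ICMP to the ASA's own interface: with no rules everything is
    answered; with one or more rules the first match decides and anything
    unmatched is dropped."""
    iface_rules = rules.get(interface, [])
    if not iface_rules:
        return True
    addr = ipaddress.ip_address(src)
    for action, net, rule_type in iface_rules:
        if addr in net and rule_type in (None, icmp_type):
            return action == "permit"
    return False

if __name__ == "__main__":
    for name, cfg in (("no rules", NO_RULES), ("some rules", SOME_RULES)):
        rules = parse_icmp_rules(cfg)
        for src in ("198.51.100.7", "203.0.113.9"):
            print(name, src, ping_to_box_allowed(rules, "outside", src))
```

An interface that reports no rules here is one that answers echo requests from any source, which is the situation in the original question.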

New Member

Ping allowed but not configured

Jouni, thanks for the reply, as I was under the impression the ASA denies icmp by default unless manually allowed. Either there is something I'm missing, or we have a bug based on the version and/or configuration we have, or I'm wrong assuming pings are denied by default.

Thanks again,

Jeff
