Ping allowed but not configured

jeff6strings
Level 1

We have a Cisco ASA 5580 and the outside interface has a public IP address, and we noticed we can ping this address from the Internet. I did a packet capture on the outside interface and confirmed the pings and the IP address sending the pings. The 5580 does not have an access list allowing ICMP, so I'm not sure what is allowing the pings to this interface.

Appreciate any help.

Jeff

1 Accepted Solution


Pings to the interface are permitted by default. Pings through the ASA are denied by default.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#topic5

hth

Chad


Roman Rodichev
Level 7

icmp permit any outside

icmp permit any unreachable outside

icmp permit any echo outside

icmp permit any echo-reply outside

icmp permit any time-exceeded outside

Roman,

I appreciate the reply, but none of those commands are configured on the ASA, there are no inspect statements allowing ICMP, and only the implicit deny access rule is configured on the outside interface, so I'm still confused as to what is allowing the pings to the outside interface.

Jeff

Hi,

I did a test on my home ASA 5505 8.4(3).

It seems that if you don't have any "icmp permit/deny" lines configured (ASA default?), the ASA will respond to ICMP from anywhere on the corresponding interface.

If you, let's say, add one line to allow ICMP to the ASA outside interface and you're pinging from some other network that's not mentioned in the rule you just inserted, the ASA won't respond.

So it seems to be

  • No "icmp permit/deny" statements = all ICMP allowed
  • 1 or more ICMP statements configured to the interface = only that network/host is allowed to ping interface. Rest are blocked

To be honest I don't know what this is based on but it does seem to work like that after I tried the commands around.

- Jouni
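The behaviour described above can be checked against a saved running-config. The following is an added example, not code from the thread or from Cisco: it models to-the-box ICMP evaluation (no `icmp permit/deny` statement on an interface means every source is answered; one or more statements means implicit deny for the rest) and lists the interfaces still in the default-permit state. The sample config, addresses and function names are constructed for illustration, only IPv4 `icmp` lines are handled, and the first-match ordering is assumed from Cisco's documented behaviour of the `icmp` command rather than from the thread.

```python
import ipaddress
import re

# Constructed sample running-config excerpt (not from the thread).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
interface GigabitEthernet0/1
 nameif inside
icmp unreachable rate-limit 1 burst-size 1
icmp permit host 198.51.100.10 echo inside
icmp permit 192.0.2.0 255.255.255.0 inside
"""

def parse_rules(config):
    """Return {ifname: [(action, network, icmp_type or None), ...]} in config order."""
    rules = {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "icmp" or tok[1] not in ("permit", "deny"):
            continue  # skips e.g. "icmp unreachable rate-limit ..."
        if tok[2] == "any":
            net, rest = ipaddress.ip_network("0.0.0.0/0"), tok[3:]
        elif tok[2] == "host":
            net, rest = ipaddress.ip_network(tok[3]), tok[4:]
        else:  # "<address> <netmask>" form
            net, rest = ipaddress.ip_network(f"{tok[2]}/{tok[3]}"), tok[4:]
        if rest:  # rest is "[icmp_type] ifname"
            rules.setdefault(rest[-1], []).append(
                (tok[1], net, rest[0] if len(rest) == 2 else None))
    return rules

def to_the_box_icmp(rules, ifname, src, icmp_type="echo"):
    """Decision for ICMP addressed to the ASA interface itself (not through it)."""
    iface_rules = rules.get(ifname, [])
    if not iface_rules:
        return "permit"  # no icmp statements on this interface: everything answered
    for action, net, rule_type in iface_rules:
        if ipaddress.ip_address(src) in net and rule_type in (None, icmp_type):
            return action  # first matching statement decides
    return "deny"  # implicit deny once at least one statement exists

def interfaces_answering_anyone(config):
    """Audit helper: named interfaces that have no icmp permit/deny statement."""
    rules = parse_rules(config)
    return [n for n in re.findall(r"^\s*nameif (\S+)", config, re.M) if n not in rules]

if __name__ == "__main__":
    print("default-permit interfaces:", interfaces_answering_anyone(SAMPLE_CONFIG))
```

In the sample, `outside` is reported because it carries no `icmp` statement, which is the situation in the original question.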

Jouni, thanks for the reply, as I was under the impression the ASA denies ICMP by default unless manually allowed. Either there is something I'm missing, or we have a bug based on the version and/or configuration we have, or I'm wrong assuming pings are denied by default.

Thanks again,

Jeff
