
New Member

Quick Question re: ASA and ICMP command

All of the documentation I have found says that to allow a particular remote host (a.b.c.d) to ping the outside interface of an ASA, the ICMP command to implement is:

icmp permit host a.b.c.d echo-reply outside

Why is the icmp type/keyword in the command 'echo-reply' and not 'echo', if the goal here is to allow a.b.c.d to ping (icmp echo request, type 8, code 0) the outside interface? The example in the ASA 8.2 command reference provides the same style example in that it says:

"The following example permits host 172.16.2.15 or hosts on subnet 172.22.1.0/16 to ping the outside interface:

icmp permit host 172.16.2.15 echo-reply outside

icmp permit 172.22.1.0 255.255.0.0 echo-reply outside

icmp permit any unreachable outside"

Why isn't it the case that in the above example, what is actually being allowed (permitted) are ICMP echo-replies (icmp type 0, code 0) (and not ping requests) FROM the listed addresses to the outside interface?
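To make the echo/echo-reply distinction concrete, here is a small model added for this page (not Cisco code and not from the thread) that parses rules in the icmp command's syntax and applies first-match evaluation to ICMP addressed to an interface. It assumes the behaviour Cisco documents for the icmp command: an interface with no icmp rules accepts all ICMP to itself, and once any rule exists, unmatched ICMP is dropped. The rule lines are the ones quoted from the command reference; a ping request arrives as type 8, so the echo-reply rules never match it.

```python
import ipaddress
from typing import List, NamedTuple, Optional

ICMP_TYPES = {"echo": 8, "echo-reply": 0, "unreachable": 3}  # RFC 792 numbers

class IcmpRule(NamedTuple):
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network   # host A -> A/32, A MASK -> A/MASK, any -> 0/0
    icmp_type: Optional[int]     # None: any ICMP type
    iface: str

def parse_icmp_rule(line: str) -> IcmpRule:
    """Parse 'icmp {permit|deny} {host A | A MASK | any} [type] IFACE'."""
    tok = line.split()
    assert tok[0] == "icmp" and tok[1] in ("permit", "deny")
    i = 2
    if tok[i] == "any":
        src, i = ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    elif tok[i] == "host":
        src, i = ipaddress.IPv4Network(f"{tok[i+1]}/32"), i + 2
    else:  # 'A MASK' form; strict=False tolerates host bits (172.22.1.0/16)
        src, i = ipaddress.IPv4Network(f"{tok[i]}/{tok[i+1]}", strict=False), i + 2
    icmp_type = None
    if tok[i] in ICMP_TYPES:
        icmp_type, i = ICMP_TYPES[tok[i]], i + 1
    return IcmpRule(tok[1], src, icmp_type, tok[i])

def to_the_box_icmp_allowed(rules: List[IcmpRule], iface: str,
                            src_ip: str, icmp_type: int) -> bool:
    """First-match check for ICMP addressed to an ASA interface itself.
    Assumed: no rules on an interface -> accept all; any rule -> implicit deny."""
    iface_rules = [r for r in rules if r.iface == iface]
    if not iface_rules:
        return True
    ip = ipaddress.IPv4Address(src_ip)
    for r in iface_rules:
        if ip in r.src and r.icmp_type in (None, icmp_type):
            return r.action == "permit"
    return False  # implicit deny once any rule exists on the interface

# The command-reference example exactly as quoted in the thread ...
DOC_EXAMPLE = [parse_icmp_rule(l) for l in (
    "icmp permit host 172.16.2.15 echo-reply outside",
    "icmp permit 172.22.1.0 255.255.0.0 echo-reply outside",
    "icmp permit any unreachable outside")]
# ... and the same rules with 'echo' (type 8), which is what the thread found works.
FIXED_EXAMPLE = [r._replace(icmp_type=8) if r.icmp_type == 0 else r
                 for r in DOC_EXAMPLE]
```

Evaluating a ping request (type 8) from 172.16.2.15 against DOC_EXAMPLE falls through to the implicit deny, while the same request against FIXED_EXAMPLE matches the first rule.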

12 REPLIES

Quick Question re: ASA and ICMP command

Hello Private,

I would do it with an access-list instead of using the ICMP configuration.

Have you tested it with just the echo?

I would say you need both of them.

Regards,

Julio

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
New Member

Quick Question re: ASA and ICMP command

My question is part of a review I am doing (I don't have access to the device). My understanding, though, has always been that one uses ACLs (and ICMP in them) as a means for controlling pinging 'through' the ASA and that one should use the specific ICMP commands for controlling ICMP to the firewall interfaces.

Quick Question re: ASA and ICMP command

Hello Private,

With the ACL you are going to be fine, that is all you need (on the ACL it will be only echo).

Regards,

Julio

Red

Quick Question re: ASA and ICMP command

Hi,

It should be just echo, even that would allow the ping.

Thanks,
Varun Rao
Security Team,
Cisco TAC

New Member

Quick Question re: ASA and ICMP command

Varun - Thank you for your reply. Does that mean that the example given in the documentation is incorrect? That is, the example given:

"The following example permits host 172.16.2.15 or hosts on subnet 172.22.1.0/16 to ping the outside interface:

icmp permit host 172.16.2.15 echo-reply outside

icmp permit 172.22.1.0 255.255.0.0 echo-reply outside

icmp permit any unreachable outside"

Does not actually permit the given hosts to ping the outside interface, but rather, it only allows the ASA to receive ICMP echo reply messages from the hosts listed?

Red

Quick Question re: ASA and ICMP command

Good Point!!!

I might not be able to answer it, but I tested it and it only works with echo. I might need to get in touch with our documentation team on it, since only they can verify it. But it should be echo. Maybe I am also doing something wrong, but we can verify it ourselves: if you scroll to the bottom, you can provide us feedback about the doc, and this way it would be routed to the correct team. Let's wait for their answer.

Thanks,
Varun Rao
Security Team,
Cisco TAC

New Member

Re: Quick Question re: ASA and ICMP command

Not sure where to provide the feedback. I don't see anything on the bottom of this thread's page that says 'feedback'. Do I mark your answer as 'Correct' and then get an option to provide feedback?

btw - thank you Julio for your replies as well.

Red

Quick Question re: ASA and ICMP command

Nope I was talking about the command reference doc:

http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/i1.html#wp1717728

You will see the feedback option at the bottom.

You can also mark this thread as answered if it helped you.

Thanks,
Varun Rao
Security Team,
Cisco TAC

New Member

Quick Question re: ASA and ICMP command

Thanks. I will go there. Just as an FYI, although I have seen this exact example used in many versions of the documentation, the exact documentation I am looking at is the version 8.2 command reference.

Red

Quick Question re: ASA and ICMP command

Yup, I was checking the other latest versions as well to see whether it's the same, and it is, so you can provide your feedback on any one of them, since the commands have not changed.

Thanks,
Varun Rao
Security Team,
Cisco TAC

New Member

Quick Question re: ASA and ICMP command

Thanks. Feedback submitted.

Red

Quick Question re: ASA and ICMP command

Sure, let us know, when you get the reply, take care

Thanks,
Varun Rao
Security Team,
Cisco TAC
