Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 

ASA/PIX icmp to broadcast denied on interface despite icmp permit

Hi all,

We have an ASA (7.0) that denies icmp type 9 packets (router advertisements) sent to the the 255.255.255.255 broadcast address on the inside interface eventhough we have a icmp permit entry corresponding to the source of the icmp broadcast. Is this behaviour by design but not documented? I'm aware of the exceptions documented* at http://www.cisco.com/en/US/products/ps6120/products_command_reference_chapter09186a00805fba52.html

but these are not echo requests, but router-advertisements...

Thanks

JC

*("The icmp command controls ICMP traffic that terminates on any security appliance interface. If no ICMP control list is configured, then the security appliance accepts all ICMP traffic that terminates at any interface, including the outside interface. However, by default, the security appliance does not respond to ICMP echo requests directed to a broadcast address.")

1 REPLY
New Member

Re: ASA/PIX icmp to broadcast denied on interface despite icmp p

I found a situation yesterday on an FWSM running

3.1.3 whereby I could modify an outbound access list in the base case to be something like this:

access-list test permit icmp host 192.168.0.1 any

access-list test deny ip any any

... and it would keep denying the icmp packets until I either rebooted or clear-config'd the access list. Running with auto-commit enabled, icmp inspection off, I was able to add and remove similar rules (eg., allow TCP) and have them take effect instantaneously.

This using the latest asdm.

So it seems like there is something going on with addition of icmp rules that does not happen with other kinds of rules in this situation.

-c

225
Views
0
Helpful
1
Replies
CreatePlease to create content