Cisco Support Community

ASA/PIX icmp to broadcast denied on interface despite icmp permit

Hi all,

We have an ASA (7.0) that denies icmp type 9 packets (router advertisements) sent to the broadcast address on the inside interface even though we have an icmp permit entry corresponding to the source of the icmp broadcast. Is this behaviour by design but not documented? I'm aware of the exceptions documented* at

but these are not echo requests, but router-advertisements...



*("The icmp command controls ICMP traffic that terminates on any security appliance interface. If no ICMP control list is configured, then the security appliance accepts all ICMP traffic that terminates at any interface, including the outside interface. However, by default, the security appliance does not respond to ICMP echo requests directed to a broadcast address.")
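To confirm from the firewall's own syslog whether the drops described in this post are happening, for which ICMP types and sources, the following Python script is an added example (not code from the post or from Cisco). It parses "Denied ICMP" lines, assumes they follow the %ASA-3-313001 message layout ("Denied ICMP type=N, code=N from SRC on interface IFACE"), and flags denies whose source is covered by an icmp permit entry on that interface. The sample log lines and the permit set are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the original post). The 313001
# layout is assumed; the 302013 line is there to show non-ICMP lines are skipped.
SAMPLE_LOGS = """\
%ASA-3-313001: Denied ICMP type=9, code=0 from 10.1.1.1 on interface inside
%ASA-3-313001: Denied ICMP type=9, code=0 from 10.1.1.1 on interface inside
%ASA-3-313001: Denied ICMP type=8, code=0 from 192.0.2.7 on interface outside
%ASA-6-302013: Built outbound TCP connection 12345 for outside:198.51.100.9/443 (198.51.100.9/443) to inside:10.1.1.20/51234 (10.1.1.20/51234)
%ASA-3-313001: Denied ICMP type=9, code=0 from 10.1.1.2 on interface inside
"""

# Well-known ICMPv4 type numbers; type 9 is the router advertisement the post asks about.
ICMP_TYPE_NAMES = {
    0: "echo-reply",
    3: "unreachable",
    5: "redirect",
    8: "echo-request",
    9: "router-advertisement",
    10: "router-solicitation",
    11: "time-exceeded",
}

DENIED_ICMP_RE = re.compile(
    r"%ASA-\d-313001: Denied ICMP type=(?P<type>\d+), code=(?P<code>\d+) "
    r"from (?P<src>\S+) on interface (?P<iface>\S+)"
)


def parse_denied_icmp(log_text):
    """Return one dict per 313001 line; lines that are not ICMP denies are skipped."""
    events = []
    for line in log_text.splitlines():
        m = DENIED_ICMP_RE.search(line)
        if not m:
            continue
        icmp_type = int(m.group("type"))
        events.append({
            "type": icmp_type,
            "name": ICMP_TYPE_NAMES.get(icmp_type, f"type-{icmp_type}"),
            "code": int(m.group("code")),
            "src": m.group("src"),
            "iface": m.group("iface"),
        })
    return events


def summarize(events):
    """Count denies per (interface, ICMP type name, source), most frequent first."""
    counts = Counter((e["iface"], e["name"], e["src"]) for e in events)
    return counts.most_common()


def denied_despite_permit(events, permits):
    """Return denies whose (interface, source) pair is in `permits`.

    `permits` is a constructed set of (interface, source) pairs standing in for
    the firewall's 'icmp permit host <src> <interface>' entries; a non-empty
    result is the situation the post describes (permit present, packet still denied).
    """
    return [e for e in events if (e["iface"], e["src"]) in permits]


if __name__ == "__main__":
    evts = parse_denied_icmp(SAMPLE_LOGS)
    for key, n in summarize(evts):
        print(n, key)
    # Constructed permit set: assume an icmp permit entry exists for 10.1.1.1 on inside.
    for e in denied_despite_permit(evts, {("inside", "10.1.1.1")}):
        print("denied despite permit:", e)
```

Run it against a syslog export from the ASA (after checking the message format against your software version) to see whether the denies are limited to a particular ICMP type, which is the quickest way to tell an undocumented broadcast exception from a misconfigured permit entry.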


Re: ASA/PIX icmp to broadcast denied on interface despite icmp p

I found a situation yesterday on an FWSM running 3.1.3 whereby I could modify an outbound access list in the base case to be something like this:

access-list test permit icmp host any

access-list test deny ip any any

... and it would keep denying the icmp packets until I either rebooted or clear-config'd the access list. Running with auto-commit enabled, icmp inspection off, I was able to add and remove similar rules (e.g., allow TCP) and have them take effect instantaneously.

This was using the latest ASDM.

So it seems like there is something going on with addition of icmp rules that does not happen with other kinds of rules in this situation.

