ASA/PIX icmp to broadcast denied on interface despite icmp permit

Hi all,

We have an ASA (7.0) that denies icmp type 9 packets (router advertisements) sent to the 255.255.255.255 broadcast address on the inside interface even though we have an icmp permit entry corresponding to the source of the icmp broadcast. Is this behaviour by design but not documented? I'm aware of the exceptions documented* at http://www.cisco.com/en/US/products/ps6120/products_command_reference_chapter09186a00805fba52.html

but these are not echo requests, but router-advertisements...

Thanks

JC

*("The icmp command controls ICMP traffic that terminates on any security appliance interface. If no ICMP control list is configured, then the security appliance accepts all ICMP traffic that terminates at any interface, including the outside interface. However, by default, the security appliance does not respond to ICMP echo requests directed to a broadcast address.")
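The two ICMP control points the question turns on, written out as an added configuration example (this is not JC's ASA configuration; the interface name "inside", the host 192.168.0.1 and the ACL name INSIDE_IN are assumed for illustration):

```cisco
! Added example, not the original poster's configuration. Interface name,
! host address and ACL name are assumed.
!
! 1. ICMP control list: the "icmp" command quoted above governs only ICMP
!    that terminates on the appliance interface itself.
icmp permit host 192.168.0.1 router-advertisement inside
icmp deny any inside
!
! 2. Interface access list: governs ICMP passing through the appliance.
!    A permit in the icmp control list does not grant transit; that needs
!    a permit here.
access-list INSIDE_IN extended permit icmp host 192.168.0.1 any router-advertisement
access-list INSIDE_IN extended deny ip any any
access-group INSIDE_IN in interface inside
!
! Checks: see which entry is accumulating hits, and read the denial message
! so it can be tied to one of the two lists rather than guessed at.
show access-list INSIDE_IN
show logging | include 192.168.0.1
```

Whether a packet addressed to 255.255.255.255 is treated as terminating on the interface or as transit traffic is exactly what the question is asking; the example only makes the two lists explicit so that the hit counters and the syslog denial can be matched against one of them.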

1 Reply

ctimmons
Level 1

I found a situation yesterday on an FWSM running 3.1.3 whereby I could modify an outbound access list in the base case to be something like this:

access-list test permit icmp host 192.168.0.1 any

access-list test deny ip any any

... and it would keep denying the icmp packets until I either rebooted or clear-config'd the access list. Running with auto-commit enabled, icmp inspection off, I was able to add and remove similar rules (e.g., allow TCP) and have them take effect instantaneously.

This is using the latest ASDM.

So it seems like there is something going on with addition of icmp rules that does not happen with other kinds of rules in this situation.

-c
