Thanks for the reply. My problem is that I have my logging set to errors and above. Each day the same IP addresses ping my DMZ network, so the logs are filled with these entries. I would like to be able to drop these packets from the sender of the ICMP, with the hope that they will get the message and stop. Though all the entries in the log say denied, I still worry that something is happening. So you are saying that I need to set up rules to deny the ICMP to the particular addresses on the DMZ net?
You don't need to do anything; this message is telling you that the ICMP packets to your DMZ were denied by the access-list. Whoever is pinging these hosts did not get a response to them; don't worry about that.
As for these messages filling up your logs, there's not a lot we can do about that. You can't selectively turn logging off for these pings specifically. You can turn this log message off with:
> no logging message 106023
but then you won't get any of those messages. Personally I'd prefer to see them; at least I know the PIX is denying them.
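A middle ground between disabling message 106023 and reading every line is to keep the message on and summarize it. The following is an added example, not code from this thread: a small Python script that parses PIX/ASA 106023 deny lines and counts denied ICMP per source on the DMZ interface. The line layout is assumed from the documented 106023 format, and the sample log lines are constructed.

```python
import re
from collections import Counter

# Assumed layout of the 106023 message (PIX and ASA prefixes both accepted):
#   %PIX-4-106023: Deny icmp src outside:A dst dmz:B (type 8, code 0) by access-group "ACL" [...]
#   %ASA-4-106023: Deny tcp src outside:A/port dst dmz:B/port by access-group "ACL" [...]
DENY_106023 = re.compile(
    r"%(?:PIX|ASA)-\d-106023: Deny (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src>[\d.]+)(?:/\d+)? "
    r"dst (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)(?:/\d+)?"
    r"(?: \(type (?P<type>\d+), code (?P<code>\d+)\))?"
    r' by access-group "(?P<acl>[^"]+)"'
)


def parse_106023(line):
    """Return the fields of a 106023 deny line as a dict, or None if it is not one."""
    m = DENY_106023.search(line)
    return m.groupdict() if m else None


def summarize_icmp_denies(lines, dst_if="dmz"):
    """Count denied ICMP packets per source address destined for one interface."""
    counts = Counter()
    for line in lines:
        rec = parse_106023(line)
        if rec and rec["proto"] == "icmp" and rec["dst_if"] == dst_if:
            counts[rec["src"]] += 1
    return counts


def noisy_sources(counts, threshold):
    """Sources that hit the DMZ at least `threshold` times, busiest first."""
    return [src for src, n in counts.most_common() if n >= threshold]


# Constructed sample lines using documentation address ranges.
SAMPLE = [
    'Jan 10 08:15:01 pix %PIX-4-106023: Deny icmp src outside:203.0.113.7 dst dmz:10.10.10.5 (type 8, code 0) by access-group "outside_in" [0x0, 0x0]',
    'Jan 10 08:15:02 pix %PIX-4-106023: Deny icmp src outside:198.51.100.9 dst dmz:10.10.10.5 (type 8, code 0) by access-group "outside_in" [0x0, 0x0]',
    'Jan 10 08:15:03 pix %PIX-4-106023: Deny tcp src outside:203.0.113.7/4455 dst dmz:10.10.10.5/80 by access-group "outside_in" [0x0, 0x0]',
    'Jan 10 08:15:04 pix %PIX-4-106023: Deny icmp src outside:203.0.113.7 dst dmz:10.10.10.6 (type 8, code 0) by access-group "outside_in" [0x0, 0x0]',
    'Jan 10 08:15:05 pix %PIX-4-106023: Deny icmp src outside:203.0.113.7 dst inside:192.168.1.5 (type 8, code 0) by access-group "outside_in" [0x0, 0x0]',
]

if __name__ == "__main__":
    for src, n in summarize_icmp_denies(SAMPLE).most_common():
        print(f"{src:15} {n} denied ICMP to dmz")
```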