Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member


Hi Just want to know the rule of thumb about ICMP

In ASA post 8.3 all ICMP is blocked is that right.......i know that ICMP is blocked from high security level to lower security that right for sake of example my inside is 100 and outside is 0 so by default if i have to ping i would not be bale to do it????

this glocal inspection stuff default where you add icmp will that makeit work or do i have to do access-list......secondly what is teh rule from low security to high security for icmp.....if i have a VPN and my client get IP from the pool which i have specified will that be able to ping my inside interface otr host on insdie interface or do i have to add access list???


VIP Purple


For ICMP (where we only look at ping now) you have to differentiate three different scenarios:

1) Ping to the ASA
Is actually always allowed unless you restrict it. There was a release long time ago (was it in the 6-releases? I don't remember) that denied ping on the outside interface, but that was an exception.

2) Ping through the ASA without VPN
Here, Ping is a a packet like anything else. It has to be inspected to automatically allow return-traffic. This inspection is on by default for TCP and UDP but not for ICMP. The way to allow it is to enable the inspection and not to use an ACL-entry for that. The problem with the ACL-approach is that the echo-replys were also allowed if there was no initiating request. The initial packet of course needes to be allowed by ACL or by security-level.

3) Ping through a VPN
Here by default all traffic is allowed what is coming from the VPN and we have two ways to control that. The more modern way is to use VPN-filter with the problem that these can not be configured per direction. The old way (which was the only way years ago on the PIX) was that every new session that came from the VPN was compared against the ACL on the VPN-terminating interface where it had to be allowed. Also today it is possible to restore this old behaviour.

Sent from Cisco Technical Support iPad App

Don't stop after you've improved your network! Improve the world by lending money to the working poor: