
We want to block any ICMP requests that are initiated to our network from the public internet. I ran icmp deny any outside, but when I do that, it takes down our internet - nobody can load web pages. Removing it by running no icmp deny any outside fixes the problem. What am I missing here?

sa289

1 Answer


What you're missing is: First, ICMP, at least in part, is required for proper functioning of the Internet. Second, blocking pings is completely pointless; it has no security benefits whatsoever, and can cause you trouble later on when you decide you need to be able to ping your device from outside for troubleshooting or other reasons.

If you're really determined to "block pings" directed at your ASA then you can do that by specifying the ICMP type (echo-request, which Cisco for some reason simply calls echo) you want to block.

icmp deny any echo outside
Michael Hampton
  • Same issue when I run that command. Could someone not reflect ping responses using a spoofed IP if we don't block it? Thanks – sa289 Mar 10 '16 at 01:15
  • Something very strange is wrong with your setup if you lost connectivity by running that. As for "reflect ping responses using a spoofed IP" it doesn't matter as the ASA [won't respond to broadcast pings by default](http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/command/reference/cmd_ref/i1_72.html#wp1631466). There's nothing you need to do. Unicast pings aren't an issue since there's no way to amplify it. – Michael Hampton Mar 10 '16 at 01:17
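The answer above is about the ASA `icmp` command, which controls ICMP that terminates on an interface (not transit traffic). The ASA command reference documents its evaluation rule: with no rules on an interface, all ICMP to that interface is accepted; once any rule exists, the first matching rule wins and anything matching no rule is dropped (an implicit deny all). That matters for the "ICMP is required for the Internet to work" point, because a lone deny rule also discards the error messages (unreachable, which carries fragmentation-needed for path MTU discovery, and time-exceeded) unless they are permitted explicitly. The model below is an added example for this page, not Cisco's code or anything from the answer: it parses the `icmp` rule syntax used on the page, applies that first-match/implicit-deny logic, and compares the question's rule set, the answer's, and a variant that denies echo while permitting the error types. The source address 198.51.100.7 and the rule sets are constructed for the demo.

```python
"""Toy model of how a Cisco ASA evaluates interface ICMP control-list rules.

Added example, not Cisco code. It encodes the semantics the ASA command
reference gives for the `icmp` command: rules apply only to ICMP terminating
on the named interface, the first matching rule wins, and once an interface
has any rule, traffic matching no rule is dropped (implicit deny all).
Type numbers are from RFC 792; the keywords are the ASA CLI names.
Rule sets and the probe source address are constructed for the demo.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# ASA keyword -> ICMP type number (subset of the keywords the CLI accepts)
ICMP_TYPES = {"echo": 8, "echo-reply": 0, "unreachable": 3, "time-exceeded": 11}


@dataclass(frozen=True)
class IcmpRule:
    action: str               # "permit" or "deny"
    source: str               # "any" or a CIDR / dotted-mask string
    icmp_type: Optional[int]  # None means every ICMP type
    interface: str


def parse_rule(line: str) -> IcmpRule:
    """Parse `icmp {permit|deny} {any | host A | A MASK} [type] ifname`."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "icmp" or tok[1] not in ("permit", "deny"):
        raise ValueError(f"not an icmp rule: {line!r}")
    action = tok[1]
    if tok[2] == "any":
        source, rest = "any", tok[3:]
    elif tok[2] == "host":
        source, rest = f"{tok[3]}/32", tok[4:]
    else:
        source, rest = f"{tok[2]}/{tok[3]}", tok[4:]  # ip_network accepts dotted masks
    interface = rest[-1]
    icmp_type = None
    if len(rest) == 2:
        icmp_type = ICMP_TYPES[rest[0]]  # KeyError on a keyword this toy does not know
    elif len(rest) != 1:
        raise ValueError(f"bad rule syntax: {line!r}")
    return IcmpRule(action, source, icmp_type, interface)


def icmp_allowed(rules: List[IcmpRule], interface: str, src_ip: str, icmp_type: int) -> bool:
    """True if ICMP of `icmp_type` from `src_ip` addressed to `interface` is accepted."""
    on_iface = [r for r in rules if r.interface == interface]
    if not on_iface:
        return True  # no control list on this interface: accept all ICMP to it
    src = ip_address(src_ip)
    for r in on_iface:  # first match wins
        if r.icmp_type is not None and r.icmp_type != icmp_type:
            continue
        if r.source != "any" and src not in ip_network(r.source, strict=False):
            continue
        return r.action == "permit"
    return False  # implicit deny all once any rule exists on the interface


# Messages worth checking: a ping, and the two error types the Internet relies
# on (fragmentation-needed is type 3 code 4; traceroute depends on type 11).
PROBES = {"echo": 8, "unreachable": 3, "time-exceeded": 11}


def evaluate(config_lines: List[str], interface: str = "outside",
             src_ip: str = "198.51.100.7") -> Dict[str, bool]:
    """Apply a rule set to each probe type and report which are accepted."""
    rules = [parse_rule(line) for line in config_lines]
    return {name: icmp_allowed(rules, interface, src_ip, t) for name, t in PROBES.items()}


# Constructed rule sets: the question's, the answer's, and a variant that
# blocks pings while explicitly keeping the error messages.
RULESETS = {
    "question (icmp deny any outside)": ["icmp deny any outside"],
    "answer (icmp deny any echo outside)": ["icmp deny any echo outside"],
    "deny echo, permit errors": [
        "icmp deny any echo outside",
        "icmp permit any unreachable outside",
        "icmp permit any time-exceeded outside",
    ],
}

if __name__ == "__main__":
    for label, lines in RULESETS.items():
        print(f"{label}: {evaluate(lines)}")
```

Running it shows that both single-rule sets drop unreachable and time-exceeded along with echo, and only the third set leaves the error messages reachable; whether that implicit deny is what the asker actually saw is not established on this page, but it is the check to make before concluding that blocking pings alone is harmless to the ASA's own traffic.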