Cisco ASA ICMP inspection

ICMP Inspection

By default, ASA not inspect the ICMP packets. These are small packets and initiates for a short time. But we can enable it using below commands. if it is required.

Conf t

policy-map global_policy

 class inspection_default

 inspect ICMP

Allowing ICMP/PING (Outside to inside)

By default, ASA don’t allow the traffic from outside to inside (low security level to high security level. If we want to allow specific traffic from outside to inside then it can also be possible but we need to create an ACL for it.

In our case , We are allowing ping from outside to inside. So network team can check the reachability from router 2 to router 1.

ciscoasa(config)# access-list PING extended permit icmp any host

ciscoasa(config)# access-group PING in interface outside

NOTE: when we are removing the ACL and user is accessing the application which was allowed in ACL. Then access will be continue for that user till the session is not expiring or terminating or till we are not removing the entry from connection table.

Leave a Reply

Your email address will not be published.