Cisco ASA firewall and ICMP traffic

In this video I explain how ICMP Traffick (like pings, echo, echo-reply) is handled in the firewall.

The ICMP packets are being handled in 3 different ways depending if the traffic is to the box, from the box or thru the box.

Certain parts of the configuration needs to be taken care of depending of what you want to achieve, especially access-lists, the global icmp permit and icmp deny command as well as the fixup procol icmp modular policy framework command.

TO firewall
no acl can block
“icmp deny…” command to block
Only ping closest interface without NAT voodoo

FROM firewall
no acl can block
uses closest if as source by default
no nat is ever applied

THRU firewall
like all other transit traffic
acl and nat config applies
stateful if “fixup protocol icmp”


Please look at the video for further explanations

Tagged with: , , , , , , , , , , , , , , , , , , , , , , , , , ,
Posted in Cisco Security, Security

Leave a Reply

Your email address will not be published. Required fields are marked *



[mc4wp_form id="2457"]
Website Security Test