Cisco ASA firewall and ICMP traffic

In this video I explain how ICMP Traffick (like pings, echo, echo-reply) is handled in the firewall.

The ICMP packets are being handled in 3 different ways depending if the traffic is to the box, from the box or thru the box.

Certain parts of the configuration needs to be taken care of depending of what you want to achieve, especially access-lists, the global icmp permit and icmp deny command as well as the fixup procol icmp modular policy framework command.

TO firewall
no acl can block
“icmp deny…” command to block
Only ping closest interface without NAT voodoo

FROM firewall
no acl can block
uses closest if as source by default
no nat is ever applied

THRU firewall
like all other transit traffic
acl and nat config applies
stateful if “fixup protocol icmp”


Please look at the video for further explanations

Tagged with: , , , , , , , , , , , , , , , , , , , , , , , , , ,
Posted in Cisco Security, Security
One comment on “Cisco ASA firewall and ICMP traffic
  1. Matt says:

    I have been wanting to start an online business for a while and have done a lot of research about the various types of opportunities. You are absolutely right about the number of scams out there! I’ve finally come to an honest website just when I was about to give up. I realize that nothing worth having comes easy and I am prepared to work hard to develop a business I can be proud of:)

Leave a Reply

Your email address will not be published. Required fields are marked *



[mc4wp_form id="2457"]
Website Security Test