Cisco ASA5505 – icmp deny any outside breaks internet – how to block outside pings?

sa289 asked:

We want to block any ICMP requests that are initiated to our network from the public internet. I ran icmp deny any outside, but when I do that, it takes down our internet – nobody can load web pages. Removing it by running no icmp deny any outside fixes the problem. What am I missing here?

My answer:

What you’re missing is: First, ICMP, at least in part, is required for proper functioning of the Internet. Second, blocking pings is completely pointless; it has no security benefits whatsoever, and can cause you trouble later on when you decide you need to be able to ping your device from outside for troubleshooting or other reasons.

If you’re really determined to “block pings” directed at your ASA then you can do that by specifying the ICMP type (echo-request, which Cisco for some reason simply calls echo) you want to block.

icmp deny any echo outside

View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.