Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 37 Configuring Management Access
Configuring ICMP Access
Firewall Mode Guidelines
Supported in routed and transparent firewall mode.
IPv6 Guidelines
Supports IPv6.
Additional Guidelines
The ASA does not respond to ICMP echo requests directed to a broadcast address.
The ASA only responds to ICMP traffic sent to the interface that traffic comes in on; you cannot
send ICMP traffic through an interface to a far interface.
Default Settings
By default, you can send ICMP packets to any ASA interface using either IPv4 or IPv6.
Configuring ICMP Access
To configure ICMP access rules, enter one of the following commands:
Detailed Steps

(For IPv4)
Command:
icmp {permit | deny} {host ip_address | ip_address mask | any} [icmp_type] interface_name
Example:
hostname(config)# icmp deny host 10.1.1.15 inside
Purpose:
Creates an IPv4 ICMP access rule. If you do not specify an icmp_type, all types are identified. You can enter the number or the name. To control ping, specify echo-reply (0) (ASA-to-host) or echo (8) (host-to-ASA). See the “ICMP Types” section on page B-15 for a list of ICMP types.

(For IPv6)
Command:
ipv6 icmp {permit | deny} {ipv6-prefix/prefix-length | any | host ipv6-address} [icmp-type] interface_name
Example:
hostname(config)# ipv6 icmp permit host fe80::20d:88ff:feee:6a82 outside
Purpose:
Creates an IPv6 ICMP access rule. If you do not specify an icmp_type, all types are identified. You can enter the number or the name. To control ping, specify echo-reply (0) (ASA-to-host) or echo (8) (host-to-ASA). See the “ICMP Types” section on page B-15 for a list of ICMP types.

Examples
The following example shows how to allow all hosts except the one at 10.1.1.15 to use ICMP to the inside interface:
hostname(config)# icmp deny host 10.1.1.15 inside
hostname(config)# icmp permit any inside
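The following Python check is an added example, not from the Cisco guide: it parses IPv4 icmp rules in the command syntax shown above and reports whether a source may send a given ICMP type to an ASA interface, which makes the effect of rule order visible when auditing a configuration. It assumes rules are evaluated in configured order with the first match winning, and that ICMP matching no rule is denied once an interface has any rule; the outside rule, its 192.168.1.0 subnet, and the function names are constructed for illustration.

```python
import ipaddress

# ICMP type names mentioned on the page; give any other type as a number.
ICMP_TYPES = {"echo-reply": 0, "echo": 8}

def parse_rule(line):
    """Parse 'icmp {permit|deny} {host ip | ip mask | any} [icmp_type] interface_name'."""
    tok = line.split("#", 1)[-1].split()   # drop a 'hostname(config)#' prompt if present
    if len(tok) < 4 or tok[0] != "icmp" or tok[1] not in ("permit", "deny"):
        raise ValueError(f"not an IPv4 icmp rule: {line!r}")
    action, rest = tok[1], tok[2:]
    if rest[0] == "any":
        net, rest = ipaddress.ip_network("0.0.0.0/0"), rest[1:]
    elif rest[0] == "host":
        net, rest = ipaddress.ip_network(rest[1] + "/32"), rest[2:]
    else:                                   # 'ip_address mask' form
        net, rest = ipaddress.ip_network(f"{rest[0]}/{rest[1]}"), rest[2:]
    if len(rest) not in (1, 2):
        raise ValueError(f"malformed icmp rule: {line!r}")
    icmp_type = None                        # no icmp_type: the rule covers all types
    if len(rest) == 2:
        icmp_type = ICMP_TYPES[rest[0]] if rest[0] in ICMP_TYPES else int(rest[0])
    return {"action": action, "net": net, "type": icmp_type, "iface": rest[-1]}

def icmp_allowed(rules, src, icmp_type, iface):
    """True if ICMP of icmp_type from src to the ASA's own interface iface is accepted."""
    on_iface = [r for r in rules if r["iface"] == iface]
    if not on_iface:
        return True                         # page default: no rules, ICMP is accepted
    addr = ipaddress.ip_address(src)
    for r in on_iface:                      # assumption: configured order, first match wins
        if addr in r["net"] and r["type"] in (None, icmp_type):
            return r["action"] == "permit"
    return False                            # assumption: implicit deny after the last rule

# Constructed sample: the page's two inside rules plus a hypothetical typed outside rule.
SAMPLE = """\
hostname(config)# icmp deny host 10.1.1.15 inside
hostname(config)# icmp permit any inside
hostname(config)# icmp permit 192.168.1.0 255.255.255.0 echo outside
"""
RULES = [parse_rule(l) for l in SAMPLE.splitlines() if l.strip()]

if __name__ == "__main__":
    for src, typ, iface in [("10.1.1.15", 8, "inside"), ("10.1.1.20", 8, "inside"),
                            ("192.168.1.5", 8, "outside"), ("203.0.113.9", 8, "outside")]:
        verdict = "permit" if icmp_allowed(RULES, src, typ, iface) else "deny"
        print(f"{src} type {typ} -> {iface}: {verdict}")
```

Swapping the two inside rules so that permit any comes first lets 10.1.1.15 through, which is why the deny line is entered first in the example above.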