The solutions in the Proctor Guide for questions 2.4 and 3.4 of Section 18 are not clear to me. Could you please clarify?
The main point I'm trying to understand is why the permit any echo-reply is needed. The question asks to block ping to the PIX/ASA interfaces and allow ICMP to the inside (Q2.4), and to block ping to its interfaces from outside and dmz but to allow ICMP ping to pass through the ASA (Q3.4).

From the Cisco.com documentation (link below), the icmp command is for "ICMP traffic that terminates at a security appliance interface", so if the objective is to block pings to the interface, why is the permit echo-reply needed?

Link: http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/i1_72.html#wp1631466

If this command also blocked other ICMP traversing the PIX, then it would make sense that the permit echo-reply would be needed for the rest of the question, but as per the document, this doesn't appear to be the case.

In the test lab, only blocking the echo per interface did the trick:

icmp deny any echo [inside|dmz|outside]

Is the permit echo-reply actually needed?

Thanks,
