The solutions in the Proctor Guide for questions 2.4 and 3.4 of Section 18
are not clear to me; could you please clarify?

The main point I'm trying to understand is why the permit any echo-reply is
needed. The question asks to block ping to the PIX/ASA interfaces and allow
ICMP to the inside (Q2.4), and to block ping to its interfaces from outside
and dmz but to allow icmp ping to pass through the ASA (Q3.4).

From the Cisco.com documentation (link below), the icmp command is for "ICMP
traffic that terminates at a security appliance interface", so if the
objective is to block pings to the interface, why is the permit echo-reply
needed?

Link:
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/i1_72.html#wp1631466

If this command also blocked other ICMP traversing the PIX, then it makes
sense that the permit echo-reply would be needed for the rest of the
question, but as per the document, this doesn't appear to be the case.

In the test lab, only blocking the echo per interface did the trick: icmp
deny any echo [inside|dmz|outside]

Is the permit echo-reply actually needed?

Thanks,
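A constructed ASA 7.x configuration fragment, added here as an illustration and not taken from the original post or the Proctor Guide. It assumes the behaviour documented for the icmp command: an interface with no icmp entries accepts all ICMP addressed to it, but once any entry exists the list is first-match with an implicit deny, so ICMP to that interface that matches no entry is discarded.

```cisco
! Constructed example (not from the original post). Interface names are assumed.
! The icmp command only governs ICMP that terminates AT the named ASA interface.
! ICMP passing THROUGH the ASA is governed by the interface ACLs and inspection.

! --- Deny-only form (what the lab test used) ---
! Blocks pings to each interface, as required. Because an ICMP control list now
! exists on each interface, the implicit deny also discards every other ICMP
! addressed to the ASA itself, including echo-replies to pings the ASA
! originates (ping/traceroute from the ASA CLI will get no answers).
icmp deny any echo outside
icmp deny any echo dmz
icmp deny any echo inside

! --- Corrected form (first match wins, so order the deny before the permit) ---
! Still blocks echo to the interfaces, but lets echo-reply terminate at the ASA
! so its own pings keep working.
icmp deny any echo outside
icmp permit any echo-reply outside
icmp deny any echo dmz
icmp permit any echo-reply dmz
icmp deny any echo inside
icmp permit any echo-reply inside

! --- Ping through the ASA (Q3.4) is a separate control plane ---
! Stateful ICMP inspection lets echo-replies return to inside/dmz hosts without
! a permit entry in the outside ACL. global_policy / inspection_default are the
! ASA 7.x default names.
policy-map global_policy
 class inspection_default
  inspect icmp
```

Verify the terminating case with `ping` from the ASA CLI itself (deny-only form: no replies; corrected form: replies arrive) and the pass-through case from a host behind the inside interface.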
