Got it. The permit any echo-reply is to cater for you pinging from the
PIX/ASA itself.

Thanks,

On Jan 26, 2008 6:16 PM, Tomi Spiegel <[EMAIL PROTECTED]> wrote:

> The solutions in the Proctor Guide for questions 2.4 and 3.4 of Section 18
> are not clear to me, could you please clarify?
>
> The main point I'm trying to understand is why the permit any
> echo-reply is needed. The question asks to block ping to the PIX/ASA
> interfaces and allow ICMP to the inside (Q2.4) and to block ping to its
> interfaces from outside and dmz, but to allow icmp ping to pass through the
> ASA (Q3.4).
>
> From the Cisco.com documentation (link below), the icmp command is for "ICMP
> traffic that terminates at a security appliance interface", so if the
> objective is to block pings to the interface, why is the permit echo-reply
> needed?
>
> Link:
> http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/i1_72.html#wp1631466
>
> If this command also blocked other ICMP traversing the PIX, then it makes
> sense that the permit echo-reply would be needed for the rest of the
> question, but as per the document, this doesn't appear to be the case.
>
> In the test lab, only blocking the echo per interface did the trick: icmp
> deny any echo [inside|dmz|outside]
>
> Is the permit echo-reply actually needed?
>
> Thanks,
>
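An added configuration example (not from the thread or the Proctor Guide) showing the interface-terminated ICMP policy discussed above; the interface names inside, dmz and outside are the ones used in the thread, everything else is an assumption:

```text
! Block echo (ping) aimed at the appliance's own interfaces.
! These lines only affect ICMP that terminates on the ASA/PIX itself;
! ICMP passing through the appliance is not touched by the icmp command.
icmp deny any echo inside
icmp deny any echo dmz
icmp deny any echo outside
!
! Once an icmp rule exists on an interface, ICMP to that interface that
! matches no rule is dropped. Without the next lines the replies to pings
! sourced from the ASA itself (e.g. "ping outside 192.0.2.1", address
! assumed) would be dropped when they arrive at the interface.
icmp permit any echo-reply inside
icmp permit any echo-reply dmz
icmp permit any echo-reply outside
!
! Verify what is applied, then test from the appliance and from a host.
show running-config icmp
```

A ping from an outside host to the outside interface address should now fail while a ping issued from the ASA CLI still gets its replies.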
