Got it. The permit any echo-reply is to cater for you pinging from the PIX/ASA itself.
Thanks,

On Jan 26, 2008 6:16 PM, Tomi Spiegel <[EMAIL PROTECTED]> wrote:
> The solutions in the Proctor Guide for questions 2.4 and 3.4 of Section 18
> are not clear to me, could you please clarify?
>
> The main point I'm trying to understand is why the permit any
> echo-reply is needed. The question asks to block ping to the PIX/ASA
> interfaces and allow ICMP to the inside (Q2.4) and to block ping to its
> interfaces from outside and dmz, but to allow icmp ping to pass through the
> ASA (Q3.4).
>
> From the Cisco.com documentation (link below), the icmp command is for "ICMP
> traffic that terminates at a security appliance interface", so if the
> objective is to block pings to the interface, why is the permit echo-reply
> needed?
>
> Link:
> http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/i1_72.html#wp1631466
>
> If this command also blocked other ICMP traversing the PIX, then it makes
> sense that the permit echo-reply would be needed for the rest of the
> question, but as per the document, this doesn't appear to be the case.
>
> In the test lab, only blocking the echo per interface did the trick: icmp
> deny any echo [inside|dmz|outside]
>
> Is the permit echo-reply actually needed?
>
> Thanks,
>
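As an added illustration (not from the thread or the Proctor Guide), here is the per-interface ICMP control list the exchange is about, assuming the three interfaces are named inside, dmz and outside:

```cisco
! Added example; interface names inside, dmz and outside are assumed.
! The icmp command only governs ICMP that terminates on an ASA interface.
! ICMP transiting the ASA is controlled by the interface access-lists
! (and inspect icmp), not by these lines.
!
! Once any icmp entry exists for an interface, that interface's list is
! evaluated first-match and ends with an implicit deny. Denying echo alone
! would therefore also drop the echo-reply that returns to the interface
! when a ping is sourced from the ASA itself, so echo-reply is permitted
! explicitly. Other ICMP types addressed to the interface (unreachable,
! time-exceeded) still hit the implicit deny; add entries if they are needed.
icmp deny any echo inside
icmp permit any echo-reply inside
!
icmp deny any echo dmz
icmp permit any echo-reply dmz
!
icmp deny any echo outside
icmp permit any echo-reply outside
!
! Verify with: show running-config icmp
! then ping a host behind each interface from the ASA CLI, and ping each
! interface address from a host; only the latter should fail.
```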
