
Cisco ASA Series User Manual

Cisco ASA Series CLI Configuration Guide
Chapter 1 Troubleshooting Connections and Resources
Testing Your Configuration
Step 4 (Optional, for low security interfaces)
    Command: access-list ICMPACL extended permit icmp any any
    Purpose: Adds an access list to allow ICMP traffic from any source host.

Step 5
    Command: access-group ICMPACL in interface outside
    Purpose: Assigns the access list to the outside interface. Replace “outside” with your interface name if it is different. Repeat the command for each interface that you want to allow ICMP traffic from high to low.

    Note: After you apply this ACL to an interface that is not the lowest security interface, only ICMP traffic is allowed; the implicit permit from high to low is removed. For example, to allow a DMZ interface (level 50) to ping the inside interface (level 100), you need to apply this ACL. However, now traffic from DMZ to outside (level 0) is limited to ICMP traffic only, as opposed to all traffic that the implicit permit allowed before. After testing ping, be sure to remove this ACL from your interfaces, especially interfaces to which you want to restore the implicit permit (no access-list ICMPACL).

Disabling the Test Configuration

After you complete your testing, disable the test configuration that allows ICMP to and through the ASA and that prints debugging messages. If you leave this configuration in place, it can pose a serious security risk. Debugging messages also slow ASA performance.

To disable the test configuration, perform the following steps:

Step 1
    Command: no debug icmp trace
    Purpose: Disables ICMP debugging messages.

Step 2
    Command: no logging on
    Purpose: Disables logging.

Step 3
    Command: no access-list ICMPACL
    Purpose: Removes the ICMPACL access list, and deletes the related access-group commands.

Step 4
    Command:
        policy-map global_policy
        class inspection_default
        no inspect icmp
    Purpose: (Optional) Disables the ICMP inspection engine.
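To confirm that the disabling steps above were actually carried out, the following added example (not part of the Cisco guide) scans a saved running configuration for leftovers of the ICMP test setup. The function name and the sample configuration are constructed for illustration, and the script assumes that enabled logging appears in the configuration as `logging enable` or `logging on`.

```python
# Constructed sample of a saved running configuration (not from the manual).
SAMPLE_CONFIG = """\
logging enable
logging monitor debugging
access-list ICMPACL extended permit icmp any any
access-list WEB extended permit tcp any host 192.0.2.10 eq www
access-group ICMPACL in interface outside
access-group ICMPACL in interface dmz
policy-map global_policy
 class inspection_default
  inspect dns
  inspect icmp
"""


def find_test_leftovers(config, acl_name="ICMPACL"):
    """Return (line_no, kind, text) for each leftover of the ICMP test setup."""
    findings = []
    policy = klass = None  # policy-map / class the current line sits under
    for no, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():  # a top-level command ends any sub-mode
            policy = klass = None
        words = line.split()
        if words[0] == "policy-map" and len(words) > 1:
            policy, klass = words[1], None
        elif words[0] == "class" and policy and len(words) > 1:
            klass = words[1]
        elif words[:2] == ["access-list", acl_name]:
            findings.append((no, "acl", line))          # Step 3 not done
        elif words[:2] == ["access-group", acl_name]:
            findings.append((no, "acl-binding", line))  # Step 3 not done
        elif line in ("logging enable", "logging on"):
            # Step 2; review, since logging may be enabled on purpose
            findings.append((no, "logging", line))
        elif (words == ["inspect", "icmp"] and policy == "global_policy"
              and klass == "inspection_default"):
            # Optional Step 4; ICMP inspection may be intentional
            findings.append((no, "icmp-inspection", line))
    return findings


if __name__ == "__main__":
    for no, kind, text in find_test_leftovers(SAMPLE_CONFIG):
        print(f"line {no}: [{kind}] {text}")
```

The debug state from Step 1 is not stored in the configuration, so it is not covered here; check it on the device with `show debug`.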
