Cisco Systems and the ASA Services Module Network Router User Manual


 
24-6
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 24 Troubleshooting Connections and Resources
Testing Your Configuration
Disabling the Test Configuration
After you complete your testing, disable the test configuration that allows ICMP to and through the ASA
and that prints debugging messages. If you leave this configuration in place, it can pose a serious security
risk. Debugging messages also slow ASA performance.
To disable the test configuration, perform the following steps:
Step 4
(Optional, for low security interfaces)
access-list ICMPACL extended permit icmp
any any
Adds an ACL to allow ICMP traffic from any source host.
Step 5
access-group ICMPACL in interface outside
Assigns the ACL to the outside interface. Replace “outside” with
your interface name if it is different. Repeat the command for
each interface that you want to allow ICMP traffic from high to
low.
Note After you apply this ACL to an interface that is not the
lowest security interface, only ICMP traffic is allowed;
the implicit permit from high to low is removed. For
example, to allow a DMZ interface (level 50) to ping the
inside interface (level 100), you need to apply this ACL.
However, now traffic from DMZ to outside (level 0) is
limited to ICMP traffic only, as opposed to all traffic that
the implicit permit allowed before. After testing ping, be
sure to remove this ACL from your interfaces, especially
interfaces to which you want to restore the implicit permit
(no access-list ICMPACL).
Command Purpose
Step 1
no debug icmp trace
Disables ICMP debugging messages.
Step 2
no logging on
Disables logging.
Step 3
no access-list ICMPACL
Removes the ICMPACL ACL, and deletes the related access-group commands.
Step 4
policy-map global_policy
class inspection_default
no inspect icmp
(Optional) Disables the ICMP inspection engine.