ASA/PIX/FWSM: Handling ICMP Pings and Traceroute
Introduction
Internet Control Message Protocol (ICMP) pings and traceroute on the PIX Firewall are handled differently based on the version of PIX and ASA code.
Inbound ICMP through the PIX/ASA is denied by default. Outbound ICMP is permitted, but the incoming reply is denied by default.
Note: ASA/PIX supports ICMP redirects from version 8.2(1) and later. ICMP redirects is not supported in ASA versions prior to 8.2(1) because these versions do not support asymmetric routing.
Note: The information in the Make the Firewall Show Up in a Traceroute in ASA/PIX section of this document applies to ASA versions 8.0(3) and later. Versions prior to 8.0(3) do not support the configuration explained in this section due to the bug CSCsk76401 (registered customers only) .
