Allow Traceroutes Out to internet, no Pings/traces in. On Both PIX and 2610

 
 
Scott Townsend
      10-07-2004
We were getting hit with the Viruses that used PING to see if anybody
was home so I removed all ability to Ping/Traceroute in or out of our
network at both the Edge Router and the Firewall.

It is now getting to be a pain to not be able to ping/traceroute to
some hosts on the internet.

I'd like to set it up so I can Ping or traceroute from behind the Edge
router and the PIX from specific subnets, but not let anyone
ping/traceroute to us.

What is the best way to set this up on both the PIX and the 2610 (IOS
12.3(6a))


Thanks,
Scott<-
Ben
      10-08-2004
Too easy, just allow echo requests out and echo replies in but not vice
versa.
You can specify the ICMP message type in an access-list.

"Scott Townsend" <> wrote in message
news: m...
> We were getting hit with the Viruses that used PING to see if anybody
> was home so I removed all ability to Ping/Traceroute in or out of our
> network at both the Edge Router and the Firewall.
>
> It is now getting to be a pain to not be able to ping/traceroute to
> some hosts on the internet.
>
> I'd like to set it up so I can Ping or traceroute from behind the Edge
> router and the PIX from specific subnets, but not let anyone
> ping/traceroute to us.
>
> What is the best way to set this up on both the PIX and the 2610 (IOS
> 12.3(6a))
>
>
> Thanks,
> Scott<-

Rod Dorman
      10-08-2004
In article <> ,
Scott Townsend <> wrote:
> ...
>I'd like to set it up so I can Ping or traceroute from behind the Edge
>router and the PIX from specific subnets, but not let anyone
>ping/traceroute to us.


Keep in mind that if everyone adopted this philosophy it would
effectively remove ping and traceroute as useful diagnostic tools.

--
-- Rod --
rodd(at)polylogics(dot)com
 
Javier Henderson
      10-08-2004
(Rod Dorman) writes:

>
> In article <> ,
> Scott Townsend <> wrote:
> > ...
> >I'd like to set it up so I can Ping or traceroute from behind the Edge
> >router and the PIX from specific subnets, but not let anyone
> >ping/traceroute to us.

>
> Keep in mind that if everyone adopted this philosophy it would
> effectively remove ping and traceroute as useful diagnostic tools.


Also, ruthless blocking of ICMP messages breaks PMTUD, which is
a Bad Thing.

-jav
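Ben's rule (echo out, echo-reply in, never the reverse) and Javier's PMTUD caveat combined into a small Python model of the ICMP filter, added here as an example and not configuration from any poster. It assumes a constructed inside subnet 192.168.10.0/24 as the only source allowed to ping/traceroute out; the ICMP types used correspond to the `echo`, `echo-reply`, `time-exceeded` and `unreachable` keywords accepted in IOS and PIX access-lists, and the rule list uses first-match with an implicit deny, as those ACLs do.

```python
from ipaddress import ip_address, ip_network

# ICMP type/code numbers from RFC 792 / RFC 1191.
ECHO_REPLY, UNREACHABLE, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
FRAG_NEEDED = 4  # type 3 code 4, "fragmentation needed and DF set": PMTUD

# Inside subnets allowed to originate ping/traceroute (constructed value).
PING_SOURCES = ["192.168.10.0/24"]

# First-match permit list with an implicit deny at the end, like a Cisco ACL.
# Tuple: (direction, source network or None for any, ICMP type, code or None for any)
PERMIT_RULES = [
    ("out", net, ECHO_REQUEST, None) for net in PING_SOURCES
] + [
    ("out", None, UNREACHABLE, FRAG_NEEDED),  # our side may report MTU problems (PMTUD)
    ("in", None, ECHO_REPLY, None),           # answers to our own pings
    ("in", None, TIME_EXCEEDED, None),        # per-hop answers to our traceroutes
    ("in", None, UNREACHABLE, None),          # end of a traceroute, and PMTUD frag-needed
]

def permitted(direction, src, icmp_type, code=0):
    """True if an ICMP packet from src would pass the edge in the given direction."""
    for d, net, t, c in PERMIT_RULES:
        if d != direction or t != icmp_type:
            continue
        if c is not None and c != code:
            continue
        if net is not None and ip_address(src) not in ip_network(net):
            continue
        return True
    return False  # implicit deny: inbound echo requests never match a permit

def ping_out_works(src):
    """Our echo request leaves and the remote echo reply gets back in."""
    return permitted("out", src, ECHO_REQUEST) and permitted("in", "0.0.0.0", ECHO_REPLY)

def traceroute_out_works(src):
    """ICMP-style traceroute: echo out, time-exceeded and unreachable back in."""
    return (permitted("out", src, ECHO_REQUEST)
            and permitted("in", "0.0.0.0", TIME_EXCEEDED)
            and permitted("in", "0.0.0.0", UNREACHABLE))
```

Unix traceroute sends UDP probes rather than echo requests; those leave under the normal outbound UDP policy, and only their ICMP answers (time-exceeded, port-unreachable) are covered by the model above.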