Allow Traceroutes Out to internet, no Pings/traces in. On Both PIX and 2610

Discussion in 'Cisco' started by Scott Townsend, Oct 7, 2004.

  1. We were getting hit with the Viruses that used PING to see if anybody
    was home so I removed all ability to Ping/Traceroute in or out of our
    network at both the Edge Router and the Firewall.

    It is now getting to be a pain to not be able to ping/traceroute to
    some hosts on the internet.

    I'd like to set it up so I can Ping or traceroute from behind the Edge
    router and the PIX from specific subnets, but not let anyone
    ping/traceroute to us.

    What is the best way to set this up on both the PIX and the 2610 (IOS
    12.3(6a))


    Thanks,
    Scott<-
    Scott Townsend, Oct 7, 2004
    #1

  2. Ben (Guest)

    Too easy, just allow echo requests out and echo replies in but not vice
    versa.
    You can specify the ICMP message type in an access-list.

    "Scott Townsend" <> wrote in message
    news:...
    > We were getting hit with the Viruses that used PING to see if anybody
    > was home so I removed all ability to Ping/Traceroute in or out of our
    > network at both the Edge Router and the Firewall.
    >
    > It is now getting to be a pain to not be able to ping/traceroute to
    > some hosts on the internet.
    >
    > I'd like to set it up so I can Ping or traceroute from behind the Edge
    > router and the PIX from specific subnets, but not let anyone
    > ping/traceroute to us.
    >
    > What is the best way to set this up on both the PIX and the 2610 (IOS
    > 12.3(6a))
    >
    >
    > Thanks,
    > Scott<-
    Ben, Oct 8, 2004
    #2

  3. Rod Dorman (Guest)

    In article <>,
    Scott Townsend <> wrote:
    > ...
    >I'd like to set it up so I can Ping or traceroute from behind the Edge
    >router and the PIX from specific subnets, but not let anyone
    >ping/traceroute to us.


    Keep in mind that if everyone adopted this philosophy it would
    effectively remove ping and traceroute as useful diagnostic tools.

    --
    -- Rod --
    rodd(at)polylogics(dot)com
    Rod Dorman, Oct 8, 2004
    #3
  4. Javier Henderson

    (Rod Dorman) writes:

    >
    > In article <>,
    > Scott Townsend <> wrote:
    > > ...
    > >I'd like to set it up so I can Ping or traceroute from behind the Edge
    > >router and the PIX from specific subnets, but not let anyone
    > >ping/traceroute to us.

    >
    > Keep in mind that if everyone adopted this philosophy it would
    > effectively remove ping and traceroute as useful diagnostic tools.


    Also, ruthless blocking of ICMP messages breaks PMTUD, which is
    a Bad Thing.

    -jav
    Javier Henderson, Oct 8, 2004
    #4
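Putting Ben's suggestion (filter on ICMP message type, echo out and echo-reply in) together with Javier's warning about PMTUD, the configuration below is an added worked example and is not from any of the posters. It assumes a 2610 edge router running a 12.3 IOS with named extended ACLs, a PIX running 6.x syntax (no ICMP inspection, so replies must be permitted explicitly), an uplink interface Serial0/0 and LAN interface Ethernet0/0 on the router, the documentation range 192.0.2.0/24 as the public address block the PIX NATs to, and 10.0.5.0/24 as the inside subnet that is allowed to ping and traceroute; all of those names and addresses are placeholders for the real ones.

```cisco
! ===== 2610 edge router (IOS 12.3) =====
! Outbound toward the Internet: only the NOC range may originate
! echo requests or UDP traceroute probes; other inside hosts may not.
ip access-list extended ICMP-OUT
 remark -- placeholder range: the public block the PIX translates to
 permit icmp 192.0.2.0 0.0.0.255 any echo
 permit udp 192.0.2.0 0.0.0.255 any range 33434 33534
 deny   icmp any any echo
 permit ip any any
!
! Inbound from the Internet: nobody may ping or trace us, but the
! answers to our own probes and the ICMP errors PMTUD relies on
! (type 3 code 4, "packet-too-big") must still reach the inside.
ip access-list extended ICMP-IN
 remark -- echo-reply for our pings, time-exceeded/port-unreachable for traceroute
 permit icmp any 192.0.2.0 0.0.0.255 echo-reply
 permit icmp any 192.0.2.0 0.0.0.255 time-exceeded
 permit icmp any 192.0.2.0 0.0.0.255 port-unreachable
 remark -- packet-too-big to every inside host, or TCP PMTUD breaks
 permit icmp any 192.0.2.0 0.0.0.255 packet-too-big
 remark -- no inbound ping/trace of any kind
 deny   icmp any any echo
 deny   icmp any any
 remark -- assumption: the PIX behind this router does the rest of the filtering
 permit ip any 192.0.2.0 0.0.0.255
!
interface Serial0/0
 description Internet uplink (placeholder name)
 ip access-group ICMP-IN in
 ip access-group ICMP-OUT out
!
! ===== PIX (6.x syntax) =====
! Do not let anyone ping the PIX's own outside interface.
icmp deny any echo outside
!
! Outbound from the inside subnet: same rule as on the router,
! expressed with PIX normal masks and the real (pre-NAT) addresses.
access-list inside_in permit icmp 10.0.5.0 255.255.255.0 any echo
access-list inside_in permit udp 10.0.5.0 255.255.255.0 any range 33434 33534
access-list inside_in deny icmp any any echo
access-list inside_in permit ip any any
access-group inside_in in interface inside
!
! Inbound on the outside: PIX 6.x does not track ICMP state, so the
! replies and errors must be permitted explicitly. Destinations are
! the translated (global) addresses. PIX has no packet-too-big
! keyword, so "unreachable" (all of type 3) is used instead.
access-list outside_in permit icmp any 192.0.2.0 255.255.255.0 echo-reply
access-list outside_in permit icmp any 192.0.2.0 255.255.255.0 time-exceeded
access-list outside_in permit icmp any 192.0.2.0 255.255.255.0 unreachable
access-list outside_in deny icmp any any
! ... existing permits for the services the PIX publishes go here ...
access-group outside_in in interface outside
```

Two points worth checking before deploying something like this. First, Windows tracert uses ICMP echo, so permitting echo out covers it, but Unix traceroute sends UDP to ports 33434 and up and depends on time-exceeded and port-unreachable coming back; leaving those out is why "I can ping but not traceroute" complaints appear. Second, these filters are stateless: an echo-reply is accepted whether or not an inside host sent the matching request, which is the trade-off of doing this with plain ACLs rather than ICMP inspection, and it is also the reason the packet-too-big permit must cover every inside host rather than just the NOC subnet.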
