ICMP: the minimum to ping the internet, but without the PIX getting pinged

Discussion in 'Cisco' started by Alexandre Durbuy, Jun 8, 2005.

  1. Hi guys,

    I am dealing with a PIX 515 at the moment with VPN.

    The network behind the inside interface is 192.168.10.0/27. Going to the
    internet, the hosts are NATed to the external interface.

    The access-list for internet traffic is

    access-list internet_out; 5 elements
    access-list internet_out line 1 permit udp any any eq domain (hitcnt=458)
    access-list internet_out line 2 permit tcp any any eq www (hitcnt=2237)
    access-list internet_out line 3 permit tcp any any eq https (hitcnt=81)
    access-list internet_out line 4 permit tcp any any eq ftp (hitcnt=0)
    access-list internet_out line 5 permit icmp any any (hitcnt=365)

    I've also got this access-list

    access-list ANY_ICMP; 1 elements
    access-list ANY_ICMP line 1 permit icmp any any (hitcnt=69)

    and the access-group is

    access-group ANY_ICMP in interface external

    It works, but the firewall can be pinged from the outside Internet. I do not
    like it.

    What are the commands to type so that only the inside hosts can ping hosts
    on the internet, and the PIX cannot be pinged on its external
    interface?

    Thank you very much,

    Alexandre
     
    Alexandre Durbuy, Jun 8, 2005
    #1

  2. "Alexandre Durbuy" wrote:

    > I've also got this access-list
    >
    > access-list ANY_ICMP; 1 elements
    > access-list ANY_ICMP line 1 permit icmp any any (hitcnt=69)
    >
    > and the access-group is
    >
    > access-group ANY_ICMP in interface external
    >
    > It works, but the firewall can be pinged from the outside Internet.
    > I do not like it.


    Access-lists apply only to traffic going through the PIX.
    If you want to allow or deny ICMP traffic terminating on
    an interface, then you need the icmp command:

    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#wp1026574
     
    Jyri Korhonen, Jun 8, 2005
    #2

  3. Alexandre Durbuy wrote:
    > Hi guys,
    >
    > I am dealing with a PIX 515 at the moment with VPN.
    >
    > The network behind the inside interface is 192.168.10.0/27. Going to the
    > internet, the hosts are NATed to the external interface.
    >
    > The access-list for internet traffic is
    >
    > access-list internet_out; 5 elements
    > access-list internet_out line 1 permit udp any any eq domain (hitcnt=458)
    > access-list internet_out line 2 permit tcp any any eq www (hitcnt=2237)
    > access-list internet_out line 3 permit tcp any any eq https (hitcnt=81)
    > access-list internet_out line 4 permit tcp any any eq ftp (hitcnt=0)
    > access-list internet_out line 5 permit icmp any any (hitcnt=365)
    >
    > I've also got this access-list
    >
    > access-list ANY_ICMP; 1 elements
    > access-list ANY_ICMP line 1 permit icmp any any (hitcnt=69)
    >
    > and the access-group is
    >
    > access-group ANY_ICMP in interface external
    >
    > It works, but the firewall can be pinged from the outside Internet. I do not
    > like it.
    >
    > What are the commands to type so that only the inside hosts can ping hosts
    > on the internet, and the PIX cannot be pinged on its external
    > interface?
    >
    > Thank you very much,
    >
    > Alexandre
    >
    >


    icmp deny any outside

    Greetings, Gerd
     
    Gerd EMail, Jun 8, 2005
    #3
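Putting the two answers together, here is an added configuration example that is not part of the thread and not anyone's posted config. It assumes the PIX interface is named external, as in the OP's "access-group ANY_ICMP in interface external" (Gerd's reply uses "outside", the PIX default name; the icmp command must name the interface as it is actually configured). The "before" lines are the OP's own entries; the "after" lines are a constructed tightening: to-the-box ICMP is governed by the icmp command, while the through-traffic ACL on the external interface is narrowed to the ICMP types that inside-initiated pings, traceroute and path MTU discovery actually need.

```text
! Added example, not from the thread. Interface name "external" is taken
! from the OP's access-group line; everything else is a constructed tightening.

! --- Before (OP's config): nothing restricts ICMP addressed to the PIX itself
! --- (PIX default with no icmp commands), and every ICMP type is admitted
! --- inbound as through-traffic.
access-list ANY_ICMP permit icmp any any
access-group ANY_ICMP in interface external

! --- After, step 1: drop ICMP that terminates on the external interface.
! --- This is what stops the PIX answering pings from the Internet; the
! --- access-list never sees this traffic.
icmp deny any external

! --- After, step 2: replace the catch-all through-traffic entry with only the
! --- replies and error messages that inside-initiated traffic depends on.
no access-list ANY_ICMP permit icmp any any
access-list ANY_ICMP permit icmp any any echo-reply
access-list ANY_ICMP permit icmp any any unreachable
access-list ANY_ICMP permit icmp any any time-exceeded
access-group ANY_ICMP in interface external

! --- After, step 3 (optional): the outbound ACL only needs echo requests,
! --- not every ICMP type, for inside hosts to ping the Internet.
no access-list internet_out permit icmp any any
access-list internet_out permit icmp any any echo

! --- Verify: the icmp entries and the hit counters on the narrowed ACL.
show icmp
show access-list ANY_ICMP
```

Two checks after applying this. First, ping a public host from an inside client and confirm the echo-reply hit counter on ANY_ICMP increments while a ping from outside to the external address times out; since the inside hosts are translated to the external interface address, the replies are addressed to that IP, so this test confirms the icmp deny did not also break translated ICMP on your software version. Second, if the PIX is running 6.3 and ICMP inspection (fixup protocol icmp) is enabled, the inbound echo-reply entry becomes redundant because return traffic is matched statefully; without that fixup, the inbound ACL entries above are what let replies back in.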
