PIX - Disable Ping / ICMP replies from outside interface

Discussion in 'Cisco' started by David, Jul 21, 2005.

  1. David

    David Guest

    How do you disable ping replies to external clients on the outside
    interface while still allowing internal clients the ability to ping
    outbound and receive replies?
     
    David, Jul 21, 2005
    #1

  2. David

    Guest

    use the "icmp" command:
    icmp deny any echo outside
     
    , Jul 21, 2005
    #2

  3. David

    Anthony Guest

    I set up a quick lab to demonstrate this; please see below.

    end-user(e1/0)---(e1/0)local-as(e0/0)---(e0/0)remote-as (ISP)

    I set up an access-list to allow incoming echo-replies destined for
    the local-as subnet.

    access-list 101 permit icmp any <local-subnet> <wildcard-bits>
    echo-reply
    access-list 101 deny icmp any any
    access-list 101 permit ip any any


    See below for examples:

    #############################

    end-user#ping 121.23.134.5

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 121.23.134.5, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 40/53/92 ms
    end-user#

    #############################

    remote-as#ping 178.101.23.105

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 178.101.23.105, timeout is 2 seconds:
    ......
    Success rate is 0 percent (0/5)
    remote-as#ping 121.23.134.150

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 121.23.134.150, timeout is 2 seconds:
    ......
    Success rate is 0 percent (0/5)
    remote-as#telnet 121.23.134.150
    Trying 121.23.134.150 ... Open

    #############################

    User Access Verification

    Password:


    end-user#sh run
    Building configuration...

    Current configuration : 728 bytes
    !
    version 12.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname end-user
    !
    boot-start-marker
    boot-end-marker
    !
    !
    clock timezone PST 0
    no aaa new-model
    ip subnet-zero
    no ip routing
    !
    !
    !
    !
    !
    interface Ethernet0/0
    no ip address
    no ip route-cache
    shutdown
    !
    interface Ethernet1/0
    ip address 178.101.23.105 255.255.255.0
    no ip route-cache
    !
    interface Serial2/0
    no ip address
    no ip route-cache
    shutdown
    serial restart-delay 0
    !
    interface Serial3/0
    no ip address
    no ip route-cache
    shutdown
    serial restart-delay 0
    !
    !
    ip default-gateway 178.101.23.1
    ip classless
    no ip http server
    !
    !
    !
    !
    !
    !
    control-plane
    !
    !
    line con 0
    line aux 0
    line vty 0 4
    !
    end

    end-user#

    #############################

    local-as#sh run
    Building configuration...

    Current configuration : 883 bytes
    !
    version 12.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname local-as
    !
    boot-start-marker
    boot-end-marker
    !
    enable password cisco
    !
    clock timezone PST 0
    no aaa new-model
    ip subnet-zero
    !
    !
    !
    !
    !
    interface Ethernet0/0
    ip address 121.23.134.150 255.255.255.0
    ip access-group 101 in
    no ip unreachables
    !
    interface Ethernet1/0
    ip address 178.101.23.1 255.255.255.0
    !
    interface Serial2/0
    no ip address
    shutdown
    serial restart-delay 0
    !
    interface Serial3/0
    no ip address
    shutdown
    serial restart-delay 0
    !
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 121.23.134.5
    no ip http server
    !
    !
    !
    access-list 101 permit icmp any 178.101.23.0 0.0.0.255 echo-reply
    access-list 101 deny icmp any any
    access-list 101 permit ip any any
    !
    !
    !
    control-plane
    !
    !
    line con 0
    line aux 0
    line vty 0 4
    password cisco
    login
    !
    end

    local-as#

    #############################

    remote-as#sh run
    Building configuration...

    Current configuration : 690 bytes
    !
    version 12.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname remote-as
    !
    boot-start-marker
    boot-end-marker
    !
    enable password cisco
    !
    clock timezone PST 0
    no aaa new-model
    ip subnet-zero
    !
    !
    !
    !
    !
    interface Ethernet0/0
    ip address 121.23.134.5 255.255.255.0
    !
    interface Ethernet1/0
    no ip address
    shutdown
    !
    interface Serial2/0
    no ip address
    shutdown
    serial restart-delay 0
    !
    interface Serial3/0
    no ip address
    shutdown
    serial restart-delay 0
    !
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 121.23.134.150
    no ip http server
    !
    !
    !
    !
    !
    !
    control-plane
    !
    !
    line con 0
    line aux 0
    line vty 0 4
    password cisco
    login
    !
    end

    remote-as#

    Hope this helps
    Anthony
     
    Anthony, Jul 21, 2005
    #3
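    As an added illustration (not part of Anthony's post or of any Cisco tool), here is a small Python model of the top-down, first-match evaluation IOS applies to his access-list 101; it reproduces why the end-user's outbound ping succeeds while remote-as's pings fail and its telnet still connects. The parser, `match_addr` and `evaluate` names are my own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Access-list 101 exactly as Anthony applied it inbound on local-as Ethernet0/0.
ACL_101_LINES = [
    "access-list 101 permit icmp any 178.101.23.0 0.0.0.255 echo-reply",
    "access-list 101 deny icmp any any",
    "access-list 101 permit ip any any",
]

@dataclass
class AclEntry:
    action: str               # "permit" or "deny"
    proto: str                # "icmp", "tcp", ... or "ip", which matches every protocol
    src: str                  # "any" or "network wildcard-mask"
    dst: str
    icmp_type: Optional[str]  # e.g. "echo-reply"; None matches every ICMP type

def parse_entry(line: str) -> AclEntry:
    """Parse one 'access-list <n> <action> <proto> <src> <dst> [icmp-type]' line."""
    tok, i = line.split(), 4  # tokens 0..3: access-list, number, action, protocol

    def take_addr() -> str:
        nonlocal i
        n = 1 if tok[i] == "any" else 2  # "any" is one token, "network wildcard" is two
        i += n
        return " ".join(tok[i - n:i])

    src, dst = take_addr(), take_addr()
    return AclEntry(tok[2], tok[3], src, dst, tok[i] if i < len(tok) else None)

def match_addr(spec: str, addr: str) -> bool:
    """IOS wildcard match: a 1 bit in the wildcard mask means 'don't care'."""
    if spec == "any":
        return True
    net, wildcard = spec.split()
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(net)) & care)

def evaluate(acl, proto: str, src: str, dst: str, icmp_type: Optional[str] = None) -> str:
    """Top-down, first match wins; a packet matching no entry hits the implicit deny."""
    for e in acl:
        if (e.proto in ("ip", proto) and match_addr(e.src, src)
                and match_addr(e.dst, dst) and e.icmp_type in (None, icmp_type)):
            return e.action
    return "deny"

ACL_101 = [parse_entry(line) for line in ACL_101_LINES]
```

    The router ACL filters traffic addressed to local-as itself as well as traffic passing through it, which is why the ping to 121.23.134.150 fails too. On a PIX, the `icmp` command from post #2 only governs ICMP addressed to the firewall's own interfaces; ICMP transiting the firewall is controlled by the access-lists applied to its interfaces.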
  4. David

    Anthony Guest

    My apologies I didn't see this post was for a PIX :)
     
    Anthony, Jul 21, 2005
    #4
