Allow Traceroutes Out to internet, no Pings/traces in. On Both PIX and 2610

Discussion in 'Cisco' started by Scott Townsend, Oct 7, 2004.

  1. Scott Townsend

    Scott Townsend Guest

    We were getting hit with the Viruses that used PING to see if anybody
    was home so I removed all ability to Ping/Traceroute in or our of our
    network at both the Edge Router and the Firewall.

    It is now getting to be a pain to not beable to ping/traceroute to
    some hosts on the internet.

    I'd like to set it up so I can Ping or traceroute from behind the Edge
    router and the PIX from specific subnets, but not let anyone
    ping/traceroute to us.

    What is the best way to set this up on both the PIX and the 2610 (IOS
    12.3(6a))


    Thanks,
    Scott<-
     
    Scott Townsend, Oct 7, 2004
    #1

    1. Advertisements

  2. Scott Townsend

    Ben Guest

    Too easy, just allow echo requests out and echo replies in but not visa
    versa.
    You can specify the ICMP message type in an access-list.
     
    Ben, Oct 8, 2004
    #2

    1. Advertisements

  3. Scott Townsend

    Rod Dorman Guest

    Keep in mind that if everyone adopted this philosophy it would
    effectively remove ping and traceroute as usefull diagnostic tools.
     
    Rod Dorman, Oct 8, 2004
    #3
  4. Scott Townsend

    Javier Henderson Guest

    Also, ruthless blocking of ICMP messages breaks PMTUD, which is
    a Bad Thing.

    -jav
     
    Javier Henderson, Oct 8, 2004
    #4

    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.
Similar Threads

  1. Says Internet Connected but No Web or EMail Access (pings ok thoug

  2. allow pings in ACL list

  3. Pings and PIX messages 302020: Built ICMP - 302021: Teardown ICMP Lots of them....

  4. PIX 501 - allow icmp out but deny everything else out

  5. ACL: Does "permit IP" allow ICMP traffic like pings?

  6. 2 computers, both online, both invisible to each other ?

  7. Worth the Effort? Internet > uBR > 2610 > PIX > DMZ and Inside Network

  8. Boot ROM chip required to upgrade both a Cisco 2610 and a Cisco 2620 router to support 32 megs+ flas

Loading...