Allow Traceroutes Out to internet, no Pings/traces in. On Both PIX and 2610

We were getting hit with the Viruses that used PING to see if anybody
was home so I removed all ability to Ping/Traceroute in or our of our
network at both the Edge Router and the Firewall.

It is now getting to be a pain to not beable to ping/traceroute to
some hosts on the internet.

I'd like to set it up so I can Ping or traceroute from behind the Edge
router and the PIX from specific subnets, but not let anyone
ping/traceroute to us.

What is the best way to set this up on both the PIX and the 2610 (IOS
12.3(6a))


Thanks,
Scott<-

 

Too easy, just allow echo requests out and echo replies in but not visa
versa.
You can specify the ICMP message type in an access-list.

"Scott Townsend" <> wrote in message
news:...
> We were getting hit with the Viruses that used PING to see if anybody
> was home so I removed all ability to Ping/Traceroute in or our of our
> network at both the Edge Router and the Firewall.
>
> It is now getting to be a pain to not beable to ping/traceroute to
> some hosts on the internet.
>
> I'd like to set it up so I can Ping or traceroute from behind the Edge
> router and the PIX from specific subnets, but not let anyone
> ping/traceroute to us.
>
> What is the best way to set this up on both the PIX and the 2610 (IOS
> 12.3(6a))
>
>
> Thanks,
> Scott<-

 

In article <>,
Scott Townsend <> wrote:
> ...
>I'd like to set it up so I can Ping or traceroute from behind the Edge
>router and the PIX from specific subnets, but not let anyone
>ping/traceroute to us.

Keep in mind that if everyone adopted this philosophy it would
effectively remove ping and traceroute as usefull diagnostic tools.

--
-- Rod --
rodd(at)polylogics(dot)com

 

(Rod Dorman) writes:

>
> In article <>,
> Scott Townsend <> wrote:
> > ...
> >I'd like to set it up so I can Ping or traceroute from behind the Edge
> >router and the PIX from specific subnets, but not let anyone
> >ping/traceroute to us.
>
> Keep in mind that if everyone adopted this philosophy it would
> effectively remove ping and traceroute as usefull diagnostic tools.

Also, ruthless blocking of ICMP messages breaks PMTUD, which is
a Bad Thing.

-jav