ICMP: the minimum to ping the Internet but not have the PIX pinged

Discussion in 'Cisco' started by Alexandre Durbuy, Jun 8, 2005.

  1. Hi guys,

    I am dealing with a PIX 515 at the moment with VPN.

    The network behind the inside interface is 192.168.10.0/27. Going to the
    Internet, the hosts are NATed to the external interface.

    The access-list for internet traffic is

    access-list internet_out; 5 elements
    access-list internet_out line 1 permit udp any any eq domain (hitcnt=458)
    access-list internet_out line 2 permit tcp any any eq www (hitcnt=2237)
    access-list internet_out line 3 permit tcp any any eq https (hitcnt=81)
    access-list internet_out line 4 permit tcp any any eq ftp (hitcnt=0)
    access-list internet_out line 5 permit icmp any any (hitcnt=365)

    I also have this access-list

    access-list ANY_ICMP; 1 elements
    access-list ANY_ICMP line 1 permit icmp any any (hitcnt=69)

    and the access-group is

    access-group ANY_ICMP in interface external

    It works, but the firewall can be pinged from the outside Internet. I do not
    like it.

    What are the commands to type so that only the inside hosts can ping hosts
    on the Internet and the PIX cannot be pinged on its external
    interface?

    Thank you very much,

    Alexandre
     
    Alexandre Durbuy, Jun 8, 2005
    #1

  2. Access-lists apply only to traffic going through the PIX.
    If you want to allow or deny ICMP traffic terminating on
    an interface, then you need the icmp command:

    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#wp1026574
     
    Jyri Korhonen, Jun 8, 2005
    #2

  3. icmp deny any outside

    Greetings Gerd
     
    Gerd EMail, Jun 8, 2005
    #3
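Putting the two replies together and tightening the lists from the question, here is an added example configuration; it is not from the original thread. It assumes PIX 6.3 command syntax, the names used in the question (interfaces inside and external, network 192.168.10.0/27, access-lists internet_out and ANY_ICMP; the reply above uses the default interface name outside, which does not exist in this setup), and that internet_out is applied inbound on the inside interface, which the question does not show.

```cisco
! Added example (editor's, not from the thread). Assumes PIX 6.3 syntax and the
! names used in the question: interfaces "inside" and "external", network
! 192.168.10.0/27, access-lists internet_out and ANY_ICMP.
!
! 1. Through-the-box, outbound: let only the inside hosts send echo requests.
!    This replaces the question's "permit icmp any any" entry in internet_out.
!    (The access-group line is assumed; the question does not show it.)
no access-list internet_out permit icmp any any
access-list internet_out permit icmp 192.168.10.0 255.255.255.224 any echo
access-group internet_out in interface inside
!
! 2. Through-the-box, inbound: PIX 6.3 does not track ICMP statefully, so the
!    answers to an outbound ping must be permitted explicitly on external.
!    Allow only the types a ping needs instead of "permit icmp any any".
no access-list ANY_ICMP permit icmp any any
access-list ANY_ICMP permit icmp any any echo-reply
access-list ANY_ICMP permit icmp any any time-exceeded
access-list ANY_ICMP permit icmp any any unreachable
access-group ANY_ICMP in interface external
!
! 3. To-the-box: access-lists never see ICMP addressed to the PIX's own
!    interface address, so the icmp command decides it. Once any icmp entry
!    exists for an interface, that interface uses first-match followed by an
!    implicit "deny all", so permit unreachables first (needed for path MTU
!    discovery) and then drop the rest, which includes echo requests aimed at
!    the external address. The inside interface has no icmp entries and keeps
!    the default of accepting ICMP to the box.
icmp permit any unreachable external
icmp deny any external
!
! Verify: hit counters on the two access-lists show the transit ICMP, and the
! icmp control list is shown by "show icmp". A ping of the external address
! from the Internet should now fail while pings from 192.168.10.0/27 succeed.
show access-list internet_out
show access-list ANY_ICMP
show icmp
```

The split matters: step 3 alone would stop the PIX answering pings but leave the inbound "permit icmp any any" open to every ICMP type destined for NATed hosts, and steps 1 and 2 alone would never affect packets addressed to the firewall itself, because those are not transit traffic.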
