PIX Minimum ICMP, please read my question

Hello,

I am doing the following setup for 3 Pix 515.

The inside networks get nated to the external interface of the
firewall which has an Internet IP.

I need to:

.. Make sure the inside users can ping the outside world,
.. Make sure the external IP of the firewall can not be pinged.

How to do this?

At the moment, I use an accesss-list 10 on the external interface
allowing icmp any any ..... but it is bad!

Many thanks,

Alain

 

:I am doing the following setup for 3 Pix 515.

:. Make sure the external IP of the firewall can not be pinged.

:How to do this?

:At the moment, I use an accesss-list 10 on the external interface
:allowing icmp any any ..... but it is bad!

access-lists applied to the outside interface have no effect
on traffic *to* the PIX, only on traffic *through* the PIX. To
prevent the outside IP of the PIX from being pinged, use the
PIX 'icmp' command.

Note: to allow inside users to ping outside entities, you will
probably find that you need to set your outside access list to
permit icmp any any echo-reply