I need to block icmp on the outside interface of my firewall

Answered Question
Oct 11th, 2007

I've added these 2 lines, but am still able to ping. What am I missing? Do I need a no nat statement also?

access-list outside deny icmp any any

access-group outside in interface outside

nathancielieska Thu, 10/11/2007 - 06:09

That syntax would be correct if you are instantiating a ping from the outside of your firewall to a host (dictated by a static or NAT statement) and your security-level is set appropriately (0 for outside).

So if you had a static (inside,outside) 64.133.24.72 10.33.1.33 and traffic was originating from the internet and being NAT'd on your outside interface, your deny statement should work.

If you're trying to ping the firewall, that can go to a different set of rules depending on your PIX version.

ttrevino1 Thu, 10/11/2007 - 06:13

I am trying to block all icmp traffic to the outside interface of my firewall. What commands would accomplish this? I take it just adding the deny any any isn't correct?

nathancielieska Thu, 10/11/2007 - 06:26

What is your version of PIX/ASA and code rev? Reason I ask is that some older versions of PIX had an "icmp" command that you needed to configure to disallow communication to the PIX.

Correct Answer
Jon Marshall Thu, 10/11/2007 - 06:30

Hi

try adding this to your config

icmp deny any outside

HTH

Jon

ttrevino1 Thu, 10/11/2007 - 06:38

So would I add that into the outside acl, to replace the any any command?

access-list outside icmp deny any outside?

Jon Marshall Thu, 10/11/2007 - 06:40

Hi

No, this is a separate command from the access-lists you apply.

Just enter it from config mode. It will stop the outside interface of your pix from responding to ping.

Jon

ttrevino1 Thu, 10/11/2007 - 06:42

Okay, I'll give that a shot. So to clarify then, I just add that in config mode, then do I need the ACL or the access-group?

Jon Marshall Thu, 10/11/2007 - 06:46

Yes in config mode.

As the previous poster has said, that command controls pings to the firewall interfaces. If you want to control pings through the firewall you need to use ACLs.

Jon

ttrevino1 Fri, 10/12/2007 - 04:22

Jon, I have an additional question for you. Do you know how to block icmp at the outside interface of a border router, but allow icmp traffic to pass through it at the same time?

Jon Marshall Fri, 10/12/2007 - 10:21

Hi

Not entirely sure I fully understand what you mean. You can block certain types of icmp and still allow other types of icmp with a router acl, e.g.

access-list 101 deny icmp any any echo

access-list 101 permit ip any any

This access-list applied inbound on the outside interface of your border router would block echo requests and then allow all other traffic including all other icmp types.

Does this answer your question?

Jon

ttrevino1 Fri, 10/12/2007 - 10:47

That makes sense. I wanted to allow some icmp to pass through the router, but block icmp to the actual outside interface's IP. I was able to take care of this today.

Thanks for all the help.

nathancielieska Thu, 10/11/2007 - 06:40

I think 6.3(5) is a little too high for the icmp command.

The access-list outside command is for traffic traversing the PIX, not the PIX interfaces themselves. That's where the ICMP command mentioned earlier comes in. 2 separate commands in 2 different parts of the config.

Worth a shot, otherwise your command sequence should work.

nathancielieska Thu, 10/11/2007 - 06:44

Apologies,

access-list for the actual definition of traffic

access-group to apply to interface

icmp to block pings to firewall interfaces.

ttrevino1 Thu, 10/11/2007 - 06:58

Adding the icmp deny any outside did the trick! Thanks for the help. I am going to need to replace some old conduit statements, so I'll leave the access-group statement in, and remove the icmp deny statement.

ttrevino1 Thu, 10/11/2007 - 07:28

One last question, there are some icmp rules I need to add to/from for specific IP addresses. Would I add these in the outside ACL, since the "icmp deny any outside" is only blocking icmp to the outside interface?

nathancielieska Thu, 10/11/2007 - 07:54

Yes, again: traffic through the firewall (to/from IP addresses) needs to be in the ACL; traffic to a firewall interface is handled with the ICMP command.

so,

access-list out deny icmp any host 67.33.47.47 on the outside interface would block pings to 67.33.47.47

sundar.palaniappan Thu, 10/11/2007 - 07:55

Yes, you need to add those entries (ACEs) to the outside ACL to deny/permit traffic that has to pass through the outside interface. The 'icmp' command applies only to the ICMP traffic that's destined to the PIX interface itself.

HTH

Sundar
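An added audit script (not from this thread, Cisco, or any poster) that encodes the distinction the answers draw: `icmp` commands in config mode govern pings to the PIX interface itself, while the ACL bound with `access-group` governs pings through it, which is why the original poster's ACL alone left the outside interface answering. The sample config, the `parse_config`/`ping_to_interface`/`ping_through` names and the 203.0.113.5 source are constructed for this example; it assumes first-match-with-implicit-deny semantics and ignores NAT and security levels.

```python
import ipaddress

# Constructed sample PIX/ASA config (not from a real device), built from the thread's commands.
SAMPLE_CONFIG = """
icmp deny any outside
access-list outside permit icmp host 64.133.24.72 host 10.33.1.33
access-list outside deny icmp any any
access-group outside in interface outside
"""

def _addr(tokens):
    # Consume one address spec ('any', 'host A' or 'A MASK'); return (network, remaining tokens).
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_config(text):
    """Collect `icmp` rules, `access-list` entries and inbound `access-group` bindings."""
    cfg = {"icmp": [], "acl": {}, "bind": {}}
    for line in text.splitlines():
        t = line.split()
        if len(t) > 3 and t[0] == "access-list" and t[2] == "extended":
            del t[2]  # ASA 7.x+ keyword, irrelevant to this audit
        if len(t) > 3 and t[0] == "icmp" and t[1] in ("permit", "deny"):
            src, rest = _addr(t[2:])  # then an optional icmp-type, then the interface
            cfg["icmp"].append((t[1], src, rest[-1]))
        elif len(t) > 5 and t[0] == "access-list" and t[2] in ("permit", "deny"):
            src, rest = _addr(t[4:])
            dst, _ = _addr(rest)
            cfg["acl"].setdefault(t[1], []).append((t[2], t[3], src, dst))
        elif len(t) > 4 and t[0] == "access-group" and t[2] == "in":
            cfg["bind"][t[4]] = t[1]
    return cfg

def ping_to_interface(cfg, iface, src_ip):
    """Echo aimed at the firewall interface itself: only `icmp` rules apply.
    None configured for that interface means it answers everyone; else first match, implicit deny."""
    ip = ipaddress.ip_address(src_ip)
    rules = [r for r in cfg["icmp"] if r[2] == iface]
    return True if not rules else next((a == "permit" for a, src, _ in rules if ip in src), False)

def ping_through(cfg, iface, src_ip, dst_ip):
    """Echo entering iface for a host beyond the firewall: only the ACL bound inbound on
    that interface applies (first match, implicit deny; no ACL bound means denied inbound)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    acl = cfg["acl"].get(cfg["bind"].get(iface), [])
    return next((a == "permit" for a, proto, src, dst in acl
                 if proto in ("icmp", "ip") and s in src and d in dst), False)
```

Run `parse_config` over a saved `show running-config` and query both functions for the same source address to see which of the two controls a given ping actually hits.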

JORGE RODRIGUEZ Fri, 10/12/2007 - 06:06

I would like to know in what scenarios one would want to have the outside interface wide open for ICMP. It seems the PIX 500s' or ASAs' default config is for the outside interface to be pingable from any by default. I could think it is as such because of directly connected routers on the outside interface running routing protocols requiring ICMP to discover neighbors, or for initial installation of the firewall, whereby one would want to have the outside interface wide open for ICMP for troubleshooting, but I would like to hear some comments.
