I have been trying to figure this out for an hour or two now and can't.
In any documentation I found, it states that Cisco PIX does not reply to ping on the outside interface, and to enable it, an ACL must be created and attached to the outside interface.
The problem is that I don't have any ACL and can ping from the router to the outside interface of the PIX. When I add an ACL with deny icmp any any and deny ip any any, it still works and the ACL counters do not increase.
The config is default; I tried that on a PIX 501 and 506E. What can allow ping on the outside interface?
ip address outside 10.1.3.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-list 10 deny icmp any any log
access-group 10 in interface outside
Cisco documentation DOES provide this information. ACLs are for traffic through the firewall, not to the firewall.
The command you need is "icmp deny any outside" (if outside interface's name is 'outside', otherwise, you should use that name). Here's the document:
This would be the same for SSH or telnet. If you want to allow SSH access to the firewall, an ACL won't have any effect. You need to use the "ssh" command.
Btw, ICMP is permitted to the outside interface by default.
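
The behaviour described in the answer can be checked against a saved config. The following is an added example, not part of the original thread and not Cisco code: it ignores access-list/access-group lines (they filter traffic through the PIX) and evaluates only `icmp permit|deny` lines for traffic to the interface itself, first match wins, with an implicit deny once any `icmp` line exists for that interface. The function names and the source address 10.1.3.1 used in testing are assumptions made for illustration.

```python
import ipaddress

# The config as posted in the question (it contains no "icmp" lines).
POSTED_CONFIG = """\
ip address outside 10.1.3.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-list 10 deny icmp any any log
access-group 10 in interface outside
"""

def parse_icmp_rules(config, ifname):
    """Return [(action, network, icmp_type or None)] from 'icmp ...' lines for ifname."""
    rules = []
    for line in config.splitlines():
        tok = line.split()
        # access-list / access-group lines never match: they do not start with "icmp".
        if len(tok) < 4 or tok[0] != "icmp" or tok[1] not in ("permit", "deny") or tok[-1] != ifname:
            continue
        src = tok[2:-1]
        if src[0] == "any":
            net, rest = ipaddress.ip_network("0.0.0.0/0"), src[1:]
        elif src[0] == "host":
            net, rest = ipaddress.ip_network(src[1] + "/32"), src[2:]
        else:  # address followed by netmask
            net, rest = ipaddress.ip_network(f"{src[0]}/{src[1]}", strict=False), src[2:]
        rules.append((tok[1], net, rest[0] if rest else None))
    return rules

def icmp_to_box_allowed(config, ifname, src_ip, icmp_type="echo"):
    """True if the PIX interface itself would accept this ICMP type from src_ip."""
    rules = parse_icmp_rules(config, ifname)
    if not rules:
        return True  # no icmp list configured: ICMP to the interface is permitted
    for action, net, rule_type in rules:
        if ipaddress.ip_address(src_ip) in net and rule_type in (None, icmp_type):
            return action == "permit"
    return False  # implicit deny once any icmp rule exists for the interface
```

Running `icmp_to_box_allowed(POSTED_CONFIG, "outside", "10.1.3.1")` returns `True`, which matches what the poster observed; appending `icmp deny any outside` to the config makes it return `False`.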