Ping outside

Answered Question
Feb 13th, 2008

Hi,

I am trying to figure it out for an hour or two now and can't.

In any documentation I found, it states that Cisco PIX does not reply to ping on the outside interface and that to enable it, an ACL must be created and attached to the outside interface.

Problem is that I don't have any ACL and can ping from the router the outside interface of the PIX. When I am adding ACL deny icmp any any and deny ip any any it still works and ACL counters do not increase.

Config is default, I tried that on PIX 501 and 506E. What can allow ping on the outside interface?


ip address outside 10.1.3.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-list 10 deny icmp any any log
access-group 10 in interface outside


Thanks.

Michal

abinjola Wed, 02/13/2008 - 15:47
User Badges: Cisco Employee

Michal..access-list is for transit traffic not for traffic destined on interface...


add this...icmp deny any outside


see if it works

Correct Answer
jojuarez Wed, 02/13/2008 - 19:42

Hi Michal,


Cisco documentation DOES provide this information. ACLs are for traffic through the firewall not to the firewall.


The command you need is "icmp deny any outside" (if outside interface's name is 'outside', otherwise, you should use that name). Here's the document:

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/i1_72.html#wp1631466


This would be the same for SSH or telnet. If you want to allow SSH access to the firewall, an ACL won't have any effect. You need to use the "ssh" command.


Btw, icmp is permitted to the outside interface by default.
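The distinction both answers make, shown as a PIX configuration fragment. This is an added example, not configuration from the thread or from Cisco's documentation; it assumes the outside interface is named "outside", and the address 10.1.3.1 for the upstream router on the poster's 10.1.3.0/24 segment is a constructed value. Like the icmp command itself, the ICMP control list is evaluated top down with first match winning, and once any icmp entry exists on an interface, anything not matched is dropped.

```text
! What the poster tried. An interface ACL governs transit traffic only, so
! the outside interface keeps answering pings no matter what this rule says,
! and its hit counters never increment for to-the-box traffic.
access-list 10 deny icmp any any log
access-group 10 in interface outside

! What actually governs ICMP addressed to the firewall's own interface.
! Permit the one host that legitimately checks reachability (10.1.3.1 is an
! assumed, constructed address), then deny everything else explicitly.
icmp permit host 10.1.3.1 echo outside
icmp permit any unreachable outside
icmp deny any outside

! Same principle for management access: the ssh command, not an ACL, decides
! which sources may open an SSH session to the firewall (here: the inside LAN).
ssh 192.168.1.0 255.255.255.0 inside
```

The "icmp permit any unreachable outside" line is the caveat a practitioner usually wants: blanket-denying ICMP to the interface also drops unreachable messages that path MTU discovery relies on, so allowing that one type while denying echo from everyone except the monitoring host keeps the firewall quiet to the outside world without breaking fragmentation handling.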
