I need to block icmp on the outside interface of my firewall

ttrevino1 (Level 1)

I've added these 2 lines, but am still able to ping. What am I missing? Do I need a no nat statement also?

access-list outside deny icmp any any

access-group outside in interface outside

20 Replies

nathancielieska (Level 1)

That syntax would be correct if you are initiating a ping from the outside of your firewall to a host (dictated by a static or NAT statement) and your security level is set appropriately (0 for outside).

So if you had a static (inside,outside) 64.133.24.72 10.33.1.33 and traffic was originating from the Internet and being NATed on your outside interface, your deny statement should work.

If you're trying to ping the firewall itself, that can use a different set of rules depending on your PIX version.

I am trying to block all icmp traffic to the outside interface of my firewall. What commands would accomplish this? I take it just adding the deny any any isn't correct?

What is your version of PIX/ASA and code rev? The reason I ask is that some older versions of the PIX had an "icmp" command that you needed to configure to disallow communication to the PIX.

PIX 520 Version 6.3(5)

Hi (accepted solution)

try adding this to your config

icmp deny any outside

HTH

Jon

So would I add that into the outside acl, to replace the any any command?

access-list outside icmp deny any outside?

Hi

No, this is a separate command from the access-lists you apply.

Just enter it from config mode. It will stop the outside interface of your PIX from responding to ping.

Jon

Okay, I'll give that a shot. So to clarify then, I just add that in config mode, then do I need the ACL or the access-group?

Yes in config mode.

As the previous poster has said, that command controls pings to the firewall interfaces. If you want to control pings through the firewall you need to use ACLs.

Jon

Jon, I have an additional question for you. Do you know how to block icmp at the outside interface of a border router, but allow icmp traffic to pass through it at the same time?

Hi

Not entirely sure I fully understand what you mean. You can block certain types of ICMP and still allow other types of ICMP with a router ACL, e.g.

access-list 101 deny icmp any any echo

access-list 101 permit ip any any

This access-list, applied inbound on the outside interface of your border router, would block echo requests and then allow all other traffic, including all other ICMP types.

Does this answer your question ?

Jon

That makes sense. I wanted to allow some ICMP to pass through the router, but block ICMP to the actual outside interface's IP. I was able to take care of this today.

Thanks for all the help.

I think 6.3(5) is a little too high for the icmp command.

The access-list outside command is for traffic traversing the PIX, not the PIX interfaces themselves. That's where the ICMP command mentioned earlier comes in. Two separate commands in two different parts of the config.

Worth a shot, otherwise your command sequence should work.

Apologies,

access-list for the actual definition of traffic

access-group to apply to interface

icmp to block pings to firewall interfaces.
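The thread keeps coming back to one distinction: the `icmp` command governs ICMP aimed at the firewall's own interface address, while access-list plus access-group governs ICMP passing through the box. The following is an added example, not code from the thread or from Cisco: a small Python audit that parses the keyword forms used above (the `icmp` command, `access-list` entries, `access-group ... in interface ...`) and answers both questions for a given interface. The three sample configs are constructed for illustration (the original poster's two lines, the same plus the accepted `icmp deny any outside`, and Jon's border-router ACL 101); the interface name `outside`, the ACL names and the first-match-then-implicit-deny evaluation are assumptions modelled on how PIX 6.x documents these commands, and the parser covers only the syntax shown in the thread, not the full PIX/IOS grammar.

```python
"""Added example: audit the two separate ICMP controls on a PIX 6.x style config.
  icmp {permit|deny} <addr> [type] <if_name>   -> ICMP TO the firewall interface
  access-list + access-group ... in interface  -> ICMP THROUGH the firewall
Assumptions: constructed sample configs, interface/ACL names, and PIX 6.x
first-match semantics with an implicit deny once any rule exists."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed: the original poster's two lines, no icmp command.
ORIGINAL_POST_CONFIG = """\
access-list outside deny icmp any any
access-group outside in interface outside
"""
# Constructed: the accepted answer added, plus a permit so other traffic passes.
FIXED_PIX_CONFIG = """\
icmp deny any outside
access-list outside deny icmp any any
access-list outside permit ip any any
access-group outside in interface outside
"""
# Constructed: Jon's border-router ACL (echo requests blocked, rest allowed).
ROUTER_ACL_CONFIG = """\
access-list 101 deny icmp any any echo
access-list 101 permit ip any any
"""


@dataclass
class Rule:
    action: str               # "permit" or "deny"
    proto: str                # "ip", "icmp", ...
    src_any: bool             # source given as the keyword "any"
    dst_any: bool             # destination "any" (always True for the icmp command)
    icmp_type: Optional[str]  # e.g. "echo"; None matches every ICMP type


@dataclass
class Config:
    icmp_rules: Dict[str, List[Rule]] = field(default_factory=dict)  # iface -> rules
    acls: Dict[str, List[Rule]] = field(default_factory=dict)        # name -> entries
    access_groups: Dict[str, str] = field(default_factory=dict)      # iface -> inbound ACL


def _take_addr(t: List[str], i: int):
    """Consume one address spec (any | host A | A MASK); return (is_any, next index)."""
    if t[i] == "any":
        return True, i + 1
    return False, i + 2


def parse_config(text: str) -> Config:
    cfg = Config()
    for line in text.splitlines():
        t = line.split()
        if len(t) >= 4 and t[0] == "icmp" and t[1] in ("permit", "deny"):
            src_any, i = _take_addr(t, 2)
            icmp_type = t[i] if i < len(t) - 1 else None   # last token is if_name
            cfg.icmp_rules.setdefault(t[-1], []).append(
                Rule(t[1], "icmp", src_any, True, icmp_type))
        elif len(t) >= 6 and t[0] == "access-list" and t[2] in ("permit", "deny"):
            name, action, proto = t[1], t[2], t[3]
            src_any, i = _take_addr(t, 4)
            dst_any, i = _take_addr(t, i)
            icmp_type = t[i] if proto == "icmp" and i < len(t) else None
            cfg.acls.setdefault(name, []).append(
                Rule(action, proto, src_any, dst_any, icmp_type))
        elif len(t) == 5 and t[0] == "access-group" and t[2:4] == ["in", "interface"]:
            cfg.access_groups[t[4]] = t[1]
    return cfg


def acl_decision(rules: List[Rule], icmp_type: str = "echo") -> str:
    """First-match decision for ICMP of `icmp_type` from an arbitrary source to an
    arbitrary destination. Host-specific entries are skipped (they cannot match
    every source); nothing matching means the implicit deny."""
    for r in rules:
        if not (r.src_any and r.dst_any) or r.proto not in ("ip", "icmp"):
            continue
        if r.icmp_type is not None and r.icmp_type != icmp_type:
            continue
        return r.action
    return "deny"


def icmp_to_interface(cfg: Config, iface: str, icmp_type: str = "echo") -> str:
    """Will the firewall answer ICMP aimed at its own `iface` address?
    No icmp rules for that interface -> default permit (assumed PIX 6.x behaviour)."""
    rules = cfg.icmp_rules.get(iface)
    return "permit" if not rules else acl_decision(rules, icmp_type)


def icmp_through_interface(cfg: Config, iface: str, icmp_type: str = "echo") -> Optional[str]:
    """Is ICMP arriving inbound on `iface` forwarded through the firewall?
    Returns None when no ACL is bound inbound on that interface."""
    name = cfg.access_groups.get(iface)
    if name is None or name not in cfg.acls:
        return None
    return acl_decision(cfg.acls[name], icmp_type)


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_POST_CONFIG), ("fixed", FIXED_PIX_CONFIG)):
        c = parse_config(text)
        print(label, "to-interface:", icmp_to_interface(c, "outside"),
              "through:", icmp_through_interface(c, "outside"))
    acl = parse_config(ROUTER_ACL_CONFIG).acls["101"]
    print("router 101 echo:", acl_decision(acl, "echo"),
          "echo-reply:", acl_decision(acl, "echo-reply"))
```

Run against the original poster's two lines, the audit reports "through: deny" but "to-interface: permit", which is exactly the symptom in the question: the ACL bound with access-group never sees traffic addressed to the PIX itself, so the outside interface keeps answering ping until an `icmp deny any outside` exists. For the router ACL the same first-match logic shows echo denied and echo-reply permitted, matching Jon's description.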
