10-11-2007 05:39 AM - edited 03-11-2019 04:24 AM
I've added these 2 lines, but am still able to ping. What am I missing? Do I need a no nat statement also?
access-list outside deny icmp any any
access-group outside in interface outside
10-11-2007 06:09 AM
That syntax would be correct if you are instantiating a ping from the outside of your firewall to a host (dictated by a static or NAT statement) and your security-level is set appropriately (0 for outside).
So if you had a static (inside,outside) 64.133.24.72 10.33.1.33 and traffic was originating from the internet and being NAT'd on your outside interface, your deny statement should work.
If you're trying to ping the firewall, that can go through a different set of rules depending on your PIX version.
10-11-2007 06:13 AM
I am trying to block all icmp traffic to the outside interface of my firewall. What commands would accomplish this? I take it just adding the deny any any isn't correct?
10-11-2007 06:26 AM
What is your version of PIX/ASA and code rev? Reason I ask is that some older versions of PIX had an "icmp" command that you needed to configure to disallow communication to the PIX.
10-11-2007 06:36 AM
PIX 520 Version 6.3(5)
10-11-2007 06:30 AM
Hi
try adding this to your config
icmp deny any outside
HTH
Jon
10-11-2007 06:38 AM
So would I add that into the outside acl, to replace the any any command?
access-list outside icmp deny any outside?
10-11-2007 06:40 AM
Hi
No, this is a separate command from the access-lists you apply.
Just enter it from config mode. It will stop the outside interface of your pix from responding to ping.
Jon
10-11-2007 06:42 AM
Okay, I'll give that a shot. So to clarify then, I just add that in config mode, then do I need the ACL or the access-group?
10-11-2007 06:46 AM
Yes in config mode.
As the previous poster has said, that command controls pings to the firewall interfaces. If you want to control pings through the firewall, you need to use ACLs.
Jon
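The two halves of the PIX policy the thread separates (ACL plus access-group for traffic through the box; the icmp command for traffic to the box's own interfaces), put together in one PIX 6.3-style fragment. This is an added example, not config from the thread or from Cisco. It assumes the outside interface is named "outside" at security-level 0 and that the ACL is named "outside" as in the original question; the two permit lines for unreachable and time-exceeded are an added caveat so that path MTU discovery and traceroute keep working once the catch-all denies are in place.

```cisco
! Added example; not from the thread. Assumes PIX 6.3 syntax, an interface
! named "outside" and an ACL named "outside".

! 1. Traffic THROUGH the PIX: access-list defines it, access-group applies it.
!    Entries are matched top-down and anything not permitted is dropped, so
!    the ICMP types that hosts behind the PIX rely on come before the deny,
!    and permits for any published services must stay in this same list.
access-list outside permit icmp any any unreachable
access-list outside permit icmp any any time-exceeded
access-list outside deny icmp any any
! (permit lines for statics/published services go here)
access-group outside in interface outside

! 2. Traffic TO the PIX's own outside interface: the icmp command, entered in
!    config mode, not in the ACL. Once any icmp rule exists, ICMP that is not
!    explicitly permitted is denied, so the permits sit above the deny.
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp deny any outside
```

After applying it, `show access-list outside` shows a hit count per ACL line, which is the quickest way to confirm that an external ping aimed at a host behind the PIX is landing on the deny entry rather than on the implicit deny at the end of the list.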
10-12-2007 04:22 AM
Jon, I have an additional question for you. Do you know how to block icmp at the outside interface of a border router, but allow icmp traffic to pass through it at the same time?
10-12-2007 10:21 AM
Hi
Not entirely sure I fully understand what you mean. You can block certain types of ICMP and still allow other types of ICMP with a router ACL, e.g.
access-list 101 deny icmp any any echo
access-list 101 permit ip any any
This access-list applied inbound on the outside interface of your border router would block echo requests and then allow all other traffic including all other icmp types.
Does this answer your question?
Jon
10-12-2007 10:47 AM
That makes sense. I wanted to allow some ICMP to pass through the router, but block ICMP to the actual outside interface's IP. I was able to take care of this today.
Thanks for all the help.
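A router ACL that does what the follow-up above describes, written as an added example (not the asker's actual config, which the thread does not show): echo requests aimed at the border router's own outside address are dropped and logged, while ICMP and everything else transiting the router is untouched. The interface name Serial0/0 and the address 192.0.2.1 are placeholders; the ordering matters because IOS extended ACLs are evaluated top-down, exactly as in the two-line ACL earlier in the thread.

```cisco
! Added example; not from the thread. Placeholders: outside interface
! Serial0/0 with address 192.0.2.1. The specific deny must sit above the
! general permit, since the first matching entry wins.
access-list 101 deny   icmp any host 192.0.2.1 echo log
access-list 101 permit ip any any
!
interface Serial0/0
 ip access-group 101 in
```

`show access-lists 101` shows a per-line match counter, so a test ping at the interface address from outside should increment the deny line while pings to hosts behind the router continue to pass on the permit line. The `log` keyword sends each match to the router's logging buffer, which is useful while verifying the rule; drop it on an interface that sees constant scanning, since ACL logging is rate-limited and costs CPU.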
10-11-2007 06:40 AM
I think 6.3(5) is a little too high for the icmp command.
The access-list outside command is for traffic traversing the PIX, not the PIX interfaces themselves. That's where the ICMP command mentioned earlier comes in. 2 separate commands in 2 different parts of the config.
Worth a shot, otherwise your command sequence should work.
10-11-2007 06:44 AM
Apologies,
access-list for the actual definition of traffic
access-group to apply to interface
icmp to block pings to firewall interfaces.