10-11-2007 05:39 AM - edited 03-11-2019 04:24 AM
I've added these 2 lines, but am still able to ping. What am I missing? Do I need a no nat statement also?
access-list outside deny icmp any any
access-group outside in interface outside
10-11-2007 06:58 AM
Adding `icmp deny any outside` did the trick! Thanks for the help. I am going to need to replace some old conduit statements, so I'll leave the access-group statement in and remove the icmp deny statement.
10-11-2007 07:28 AM
One last question: there are some ICMP rules I need to add to/from specific IP addresses. Would I add these in the outside ACL, since the `icmp deny any outside` is only blocking ICMP to the outside interface?
10-11-2007 07:54 AM
Yes, again: traffic through the firewall (to/from IP addresses) needs to be in the ACL; traffic to a firewall interface is handled with the icmp command.
So,
`access-list out deny icmp any host 67.33.47.47` applied on the outside interface would block pings to 67.33.47.47.
10-11-2007 08:13 AM
Thanks for the clarification, that helps!
10-11-2007 07:55 AM
Yes, you need to add those entries (ACEs) to the outside ACL to deny/permit traffic that passes through the outside interface. The 'icmp' command applies only to ICMP traffic that is destined to the PIX interface itself.
HTH
Sundar
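The two control points described in the answers above, as one added configuration example (not configuration from the original posts). The addresses 203.0.113.10 (a trusted monitoring host) and 198.51.100.20 (the public address of an internal server) are assumed for illustration and come from the RFC 5737 documentation ranges; the ACL name outside_in is also assumed. The syntax is the PIX 6.3 form used in the thread, which PIX 7.x and ASA accept as well.

```cisco
! Through-the-box ICMP: decided only by the ACL bound to the outside interface.
! 203.0.113.10 and 198.51.100.20 are assumed addresses for this example.
access-list outside_in permit icmp host 203.0.113.10 host 198.51.100.20 echo
access-list outside_in permit icmp any host 198.51.100.20 unreachable
access-list outside_in permit icmp any host 198.51.100.20 time-exceeded
access-list outside_in deny icmp any any
! ACEs for the TCP/UDP services you publish go here; everything unmatched
! is dropped by the implicit deny at the end of the list.
access-group outside_in in interface outside

! To-the-box ICMP: decided only by the icmp command, evaluated top-down.
! The ACL above has no effect on packets addressed to the interface itself.
! With no icmp statements at all, the interface answers pings from anyone;
! once one statement exists, anything it does not match is denied.
icmp permit host 203.0.113.10 echo outside
icmp deny any outside
```

Two checks worth making after applying this: `show access-list outside_in` shows hit counts per ACE, so a ping from 203.0.113.10 to 198.51.100.20 should increment the first line and a ping from elsewhere the deny line; and on PIX 7.x/ASA the echo replies for through-the-box pings only come back automatically when `inspect icmp` is enabled in the global policy, otherwise the return traffic needs its own ACE on the inside ACL.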
10-12-2007 06:06 AM
I would like to know in what scenarios one would want to have the outside interface wide open for ICMP. It seems the PIX 500s' or ASA's default config leaves the outside interface pingable from anyone by default. I could think it is so because directly connected routers on the outside interface running routing protocols require ICMP to discover neighbors, or for the initial installation of the firewall, where one would want the outside interface wide open for ICMP for troubleshooting, but I would like to hear some comments.