Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5120
Views
5
Helpful
20
Replies

I need to block icmp on the outside interface of my firewall

Go to solution
ttrevino1
Level 1
Level 1

‎10-11-2007 05:39 AM - edited ‎03-11-2019 04:24 AM

I've added these 2 lines, but am still able to ping. What am I missing? Do I need a no nat statement also?

access-list outside deny icmp any any

access-group outside in interface outside

Labels:
0 Helpful
20 Replies 20

Go to solution
ttrevino1
Level 1
Level 1
In response to nathancielieska

‎10-11-2007 06:58 AM

Add the icmp deny any outside did the trick! Thanks for the help. I am going to need to replace some old conduit statements, so I'll leave the access-group statement in, and remove the icmp deny statement.

0 Helpful

Go to solution
ttrevino1
Level 1
Level 1
In response to ttrevino1

‎10-11-2007 07:28 AM

One last question, there are some icmp rules I need to add to/from for specific IP addresses. Would I add these in the outside ACL, since the "icmp deny any outside" is only blocking icmp to the outside interface?

0 Helpful

Go to solution
nathancielieska
Level 1
Level 1
In response to ttrevino1

‎10-11-2007 07:54 AM

yes, again.. traffic through the the firewall (to/from) ip addresses needs to be in the acl.. traffic to a firewall interface with ICMP command

so,

access-list out deny icmp any host 67.33.47.47 on the outside interface would block pings to 67.33.47.47

Go to solution
ttrevino1
Level 1
Level 1
In response to nathancielieska

‎10-11-2007 08:13 AM

Thanks for the clarification, that helps!

0 Helpful

Go to solution
sundar.palaniappan
Level 10
Level 10
In response to ttrevino1

‎10-11-2007 07:55 AM

Yes you need to add those entries (ACE) to the outside ACL to deny/permit traffic that has pass through the outside interface. 'icmp' command applies only to the ICMP traffic that's destined to the PIX interface itself.

HTH

Sundar

0 Helpful

Go to solution
JORGE RODRIGUEZ
Level 10
Level 10
In response to sundar.palaniappan

‎10-12-2007 06:06 AM

I would like to know in what scenarios would one want to have oustide interface wide opened for icmps, it seems pix500s or ASAs default config outside interface are to be pingable from any as default, I could think is as such because of directly connected routers to oustide interface runnint routing protocols requiering icmp to discover neighbors, or initial installation of firewall whereby one would want to have outside interface wide opened for icmp for troubleshooting, but would like to hear some comments.

Jorge Rodriguez
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card