Cisco Support Community

New Member

I need to block icmp on the outside interface of my firewall

I've added these 2 lines, but am still able to ping. What am I missing? Do I need a no nat statement also?

access-list outside deny icmp any any

access-group outside in interface outside

1 ACCEPTED SOLUTION

Hall of Fame Super Blue

Re: I need to block icmp on the outside interface of my firewall

Hi

try adding this to your config

icmp deny any outside

HTH

Jon

20 REPLIES
New Member

Re: I need to block icmp on the outside interface of my firewall

That syntax would be correct if you are instantiating a ping from the outside of your firewall to a host (dictated by a static or NAT statement) and your security-level is set appropriately (0 for outside).

So if you had static (inside,outside) 64.133.24.72 10.33.1.33 and traffic was originating from the internet and being NAT'd on your outside interface, your deny statement should work.

If you're trying to ping the firewall, that can follow a different set of rules depending on your PIX version.

New Member

Re: I need to block icmp on the outside interface of my firewall

I am trying to block all icmp traffic to the outside interface of my firewall. What commands would accomplish this? I take it just adding the deny any any isn't correct?

New Member

Re: I need to block icmp on the outside interface of my firewall

What is your version of PIX/ASA and code rev? The reason I ask is that some older versions of PIX had an "icmp" command that you needed to configure to disallow communication to the PIX.

New Member

Re: I need to block icmp on the outside interface of my firewall

PIX 520 Version 6.3(5)

New Member

Re: I need to block icmp on the outside interface of my firewall

So would I add that into the outside ACL, to replace the "any any" command?

access-list outside icmp deny any outside?

Hall of Fame Super Blue

Re: I need to block icmp on the outside interface of my firewall

Hi

No, this is a separate command from the access-lists you apply.

Just enter it from config mode. It will stop the outside interface of your pix from responding to ping.

Jon

New Member

Re: I need to block icmp on the outside interface of my firewall

Okay, I'll give that a shot. So to clarify then, I just add that in config mode, then do I need the ACL or the access-group?

Hall of Fame Super Blue

Re: I need to block icmp on the outside interface of my firewall

Yes in config mode.

As the previous poster has said, that command controls pings to the firewall interfaces. If you want to control pings through the firewall you need to use ACLs.

Jon

New Member

Re: I need to block icmp on the outside interface of my firewall

Jon, I have an additional question for you. Do you know how to block icmp at the outside interface of a border router, but allow icmp traffic to pass through it at the same time?

Hall of Fame Super Blue

Re: I need to block icmp on the outside interface of my firewall

Hi

Not entirely sure I fully understand what you mean. You can block certain types of ICMP and still allow other types of ICMP with a router ACL, e.g.

access-list 101 deny icmp any any echo

access-list 101 permit ip any any

This access-list applied inbound on the outside interface of your border router would block echo requests and then allow all other traffic including all other icmp types.

Does this answer your question ?

Jon
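As an added example that is not part of the thread: an IOS border router has no equivalent of the PIX icmp command, so a single inbound ACL sees both packets addressed to the router and packets merely passing through it, and the only way to treat the two differently is by destination address. The config below (interface name, addresses and ACL number are assumptions) drops echo requests aimed at the router's own outside address while letting other ICMP continue to the firewall behind it.

```text
! Added example, not from the original thread. Assumed: outside interface
! Serial0/0 numbered 198.51.100.1/30; everything behind it is reached
! through the PIX, which applies its own ICMP policy.
!
! IOS evaluates ACEs top-down, first match wins, and every ACL ends with an
! implicit "deny ip any any", so the final permit is required.
access-list 101 remark Drop pings aimed at the router's own outside address
access-list 101 deny   icmp any host 198.51.100.1 echo log
access-list 101 remark Transit ICMP (and everything else) continues to the PIX
access-list 101 permit icmp any any
access-list 101 permit ip any any
!
interface Serial0/0
 ip address 198.51.100.1 255.255.255.252
 ip access-group 101 in
```

The deny covers only the one address it names: echo requests arriving from outside for the router's inside interface or loopback addresses still match "permit icmp any any", so add a deny per router address (or one deny for the router's whole address block) if those must be unreachable too. Echo replies to pings the router sends out are a different ICMP type and remain permitted.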

New Member

Re: I need to block icmp on the outside interface of my firewall

That makes sense. I wanted to allow some ICMP to pass through the router, but block ICMP to the actual outside interface's IP. I was able to take care of this today.

Thanks for all the help.

New Member

Re: I need to block icmp on the outside interface of my firewall

I think 6.3(5) is a little too high for the icmp command.

The access-list outside command is for traffic traversing the PIX, not the PIX interfaces themselves. That's where the ICMP command mentioned earlier comes in. 2 separate commands in 2 different parts of the config.

Worth a shot, otherwise your command sequence should work.

New Member

Re: I need to block icmp on the outside interface of my firewall

Apologies,

access-list for the actual definition of traffic

access-group to apply to interface

icmp to block pings to firewall interfaces.

New Member

Re: I need to block icmp on the outside interface of my firewall

Adding the icmp deny any outside did the trick! Thanks for the help. I am going to need to replace some old conduit statements, so I'll leave the access-group statement in, and remove the icmp deny statement.

New Member

Re: I need to block icmp on the outside interface of my firewall

One last question, there are some icmp rules I need to add to/from for specific IP addresses. Would I add these in the outside ACL, since the "icmp deny any outside" is only blocking icmp to the outside interface?

New Member

Re: I need to block icmp on the outside interface of my firewall

Yes, again: traffic through the firewall (to/from IP addresses) needs to be in the ACL; traffic to a firewall interface is handled with the ICMP command.

so,

access-list out deny icmp any host 67.33.47.47 on the outside interface would block pings to 67.33.47.47

New Member

Re: I need to block icmp on the outside interface of my firewall

Thanks for the clarification, that helps!

Re: I need to block icmp on the outside interface of my firewall

Yes, you need to add those entries (ACEs) to the outside ACL to deny/permit traffic that has to pass through the outside interface. The 'icmp' command applies only to ICMP traffic that's destined to the PIX interface itself.

HTH

Sundar
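Putting the two mechanisms side by side, as an added example for PIX 6.3 that is not from the thread (the addresses, the monitoring host and the static NAT mapping are assumptions): the icmp lines govern ICMP addressed to the PIX's outside interface, the access-list/access-group pair governs ICMP crossing that interface, and neither affects the other, which is why the original "access-list outside deny icmp any any" left the interface pingable.

```text
! Added example for PIX 6.3, not from the original thread. Assumed:
!   outside interface 198.51.100.2, inside network 10.33.1.0/24,
!   public 198.51.100.72 statically mapped to inside host 10.33.1.33,
!   203.0.113.10 is a monitoring host that should be allowed to ping.
! Lines starting with ! are annotations, not commands.
!
! (1) ICMP addressed TO the outside interface itself: "icmp" command list.
!     Evaluated top-down, first match wins. Once any icmp line exists for an
!     interface, unmatched ICMP to that interface is dropped, so the final
!     deny is explicit for readability rather than strictly required.
icmp permit host 203.0.113.10 echo outside
icmp permit any unreachable outside
icmp deny any outside
!
! (2) ICMP passing THROUGH the outside interface: interface ACL.
!     Interface ACLs never see traffic terminating on the PIX, so the
!     "deny icmp any any" below does nothing for pings of 198.51.100.2.
!     Specific permits must precede the general deny.
static (inside,outside) 198.51.100.72 10.33.1.33 netmask 255.255.255.255
access-list outside permit icmp host 203.0.113.10 host 198.51.100.72 echo
access-list outside permit icmp any any unreachable
access-list outside permit icmp any any time-exceeded
! Only needed when "fixup protocol icmp" is not enabled, so that replies
! to pings started from the inside are allowed back in.
access-list outside permit icmp any any echo-reply
access-list outside deny icmp any any
access-list outside permit tcp any host 198.51.100.72 eq www
access-group outside in interface outside
```

To check which path a packet took, ping 198.51.100.2 and then 198.51.100.72 from an outside host and compare "show access-list outside": hits on the ACL entries appear only for the second target, while the first is decided entirely by the icmp lines. The icmp list here covers only the outside interface; the inside and any other interfaces keep their default of answering ICMP until they get their own entries.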

Re: I need to block icmp on the outside interface of my firewall

I would like to know in what scenarios one would want to have the outside interface wide open for ICMP. It seems the PIX 500s' or ASAs' default config leaves the outside interface pingable from any address by default. I could imagine it is that way because of directly connected routers on the outside interface running routing protocols that require ICMP to discover neighbors, or for the initial installation of the firewall, where one would want the outside interface wide open for ICMP for troubleshooting, but I would like to hear some comments.
