I've added these 2 lines, but am still able to ping. What am I missing? Do I need a no nat statement also?
access-list outside deny icmp any any
access-group outside in interface outside
That syntax would be correct if you are instantiating a ping from the outside of your firewall to a host (dictated by a static or NAT statement) and your security-level is set appropriately (0 for outside).
So if you had a static (inside,outside) 188.8.131.52 10.33.1.33 and traffic was originating from the internet and being NAT'd on your outside interface, your deny statement should work.
If you're trying to ping the firewall itself, that can follow a different set of rules depending on your PIX version.
I am trying to block all icmp traffic to the outside interface of my firewall. What commands would accomplish this? I take it just adding the deny any any isn't correct?
What is your version of PIX/ASA and code rev? The reason I ask is that some older versions of PIX had an "icmp" command that you needed to configure to disallow communication to the PIX.
So would I add that into the outside acl, to replace the any any command?
access-list outside icmp deny any outside?
No, this is a separate command from the access-lists you apply.
Just enter it from config mode. It will stop the outside interface of your PIX from responding to ping.
Okay, I'll give that a shot. So to clarify then, I just add that in config mode, then do I need the ACL or the access-group?
Yes, in config mode.
As the previous poster has said, that command controls pings to the firewall interfaces. If you want to control pings through the firewall you need to use ACLs.
Jon, I have an additional question for you. Do you know how to block icmp at the outside interface of a border router, but allow icmp traffic to pass through it at the same time?
Not entirely sure I fully understand what you mean. You can block certain types of ICMP and still allow other types of ICMP with a router ACL, e.g.
access-list 101 deny icmp any any echo
access-list 101 permit ip any any
This access-list applied inbound on the outside interface of your border router would block echo requests and then allow all other traffic including all other icmp types.
Does this answer your question?
That makes sense. I wanted to allow some icmp to pass through the router, but block icmp to the actual outside interfaces IP. I was able to take care of this today.
Thanks for all the help.
I think 6.3(5) is a little too high for the icmp command.
The access-list outside command is for traffic traversing the PIX, not the PIX interfaces themselves. That's where the icmp command mentioned earlier comes in. Two separate commands in two different parts of the config.
Worth a shot, otherwise your command sequence should work.
access-list for the actual definition of traffic
access-group to apply to interface
icmp to block pings to firewall interfaces.
Adding the icmp deny any outside did the trick! Thanks for the help. I am going to need to replace some old conduit statements, so I'll leave the access-group statement in, and remove the icmp deny statement.
One last question, there are some icmp rules I need to add to/from for specific IP addresses. Would I add these in the outside ACL, since the "icmp deny any outside" is only blocking icmp to the outside interface?
Yes, again: traffic through the firewall (to/from IP addresses) needs to be in the ACL; traffic to a firewall interface is handled with the icmp command.
access-list out deny icmp any host 184.108.40.206 on the outside interface would block pings to 220.127.116.11
Yes, you need to add those entries (ACEs) to the outside ACL to deny/permit traffic that passes through the outside interface. The 'icmp' command applies only to the ICMP traffic that's destined to the PIX interface itself.
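As an added example (not from any poster in this thread), here is a small Python model of the distinction the replies above draw: the access-list/access-group pair governs ICMP passing through the firewall, while the icmp command governs ICMP aimed at the interface itself. The parser, the address forms it accepts and the constructed configs are my assumptions, not PIX code.

```python
# Added example (not from the thread): a small model of the two PIX/ASA controls
# discussed above, so a constructed config can be checked offline. Assumptions:
# only "any"/"host A.B.C.D" addresses, one inbound access-group per interface,
# no "icmp" lines on an interface means it answers, and lists end in implicit deny.

def parse(config):
    icmp_rules, aces, groups = {}, {}, {}
    for line in filter(None, config.splitlines()):
        t = [tok for tok in line.split() if tok != "extended"]
        if t[0] == "icmp":           # icmp permit|deny any|host X [type] IFACE
            icmp_rules.setdefault(t[-1], []).append((t[1], t[2:-1]))
        elif t[0] == "access-list":  # access-list NAME permit|deny PROTO SRC DST [type]
            aces.setdefault(t[1], []).append(t[2:])
        elif t[0] == "access-group": # access-group NAME in interface IFACE
            groups[t[-1]] = t[1]
    return icmp_rules, aces, groups

def _addr(tokens):                   # split a leading 'any' or 'host A.B.C.D' off
    n = 2 if tokens[:1] == ["host"] else 1
    return tokens[:n], tokens[n:]

def _matches(addr, ip):
    return addr == ["any"] or addr == ["host", ip]

def ping_to_interface_allowed(config, src_ip, iface):
    # Echo request from src_ip aimed at the firewall's own IFACE address.
    rules = parse(config)[0].get(iface)
    if not rules:
        return True                  # no icmp lines: the interface answers pings
    for action, spec in rules:
        addr, icmp_type = _addr(spec)
        if _matches(addr, src_ip) and icmp_type in ([], ["echo"]):
            return action == "permit"
    return False                     # implicit deny at the end of the icmp list

def ping_through_allowed(config, src_ip, dst_ip, iface):
    # Echo request from src_ip to a host behind the firewall, entering IFACE.
    _, aces, groups = parse(config)
    for ace in aces.get(groups.get(iface), []):
        if ace[1] not in ("icmp", "ip"):
            continue
        src, rest = _addr(ace[2:])
        dst, icmp_type = _addr(rest)
        if _matches(src, src_ip) and _matches(dst, dst_ip) and icmp_type in ([], ["echo"]):
            return ace[0] == "permit"
    return False                     # no access-group, or implicit deny at end of ACL

# Constructed configs: the poster's first attempt, the thread's fix, and per-host ACEs.
ACL_ONLY = "access-list outside deny icmp any any\naccess-group outside in interface outside\n"
WITH_ICMP_CMD = ACL_ONLY + "icmp deny any outside\n"
PER_HOST = ("access-list outside permit icmp host 203.0.113.10 host 10.33.1.33 echo\n"
            + ACL_ONLY)
```

With ACL_ONLY the outside interface still answers pings while pings through it are dropped; adding the icmp line changes only the first result, and PER_HOST shows how specific through-traffic entries are placed ahead of the final deny.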
I would like to know in what scenarios one would want to have the outside interface wide open for ICMP. It seems the PIX 500s' or ASAs' default config leaves the outside interface pingable from any source by default. I could think it is that way because of directly connected routers on the outside interface running routing protocols requiring ICMP to discover neighbors, or because of the initial installation of the firewall, where one would want to have the outside interface wide open for ICMP for troubleshooting, but I would like to hear some comments.