02-13-2008 03:29 PM - edited 03-11-2019 05:02 AM
Hi,
I am trying to figure it out for an hour or two now and can't.
In all the documentation I found, it states that the Cisco PIX does not reply to ping on the outside interface and that to enable it, an ACL must be created and attached to the outside interface.
The problem is that I don't have any ACL and can still ping the outside interface of the PIX from the router. When I add an ACL with deny icmp any any and deny ip any any it still works, and the ACL counters do not increase.
The config is default; I tried this on a PIX 501 and a 506E. What can allow ping on the outside interface?
ip address outside 10.1.3.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-list 10 deny icmp any any log
access-group 10 in interface outside
Thanks.
Michal
02-13-2008 07:42 PM
Hi Michal,
Cisco documentation DOES provide this information. ACLs are for traffic through the firewall not to the firewall.
The command you need is "icmp deny any outside" (if outside interface's name is 'outside', otherwise, you should use that name). Here's the document:
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/i1_72.html#wp1631466
This would be the same for SSH or telnet. If you want to allow SSH access to the firewall, an ACL won't have any effect. You need to use the "ssh" command.
Btw, ICMP is permitted to the outside interface by default.
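The distinction in this answer (an ACL bound to the interface filters transit traffic, while the icmp command controls pings addressed to the interface itself, with an implicit permit when no icmp rule matches) can be checked mechanically. The following is an added example, not code from the thread or from Cisco: it parses a constructed PIX config fragment modelled on the one posted above and reports the exact situation Michal hit. The rule syntax assumed is icmp {permit|deny} {any | host A | A MASK} [type] interface_name.

```python
import ipaddress
import re

# Constructed PIX config fragment modelled on the posted config (not a real device dump).
SAMPLE_CONFIG = """\
ip address outside 10.1.3.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-list 10 deny icmp any any log
access-group 10 in interface outside
"""


def parse_icmp_rules(config):
    """Return (action, source_network, icmp_type, interface) for every 'icmp' command line."""
    rules = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "icmp" or tok[1] not in ("permit", "deny"):
            continue
        action, iface = tok[1], tok[-1]
        if tok[2] == "any":
            net, rest = ipaddress.ip_network("0.0.0.0/0"), tok[3:-1]
        elif tok[2] == "host":
            net, rest = ipaddress.ip_network(tok[3] + "/32"), tok[4:-1]
        else:  # address followed by a dotted netmask
            net, rest = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False), tok[4:-1]
        icmp_type = rest[0] if rest else None  # None means any ICMP type
        rules.append((action, net, icmp_type, iface))
    return rules


def to_the_box_icmp_allowed(config, src_ip, icmp_type="echo", interface="outside"):
    """First-match walk of the icmp command list; no match means permit (the PIX default)."""
    for action, net, rtype, iface in parse_icmp_rules(config):
        if iface == interface and ipaddress.ip_address(src_ip) in net and rtype in (None, icmp_type):
            return action == "permit"
    return True


def acl_denies_icmp_on(config, interface="outside"):
    """True if an ACL bound inbound on the interface has a 'deny icmp' entry (transit traffic only)."""
    bound = set(re.findall(rf"^access-group (\S+) in interface {re.escape(interface)}$", config, re.M))
    pattern = re.compile(r"^access-list (\S+) deny icmp ")
    return any(m and m.group(1) in bound for m in map(pattern.match, config.splitlines()))


def audit(config, src_ip="10.1.3.1", interface="outside"):
    """Flag the thread's confusion: the ACL denies ICMP, yet pings to the interface still succeed."""
    acl = acl_denies_icmp_on(config, interface)
    allowed = to_the_box_icmp_allowed(config, src_ip, "echo", interface)
    return {"acl_denies_icmp": acl, "ping_to_interface_allowed": allowed, "misconfigured": acl and allowed}
```

Appending the answer's "icmp deny any outside" line to the sample config flips ping_to_interface_allowed to False; a preceding "icmp permit host ... echo outside" keeps one management host able to ping.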
02-13-2008 03:47 PM
Michal, the access-list is for transit traffic, not for traffic destined to the interface.
Add this: icmp deny any outside
See if it works.
02-14-2008 12:09 AM
Hi,
Thanks for clearing this up. It works now.
Michal