Cisco Support Community

New Member

Allowing Outbound Ping Only

Is there any way in the PIX to prevent PINGing of the outside interface? I'd still like my internal users to be able to PING things on the Net, but I don't want outside users to be able to PING the outside interface or any internal users.

Thanks

Dave

3 REPLIES
Silver

Re: Allowing Outbound Ping Only

In order to allow ping at all on current code you have to have a conduit to permit it. Ping conduits have options available. >conduit permit icmp any any< should only be used during deployment and then removed. I often configure >conduit permit icmp any any echo-reply< which only allows icmp replies back in. This prevents the world from pinging your hosts. If you want to hide the outside nic from the world, put an acl on your outside router blocking icmp to that address or renumber that segment to an rfc1918 address scheme with static route statements routing traffic. Does anyone have any other ideas?
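An added example, not part of the reply above: a simplified Python model of type-based ICMP filtering that compares the two conduit lines quoted in the reply against constructed inbound packets. It goes slightly beyond ping by also showing two other ICMP types; the function names, type table and sample packets are assumptions made for illustration, not PIX code.

```python
# Added illustration: a simplified model of stateless ICMP filtering by type.
# It is not PIX code; matching here looks only at the ICMP type number.

# ICMP type keywords modelled here (keyword -> ICMP type number).
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "echo": 8, "time-exceeded": 11}

def parse_conduit(line):
    """Turn 'conduit permit icmp any any [icmp-type]' into a set of permitted types."""
    words = line.split()
    if words[:5] != ["conduit", "permit", "icmp", "any", "any"]:
        raise ValueError("only 'conduit permit icmp any any [type]' is modelled")
    if len(words) == 5:
        return set(ICMP_TYPES.values())  # no type keyword: every modelled type matches
    if len(words) == 6 and words[5] in ICMP_TYPES:
        return {ICMP_TYPES[words[5]]}
    raise ValueError("unknown ICMP type keyword")

def inbound_allowed(conduits, icmp_type):
    """Inbound ICMP passes only if some conduit permits its type (default deny)."""
    return any(icmp_type in parse_conduit(c) for c in conduits)

# Constructed inbound packets arriving on the outside interface.
SAMPLE_INBOUND = [
    ("reply to an inside user's ping", 0),
    ("outside host pinging an inside host", 8),
    ("TTL-expired answer to an inside traceroute", 11),
    ("destination unreachable for an inside user's flow", 3),
]

def evaluate(conduits):
    """Return {description: allowed?} for every constructed sample packet."""
    return {desc: inbound_allowed(conduits, t) for desc, t in SAMPLE_INBOUND}

if __name__ == "__main__":
    for cfg in (["conduit permit icmp any any"],
                ["conduit permit icmp any any echo-reply"]):
        print(cfg[0])
        for desc, ok in evaluate(cfg).items():
            print(f"  {'PASS' if ok else 'DROP'}  {desc}")
```

In this model the echo-reply rule matches on type alone, so an echo-reply that answers no outbound request passes as well, and the time-exceeded and unreachable messages are dropped along with inbound echo.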

New Member

Re: Allowing Outbound Ping Only

I think you are on the right track with an ACL in a router. One that would be very easy to configure would be a reflexive access list (IP Session filtering).

BTW, if you use a global PAT only, you shouldn't have to worry about hosts being pinged.

New Member

Re: Allowing Outbound Ping Only

I normally use an abstraction network between my pix and internet gateway with private addressing. This makes the outside interface of the pix invisible to the outside world but gives you full functionality.
