06-20-2006 04:30 PM - edited 02-21-2020 12:59 AM
I have the below access-list applied on my "outside" interface of my PIX and I'm trying to make it so pings that originate from the "inside" work but ones that originate from the "outside" fail.
access-list outside permit icmp any any echo-reply
access-list outside permit icmp any any time-exceeded
access-list outside permit icmp any any unreachable
With a VPN Concentrator you can build a rule/filter and apply it to the tunnel that checks for the established bit to be set. Is there any way to do this with an access-list in a PIX?
I have a PIX 501 6.3(5)
06-21-2006 07:36 AM
If you add (in config mode)
icmp deny any outside
The above will disable any ping/trace route or network scans from the internet (i.e. your network will be in stealth mode). If you also add
access-list outside permit icmp any any echo-reply
access-list outside permit icmp any any time-exceeded
access-list outside permit icmp any any unreachable
access-group outside in interface outside
then this will allow icmp traffic to go outbound to the internet BUT will not allow anyone from the internet to ping/trace route or scan your network!
You can test all this out by going to http://www.grc.com and using the 'shields up' program to scan your network. Try it first without the icmp deny any outside statement and then with the statement added to your configuration.
Hope this helps
Jay
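Added example, not from the thread or from Cisco: a small Python model of how the PIX evaluates an ICMP packet arriving on the outside interface, using the exact configuration lines Jay gives. It models the two separate checks the PIX applies: the icmp command governs ICMP addressed to the firewall's own interface address (by default the PIX answers), while the access-list bound with access-group governs ICMP passing through the firewall, with an implicit deny at the end. Running it with and without the icmp deny any outside line shows why the ACL alone already blocks outside-originated pings to hosts behind the firewall but does not stop the firewall itself from answering. The interface address 203.0.113.1 and the host address 203.0.113.50 are constructed; the rule dataclasses and parse_config/decide functions are this example's own.

```python
# Added example (not from the thread or from Cisco): a model of how a PIX
# evaluates an ICMP packet that arrives on the outside interface.
# Two checks are modelled:
#   1. ICMP addressed to the firewall's own interface address is governed by
#      the 'icmp' command (with no 'icmp' rules configured, the PIX answers).
#   2. ICMP passing through the firewall is governed by the access-list bound
#      to the interface with 'access-group', with an implicit deny at the end.
from dataclasses import dataclass
from typing import Optional

# Hypothetical interface address (TEST-NET-3), not taken from the thread.
INTERFACE_IPS = {"outside": "203.0.113.1"}

# The configuration lines from Jay's answer.
CONFIG = """\
icmp deny any outside
access-list outside permit icmp any any echo-reply
access-list outside permit icmp any any time-exceeded
access-list outside permit icmp any any unreachable
access-group outside in interface outside
"""


@dataclass
class IcmpRule:
    action: str               # "permit" or "deny"
    icmp_type: Optional[str]  # None matches any ICMP type


@dataclass
class PixConfig:
    acls: dict        # acl name -> [IcmpRule]
    bound: dict       # interface -> acl name applied inbound
    iface_icmp: dict  # interface -> [IcmpRule] from the 'icmp' command


def parse_config(text: str) -> PixConfig:
    cfg = PixConfig({}, {}, {})
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "access-list" and parts[3] == "icmp":
            # access-list NAME {permit|deny} icmp any any [TYPE]
            icmp_type = parts[6] if len(parts) > 6 else None
            cfg.acls.setdefault(parts[1], []).append(IcmpRule(parts[2], icmp_type))
        elif parts[0] == "access-group":
            # access-group NAME in interface IFACE
            cfg.bound[parts[4]] = parts[1]
        elif parts[0] == "icmp":
            # icmp {permit|deny} any [TYPE] IFACE
            icmp_type = parts[3] if len(parts) == 5 else None
            cfg.iface_icmp.setdefault(parts[-1], []).append(IcmpRule(parts[1], icmp_type))
    return cfg


def first_match(rules, icmp_type):
    """First-match semantics: the first rule whose type matches decides."""
    for r in rules:
        if r.icmp_type is None or r.icmp_type == icmp_type:
            return r.action
    return None


def decide(cfg: PixConfig, iface: str, dst_ip: str, icmp_type: str) -> str:
    """Return 'permit' or 'deny' for an ICMP packet arriving on iface."""
    # Check 1: traffic terminating on the firewall's own interface address.
    if dst_ip == INTERFACE_IPS.get(iface):
        verdict = first_match(cfg.iface_icmp.get(iface, []), icmp_type)
        return verdict if verdict else "permit"  # no 'icmp' rules: PIX answers
    # Check 2: traffic through the firewall, checked against the inbound ACL.
    acl_name = cfg.bound.get(iface)
    if acl_name is None:
        return "deny"  # lowest-security interface: nothing inbound without an ACL
    verdict = first_match(cfg.acls.get(acl_name, []), icmp_type)
    return verdict if verdict else "deny"  # implicit deny at the end of every ACL


if __name__ == "__main__":
    full = parse_config(CONFIG)
    acl_only = parse_config(
        "\n".join(l for l in CONFIG.splitlines() if not l.startswith("icmp ")))
    for label, cfg in (("ACL only", acl_only), ("ACL + icmp deny any outside", full)):
        print(label)
        print("  outside ping to the PIX itself:",
              decide(cfg, "outside", "203.0.113.1", "echo"))
        print("  reply to an inside-originated ping:",
              decide(cfg, "outside", "203.0.113.50", "echo-reply"))
        print("  outside-originated ping through:",
              decide(cfg, "outside", "203.0.113.50", "echo"))
```

The "echo" keyword is the PIX name for an echo request, which is why the thread's ACL (permitting only echo-reply, time-exceeded and unreachable) leaves inbound echo to the implicit deny; the difference between the two runs is only whether the firewall's own outside address answers.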
06-20-2006 08:35 PM
No, you can't create an ACL on a PIX like that, but the ACL you've created should be doing the trick. What is the issue still?
06-21-2006 04:33 AM
I want to ONLY allow pings from the "inside" to work and not pings that originated from the "outside", any way to do that?
06-21-2006 05:33 PM
Thanks to all that responded!
Jay,
You got it right with "icmp deny any outside".
Thanks so much!
Tony
06-20-2006 11:39 PM
As Glenn states, your ACL should be good to go. Have you applied it to the outside interface? i.e.
access-list outside permit icmp any any echo-reply
access-list outside permit icmp any any time-exceeded
access-list outside permit icmp any any unreachable
access-group outside in interface outside
Save with: write mem and also issue clear xlate.
Jay