New Member

Established Access-List in a PIX?

I have the below access-list applied on my "outside" interface of my PIX and I'm trying to make it so pings that originate from the "inside" work but ones that originate from the "outside" fail.

access-list outside permit icmp any any echo-reply

access-list outside permit icmp any any time-exceeded

access-list outside permit icmp any any unreachable

With a VPN Concentrator you can build a rule/filter and apply it to the tunnel that checks for the established bit to be set. Is there any way to do this with an access-list in a PIX?

I have a PIX 501 6.3(5)

1 ACCEPTED SOLUTION

Gold

Re: Established Access-List in a PIX?

If you add (in config mode)

icmp deny any outside

The above will disable any ping/trace route or network scans from the internet (i.e. your network will be in stealth mode), if you also add

access-list outside permit icmp any any echo-reply

access-list outside permit icmp any any time-exceeded

access-list outside permit icmp any any unreachable

access-group outside in interface outside

then this will allow icmp traffic to go outbound to the internet BUT will not allow anyone from the internet to ping/trace route or scan your network!

You can test all this out by going to http://www.grc.com and using the 'shields up' program to scan your network. Try it first without the icmp deny any outside statement and then with the statement added to your configuration.

Hope this helps

Jay
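As an added illustration (not part of the thread or of Cisco's code), here is a small Python model of how the commands above are evaluated for ICMP arriving on the outside interface: the icmp command governs packets addressed to the firewall's own interface address, while the access-list bound with access-group governs traffic passing through to inside hosts, with an implicit deny at the end of the ACL. The outside interface address and the inside host address are constructed for the example.

```python
# Added example, not from the thread: models PIX 6.3 handling of ICMP arriving
# on "outside" for the exact command lines posted above.
# Assumption: "icmp" rules apply only to ICMP addressed to the firewall's own
# interface; the bound ACL applies to through traffic with an implicit deny.
CONFIG = """
icmp deny any outside
access-list outside permit icmp any any echo-reply
access-list outside permit icmp any any time-exceeded
access-list outside permit icmp any any unreachable
access-group outside in interface outside
"""

OUTSIDE_IF_IP = "203.0.113.1"  # constructed: firewall's outside address


def parse_config(text):
    """Return (interface icmp rules, ACLs by name, interface -> ACL binding)."""
    icmp_rules, acls, bindings = [], {}, {}
    for line in text.strip().splitlines():
        parts = line.split()
        if parts[0] == "icmp":            # icmp {permit|deny} <src> [type] <if>
            icmp_rules.append((parts[1], parts[-1]))
        elif parts[0] == "access-list":   # access-list <name> <action> icmp any any <type>
            acls.setdefault(parts[1], []).append((parts[2], parts[-1]))
        elif parts[0] == "access-group":  # access-group <name> in interface <if>
            bindings[parts[-1]] = parts[1]
    return icmp_rules, acls, bindings


def evaluate(icmp_rules, acls, bindings, iface, dst, icmp_type):
    """Decide the fate of one ICMP packet of `icmp_type` arriving on `iface`."""
    if dst == OUTSIDE_IF_IP:
        # Addressed to the firewall itself: the icmp command decides.
        for action, rule_if in icmp_rules:
            if rule_if == iface:
                return action
        return "permit"  # with no icmp rule the interface answers ICMP
    # Through traffic: first matching ACL entry wins, otherwise implicit deny.
    for action, rule_type in acls.get(bindings.get(iface, ""), []):
        if rule_type == icmp_type:
            return action
    return "deny"


if __name__ == "__main__":
    rules = parse_config(CONFIG)
    for dst, t in [(OUTSIDE_IF_IP, "echo"), ("10.0.0.5", "echo"), ("10.0.0.5", "echo-reply")]:
        print(dst, t, "->", evaluate(*rules, "outside", dst, t))
```

Dropping the first CONFIG line reproduces the "try it first without" case: the interface then answers echo requests while through traffic is still filtered by the ACL.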

5 REPLIES
Cisco Employee

Re: Established Access-List in a PIX?

No, you can't create an ACL on a PIX like that, but the ACL you've created should be doing the trick. What is the issue still?

New Member

Re: Established Access-List in a PIX?

I want to ONLY allow pings from the "inside" to work and not pings that originated from the "outside"; any way to do that?


New Member

Re: Established Access-List in a PIX?

Thanks to all that responded!

Jay,

You got it right with "icmp deny any outside".

Thanks so much!

Tony

Gold

Re: Established Access-List in a PIX?

As Glenn states, your ACL should be good to go. Have you applied it to the outside interface? i.e.

access-list outside permit icmp any any echo-reply

access-list outside permit icmp any any time-exceeded

access-list outside permit icmp any any unreachable

access-group outside in interface outside

Save with: write mem and also issue clear xlate.

Jay
