how to allow ICMP on Specific hosts

Hi,

PIX Version 6.3(4)

Present config: ICMP is allowed on all inside hosts, through

"access-list acl_out permit icmp any any"
"access-group acl_out in interface outside"

I want to allow ICMP only on specific hosts on the inside; the remaining ones I want to restrict.

Any ideas anyone?

Thanks.

3 REPLIES

Re: how to allow ICMP on Specific hosts

Do you already have an access-list on the inside interface?

If not, then use something like this:

Create an access-list that allows some hosts to use ICMP,
then deny all ICMP traffic, and then allow all the rest.

example:

access-list inside permit icmp host InsideIP-1 any
access-list inside permit icmp host InsideIP-2 any
access-list inside permit icmp host InsideIP-3 any
access-list inside deny icmp any any
access-list inside permit ip any any
access-group inside in interface inside

sincerely

Patrick


Re: how to allow ICMP on Specific hosts

Hi Patrick,

Thanks for the reply,

I created the above-mentioned access-list, but it is still the same: I am able to ping from inside hosts to the outside.

I want to allow only specific hosts from the inside to ping to the outside.

Here is my access-list:

PIX506E(config)# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024)
alert-interval 300
access-list Do_Not_NAT; 1 elements
access-list Do_Not_NAT line 1 permit ip any 192.168.0.114 255.255.255.254 (hitcnt=0)
access-list inside; 13 elements
access-list inside line 1 deny ip any object-group BANNED_SITES
access-list inside line 1 deny ip any host a.b.c.d (hitcnt=0)
access-list inside line 1 deny ip any host a.b.c.d (hitcnt=0)
access-list inside line 1 deny ip any host a.b.c.d (hitcnt=0)
access-list inside line 1 deny ip any host a.b.c.d (hitcnt=0)
access-list inside line 1 deny ip any host a.b.c.d (hitcnt=0)
access-list inside line 1 deny ip any host a.b.c.d (hitcnt=0)
access-list inside line 1 deny ip any host a.b.c.d (hitcnt=0)
access-list inside line 1 deny ip any host a.b.c.d (hitcnt=0)
access-list inside line 1 deny ip any host a.b.c.d (hitcnt=0)
access-list inside line 2 permit ip any any (hitcnt=91)
access-list inside line 3 permit icmp host 192.168.0.6 any (hitcnt=0)
access-list inside line 4 deny icmp any any (hitcnt=0)
access-list acl_out; 1 elements
access-list acl_out line 1 permit icmp any any (hitcnt=1)

Thanks


Re: how to allow ICMP on Specific hosts

Hi,

As per your config, ICMP is still allowed through line 2 (permit ip any any). You can see the hit counts as well. Please modify the config as below:

access-list Do_Not_NAT
access-list Do_Not_NAT permit ip any 192.168.0.114 255.255.255.254
access-list inside deny ip any object-group BANNED_SITES
access-list inside permit icmp host 192.168.0.6 any
access-list inside deny icmp any any
access-list inside permit ip any any
access-list acl_out permit icmp any any

Regards,

Zhuhair
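To show why the poster's order still let every inside host ping, here is a small first-match ACL evaluator, an added example that is not from this thread or from Cisco. It parses the plain `access-list <name> <permit|deny> <proto> <src> <dst>` lines quoted above (the object-group line is not handled, and addresses like 203.0.113.5 are constructed sample values) and reports which entry a packet hits.

```python
import ipaddress
from dataclasses import dataclass

# Constructed samples: the order the poster had (permit ip any any
# before the ICMP entries) beside the order Zhuhair suggested.
POSTED_ORDER = [
    "access-list inside permit ip any any",
    "access-list inside permit icmp host 192.168.0.6 any",
    "access-list inside deny icmp any any",
]
FIXED_ORDER = [
    "access-list inside permit icmp host 192.168.0.6 any",
    "access-list inside deny icmp any any",
    "access-list inside permit ip any any",
]


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK'; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX access-lists take a normal subnet mask here, not a wildcard mask.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """access-list <name> <permit|deny> <proto> <src> <dst> -> Ace."""
    t = line.split()
    action, proto = t[2], t[3]
    src, i = _parse_addr(t, 4)
    dst, _ = _parse_addr(t, i)
    return Ace(action, proto, src, dst)


def evaluate(acl_lines, proto, src, dst):
    """First match wins, as on the PIX; implicit deny when nothing matches.
    Returns (action, 1-based entry number or None)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, line in enumerate(acl_lines, 1):
        ace = parse_ace(line)
        # 'ip' covers every protocol, which is why 'permit ip any any' catches ICMP.
        if ace.proto in ("ip", proto) and s in ace.src and d in ace.dst:
            return ace.action, n
    return "deny", None
```

With the posted order, a ping from any inside host hits entry 1 (permit ip any any) and the ICMP entries are never reached; with the fixed order, only 192.168.0.6 is permitted and other hosts' ICMP is stopped at entry 2 while their non-ICMP traffic still passes.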
