Cisco Support Community

New Member

how to block ping from outside

We have a PIX 515. What's the command to block outside people from pinging the public IP?

Thanks.

7 REPLIES

Re: how to block ping from outside

Hi,

You will have to modify your inbound access-list by adding a line like this:

access-list acl_name deny icmp any any

Kind Regards,

Tom

New Member

Re: how to block ping from outside

Tom,

Thanks. I will try that coming Monday.

Happy new year!

bob

New Member

Re: how to block ping from outside

By default it should deny pings.

If you can ping it, check the access-list applied to the outside interface.

There should be a statement something like this:

access-list acl_outside per icmp any any

or

access-list acl_outside per icmp any OUTSIDE_IP_ADDR

If not, there could be a conduit statement. Removing this statement may affect other ping capabilities, but is probably wise.

New Member

Re: how to block ping from outside

Sorry, forgot to say:

If you add a deny icmp statement to the access-list, it will be placed at the end and will never be reached: if there is a permit statement earlier in the list, then a match will be found before the end statement.

Enter 'no access-list acl_outside permit icmp any any'

or match whatever the statement is that is allowing the ping - place 'no' in front.
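
The ordering problem described in the reply above, as an added example that is not part of the original thread: a Python check that walks PIX-style access-list lines in first-match order and reports any entry that an earlier entry with the opposite action already covers. The sample lines are constructed, and the parser is an assumption that handles only the plain protocol/source/destination form (entries with ports or ICMP types are rejected).

```python
import ipaddress

def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST' into a dict."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported line: {line!r}")
    src, rest = _take_addr(t[4:])
    dst, rest = _take_addr(rest)
    if rest:  # ports / ICMP types would change what the entry matches
        raise ValueError(f"qualifiers not handled: {line!r}")
    return {"acl": t[1], "action": t[2], "proto": t[3],
            "src": src, "dst": dst, "text": line}

def covers(earlier, later):
    """True if every packet matching 'later' already matches 'earlier'."""
    return (earlier["acl"] == later["acl"]
            and earlier["proto"] in ("ip", later["proto"])
            and later["src"].subnet_of(earlier["src"])
            and later["dst"].subnet_of(earlier["dst"]))

def find_shadowed(lines):
    """Return (unreachable_line, earlier_line) pairs with opposite actions."""
    aces, hits = [], []
    for line in lines:
        ace = parse_ace(line)
        first = next((e for e in aces if covers(e, ace)), None)
        if first and first["action"] != ace["action"]:
            hits.append((ace["text"], first["text"]))
        aces.append(ace)
    return hits

# Constructed sample: the deny was appended after an existing permit.
SAMPLE = [
    "access-list acl_outside permit tcp any host 192.0.2.10",
    "access-list acl_outside permit icmp any any",
    "access-list acl_outside deny icmp any any",
]

if __name__ == "__main__":
    for dead, winner in find_shadowed(SAMPLE):
        print(f"never reached: {dead}\n  matched first by: {winner}")
```
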

New Member

Re: how to block ping from outside

Thanks. Will try that and let you know.

Happy new year!

bob

New Member

Re: how to block ping from outside

We don't have any access-list acl_outside per icmp any any. We do have conduit permit icmp any any. Should we delete this line (no conduit permit icmp any any)? Thank you.

New Member

Re: how to block ping from outside

To deny icmp to the outside interface you will need to do the following:

icmp deny any outside

The access-lists and conduits will take care of the hosts that traverse through the firewall, but not the interfaces themselves. Hope this helps.
