Below is the commands I have that allow hosts behind firewall to ping and tracert but dissallow icmp to any hosts that have static mappings from the outside. That part works, however you are still able to ping the outside interface from the outside world just fine. What do I need to add/change to stop this from happening?
access-list acl_inbound permit icmp any any echo-reply
access-list acl_inbound permit icmp any any time-exceeded
access-list acl_inbound permit icmp any any timestamp-request
access-list acl_inbound permit icmp any any timestamp-reply
access-list acl_inbound permit icmp any any information-request
access-list acl_inbound permit icmp any any information-reply
ACLs do not affect traffic destined to or from the Pix as a host. To prevent this from happening, use the [icmp] command to disable or tune your Pix's ICMP behavior. This is done per-interface.
icmp deny any outside
If you do VPNs, I would not disallow all ICMP. Fragmentation is inherent in IPSec tunnels and hosts will attempt to perform MTU path discovery. Allowing "unreachables" will allow this to work. Or configure all servers behind the VPN with lower MTUs so that fragmentation does not cause performance issues.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...