icmp question on the pix

Hi..

I don't want anyone, on the outside, to be able to ping my outside interface of my pix 515. So, I issued the following commands...

icmp deny any echo-reply outside

icmp permit any unreachable outside

The problem I have now is that my inside hosts can't ping to the outside world.

Any thoughts on what I may need to do to allow this, at the same time don't allow anyone on the internet to ping my outside interface??

Thanks.


Re: icmp question on the pix

The "icmp" command only applies to ICMP traffic destined to the PIX, not to ICMP traffic through the PIX.

Also, you may want to change your deny statement to read:

icmp deny any echo outside

For traffic through the PIX, try turning on "debug icmp trace" and then ping from a host on the inside to something on the Internet. On the PIX you should see the echo-request go out and the echo-reply come back in.

Sincerely,

David.
