03-10-2003 09:04 AM - edited 03-09-2019 02:26 AM
I currently have a PIX 515E with rules set up to deny ICMP:
icmp deny any outside
icmp deny any dmz1
Though I still see hits in the PIX logs. Is it standard for one to see these entries in the log even after they are set to be denied?
%PIX-4-106023: Deny icmp src outside:IPADDRESS dst dmz1:STATION (type 8, code 0) by access-group "outside_access_in"
03-10-2003 05:17 PM
The "icmp" commands in the PIX only permit/deny ICMP packets TO the PIX itself, not THROUGH it. Pings destined for hosts behind the PIX will still be allowed/denied by your ACLs.
03-11-2003 03:18 AM
Thanks for the reply. My problem is that I have my logging set to errors and above. Each day the same IP addresses ping my DMZ network, so the logs are filled with these entries. I would like to be able to drop these packets from the sender of the ICMP in the hope that they will get the message and stop. Though all the entries in the log say denied, I still worry that something is happening. So you are saying that I need to set up rules to deny the ICMP to the particular addresses on the DMZ net?
03-11-2003 07:24 PM
You don't need to do anything, this message is telling you that the ICMP packets to your DMZ were denied by the access-list. Whoever is pinging these hosts did not get a response to them, don't worry about that.
As for these messages filling up your logs, there's not a lot we can do about that. You can't selectively turn logging off for these pings specifically. You can turn this log message off with:
> no logging message 106023
but then you won't get any of those messages. I'd prefer to see them personally; at least I know the PIX is denying them.
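Rather than silencing message 106023, the noise can be handled on the syslog side: parse the deny lines, count denied echo requests per source, and flag the sources that show up repeatedly, which also answers the "is something happening" worry with a number. This is an added example, not code from the thread; the log lines are constructed to match the 106023 shape quoted above and use documentation address ranges, and the threshold is an assumed value.

```python
import re
from collections import Counter

# Regex for the PIX 106023 deny message as quoted in the thread. ICMP entries
# carry "(type N, code N)"; TCP/UDP entries carry "/port" on the addresses.
DENY_RE = re.compile(
    r"%PIX-4-106023: Deny (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src>[\d.]+)(?:/\d+)? "
    r"dst (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)(?:/\d+)?"
    r"(?: \(type (?P<type>\d+), code (?P<code>\d+)\))? "
    r'by access-group "(?P<acl>[^"]+)"'
)

# Constructed sample syslog lines (documentation address ranges, not real hosts).
SAMPLE_LOG = """\
Mar 10 2003 09:01:12 pix %PIX-4-106023: Deny icmp src outside:198.51.100.7 dst dmz1:192.0.2.10 (type 8, code 0) by access-group "outside_access_in"
Mar 10 2003 09:01:13 pix %PIX-4-106023: Deny icmp src outside:198.51.100.7 dst dmz1:192.0.2.11 (type 8, code 0) by access-group "outside_access_in"
Mar 10 2003 09:02:40 pix %PIX-4-106023: Deny icmp src outside:203.0.113.5 dst dmz1:192.0.2.10 (type 8, code 0) by access-group "outside_access_in"
Mar 10 2003 09:03:01 pix %PIX-4-106023: Deny tcp src outside:203.0.113.5/4120 dst dmz1:192.0.2.10/23 by access-group "outside_access_in"
Mar 10 2003 09:04:00 pix %PIX-6-302013: Built inbound TCP connection 12 for outside:203.0.113.9/33000 (203.0.113.9/33000) to dmz1:192.0.2.10/80 (192.0.2.10/80)
"""

def parse_denies(log_text):
    """Return one dict per 106023 line; all other messages are skipped."""
    events = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events

def summarize_icmp_denies(events, threshold=2):
    """Count denied ICMP echo requests (type 8) per source address.

    Returns (counts, repeat_senders): counts maps source IP to the number of
    denied echo requests; repeat_senders lists sources at or above threshold.
    """
    counts = Counter(
        e["src"] for e in events
        if e["proto"] == "icmp" and e["type"] == "8"
    )
    repeat = sorted(ip for ip, n in counts.items() if n >= threshold)
    return counts, repeat

if __name__ == "__main__":
    counts, repeat = summarize_icmp_denies(parse_denies(SAMPLE_LOG))
    for ip, n in counts.most_common():
        print(f"{ip}: {n} denied echo requests")
    print("repeat senders:", repeat)
```

The same parser also picks up the TCP deny in the sample, so the per-ACL and per-protocol breakdown is available without losing the messages the second reply wants to keep.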