ICMP question

pcguru1964
Level 1

I currently have PIX 515E rules set up to deny ICMP:

icmp deny any outside

icmp deny any dmz1

Though I still see hits in the PIX logs. Is it standard to see these entries in the log even after they are set to be denied?

%PIX-4-106023: Deny icmp src outside:IPADDRESS dst dmz1:STATION (type 8, code 0) by access-group "outside_access_in"

3 Replies

gfullage
Cisco Employee

The "icmp" commands in the PIX only permit/deny ICMP packets TO the PIX itself, not THROUGH it. Pings destined for hosts behind the PIX will still be allowed/denied by your ACLs.

Thanks for the reply. My problem is that I have my logging set to errors and above. Each day the same IP addresses ping my DMZ network, so the logs are filled with these entries. I would like to be able to drop these packets from the sender of the ICMP in the hope they will get the message and stop. Though all the entries in the log say denied, I still worry that something is happening. So you are saying that I need to set up rules to deny the ICMP to the particular addresses on the DMZ net?

You don't need to do anything; this message is telling you that the ICMP packets to your DMZ were denied by the access-list. Whoever is pinging these hosts did not get a response, so don't worry about that.

As for these messages filling up your logs, there's not a lot we can do about that. You can't selectively turn logging off for these pings specifically. You can turn this log message off with:

> no logging message 106023

but then you won't get any of those messages. Personally I'd prefer to see them; at least I know the PIX is denying them.
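A middle ground between keeping every 106023 entry and silencing the message ID: keep logging on and summarize the denied ICMP entries per source address offline. This is an added example written for this thread, not code from the thread or from Cisco; the parser matches the %PIX-4-106023 format exactly as quoted above, and the log lines, addresses and interface names below are constructed samples.

```python
import re
from collections import Counter, defaultdict

# Matches the %PIX-4-106023 message in the shape quoted in the thread.
# Ports (ip/port) are optional so TCP/UDP denies parse too; the
# "(type N, code N)" part is only present for ICMP.
LOG_RE = re.compile(
    r'%PIX-4-106023: Deny (?P<proto>\w+) '
    r'src (?P<src_if>[\w-]+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))? '
    r'dst (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?'
    r'(?: \(type (?P<type>\d+), code (?P<code>\d+)\))?'
    r' by access-group "(?P<acl>[^"]+)"'
)

# Constructed sample syslog lines (documentation-range addresses, made-up hosts).
SAMPLE_LOG = [
    'Jan 10 03:14:01 pix %PIX-4-106023: Deny icmp src outside:203.0.113.7 dst dmz1:10.10.1.20 (type 8, code 0) by access-group "outside_access_in"',
    'Jan 10 03:14:02 pix %PIX-4-106023: Deny icmp src outside:203.0.113.7 dst dmz1:10.10.1.21 (type 8, code 0) by access-group "outside_access_in"',
    'Jan 10 03:14:05 pix %PIX-4-106023: Deny icmp src outside:198.51.100.9 dst dmz1:10.10.1.20 (type 8, code 0) by access-group "outside_access_in"',
    'Jan 10 03:14:09 pix %PIX-4-106023: Deny tcp src outside:203.0.113.7/40211 dst dmz1:10.10.1.20/23 by access-group "outside_access_in"',
    'Jan 10 03:15:00 pix %PIX-4-106023: Deny icmp src outside:203.0.113.7 dst dmz1:10.10.1.20 (type 8, code 0) by access-group "outside_access_in"',
]

def parse_106023(line):
    """Return the fields of a 106023 deny message as a dict, or None if no match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "type", "code"):
        if rec[key] is not None:
            rec[key] = int(rec[key])
    return rec

def summarize_denied_icmp(lines):
    """Count denied ICMP entries per source IP and record which DMZ hosts each one hit."""
    per_src = Counter()
    targets = defaultdict(set)
    for line in lines:
        rec = parse_106023(line)
        if rec is None or rec["proto"] != "icmp":
            continue  # non-matching line or a non-ICMP deny
        per_src[rec["src"]] += 1
        targets[rec["src"]].add(rec["dst"])
    return per_src, targets

if __name__ == "__main__":
    counts, hosts = summarize_denied_icmp(SAMPLE_LOG)
    for src, n in counts.most_common():
        print(f"{src}: {n} denied ICMP, targets {sorted(hosts[src])}")
```

Run it over the real syslog export instead of SAMPLE_LOG to see which external sources keep probing the DMZ while the ACL keeps denying them.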
