Cisco Support Community

New Member

Ping to PIX (outside)

Hi

I read that the PIX by default will block ICMP and scans. I set up a lab at home, plugged my laptop into the outside interface and got ICMP replies. How come?

I thought by default everything was blocked.

Regards

1 REPLY
Cisco Employee

Re: Ping to PIX (outside)

The PIX allows pings to the outside interface by default, but you can turn it off with the "icmp" command (http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/gl.htm#1026574). Note that we suggest you still allow ICMP Unreachables to the outside interface so you don't break Path MTU Discovery. The following will achieve this while blocking everything else:

> icmp permit any unreachable outside

> icmp deny any outside

As for scans, the PIX will not send any response if it receives a SYN packet to its outside interface for a port that isn't open, effectively black-holing a scan. On any interface other than the outside one, it will send an RST in response to a SYN for a port that isn't open.
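As an added illustration (example code written for this page, not part of the reply above and not Cisco's own code), the following Python script models how the PIX "icmp" interface command is evaluated so you can check an ordering before applying it. The model assumes, per the PIX 6.2 command reference the reply links to, that entries are matched top-down with first match winning, that an interface with at least one entry ends in an implicit deny, and that an interface with no entries accepts all ICMP; the interface names, source addresses and the "swapped" configuration are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# ICMP type keywords accepted by the PIX "icmp" command, mapped to IANA type numbers.
ICMP_TYPES = {
    "echo-reply": 0,
    "unreachable": 3,
    "echo": 8,
    "time-exceeded": 11,
    "parameter-problem": 12,
}


@dataclass
class IcmpRule:
    action: str                              # "permit" or "deny"
    network: ipaddress.IPv4Network           # source addresses the entry covers
    icmp_type: Optional[int]                 # None means "all ICMP types"
    interface: str                           # interface the entry applies to


def parse_icmp_command(line: str) -> IcmpRule:
    """Parse one line of the form:
       icmp {permit|deny} {any | host A | A MASK} [icmp-type] if_name
    (syntax as documented for PIX 6.x; an unknown keyword raises ValueError)."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "icmp" or tokens[1] not in ("permit", "deny"):
        raise ValueError(f"not an icmp permit/deny command: {line!r}")
    action, i = tokens[1], 2
    if tokens[i] == "any":
        network, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
    elif tokens[i] == "host":
        network, i = ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    else:  # address followed by a dotted netmask, e.g. 10.0.0.0 255.0.0.0
        network, i = ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2
    icmp_type = None
    if len(tokens) - i == 2:  # an ICMP type keyword (or number) precedes the interface name
        tok = tokens[i]
        icmp_type = int(tok) if tok.isdigit() else ICMP_TYPES[tok]
        i += 1
    if len(tokens) - i != 1:
        raise ValueError(f"malformed icmp command: {line!r}")
    return IcmpRule(action, network, icmp_type, tokens[i])


def icmp_allowed(rules: List[IcmpRule], interface: str, src_ip: str, icmp_type: int) -> bool:
    """Decide whether an ICMP packet of the given type from src_ip, addressed to the
    firewall's own interface, is accepted. Assumption (PIX 6.2 command reference):
    first match in configuration order wins; an interface with entries ends in an
    implicit deny; an interface with no entries accepts all ICMP."""
    src = ipaddress.ip_address(src_ip)
    applicable = [r for r in rules if r.interface == interface]
    if not applicable:
        return True
    for rule in applicable:
        if src in rule.network and (rule.icmp_type is None or rule.icmp_type == icmp_type):
            return rule.action == "permit"
    return False


# The two lines recommended in the reply, in the order given.
RECOMMENDED = [parse_icmp_command(l) for l in (
    "icmp permit any unreachable outside",
    "icmp deny any outside",
)]

# Constructed counter-example: same two lines, wrong order. "deny any" now matches
# first, so the unreachable messages needed for Path MTU Discovery are dropped too.
SWAPPED = [parse_icmp_command(l) for l in (
    "icmp deny any outside",
    "icmp permit any unreachable outside",
)]


def summarize(rules: List[IcmpRule], interface: str, src_ip: str) -> dict:
    """Report the fate of echo (ping) and unreachable packets for a source address."""
    return {
        "echo": icmp_allowed(rules, interface, src_ip, ICMP_TYPES["echo"]),
        "unreachable": icmp_allowed(rules, interface, src_ip, ICMP_TYPES["unreachable"]),
    }


if __name__ == "__main__":
    probe = "198.51.100.7"  # constructed outside host (documentation range)
    print("recommended order:", summarize(RECOMMENDED, "outside", probe))
    print("swapped order:    ", summarize(SWAPPED, "outside", probe))
    print("inside, no entries:", summarize(RECOMMENDED, "inside", "10.0.0.5"))
```

Run it with `python3 pix_icmp_model.py`: the recommended order yields echo False / unreachable True on the outside interface, the swapped order drops both, and the inside interface, which has no entries, still answers pings. The script only models the command's evaluation order; it does not talk to a firewall.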
