New Member

PIX outside interface-prevent PING responses

Hi,

The outside interface of our PIX firewall responds to pings coming from the Internet. Is there a way to prevent it from responding so an ICMP scan from the Internet won't find it? We're using conduits and we run version 6.2.

I've searched the doc without any positive answer.

Thanks !

3 REPLIES

Re: PIX outside interface-prevent PING responses

As you know, conduits apply to the whole PIX, not just an interface (when used with a static command statement, a conduit command statement permits users on a lower security interface to access a higher security interface. When not used with a static command statement, a conduit command statement permits both inbound and outbound access). So, you can try "conduit deny icmp x.x.x.x any echo" and "conduit permit icmp any any". That will prevent anyone from pinging your PIX outside IP and will allow all other ICMP (can block other ICMPs if required).

Access-lists are a lot easier to work with and can apply to only one interface (eg outside), so you may want to migrate them.

Hope it helps.

Steve

Cisco Employee

Re: PIX outside interface-prevent PING responses

ACLs and conduits will not prevent a PIX from responding to pings.

I have not found a way to stop the PIX from answering these ICMP messages.

If anyone can find a way, I'd like to see it.

Re: PIX outside interface-prevent PING responses

See link on how to do it: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/config/config.htm#xtocid34

Disregard my previous post, long day.

Steve
