Cisco Support Community

Stubborn ICMP!!!!


I'm running IOS 6.1.2 and the outside interface is pingable from the outside; this is the problem. All the NATs are not pingable (which is good). I have even put an explicit deny on the access-list to disable pinging, but it still pings. Can you help me???? Here is a copy of the config. I have changed IPs and names in this sample, otherwise my boss will freak (don't ask).

PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list inet-in permit tcp any host eq smtp
access-list inet-in deny udp any any eq 1434
access-list inet-in deny icmp any any
access-list nonat permit ip
access-list inet-out deny ip host any
access-list inet-out deny ip host any
access-list inet-out deny ip host any
access-list inet-out deny ip host any
access-list inet-out deny ip host any
access-list inet-out deny ip host any
access-list inet-out deny ip host any
access-list inet-out deny ip host any
access-list inet-out permit ip any any
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool1
pdm history enable
arp timeout 14400
global (outside) 1
global (outside) 1
nat (inside) 0 access-list nonat
nat (inside) 1 0 0
static (inside,outside) EXCH01 netmask 0 0
access-group inet-in in interface outside
access-group inet-out in interface inside
route outside 1
route inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol tacacs+
url-server (inside) host WEBSENSE timeout 5 protocol TCP version 1
url-cache dst 8KB
filter url http allow
http server enable
no snmp-server location
no snmp-server contact
snmp-server community who-cares
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set encrypt1 esp-des esp-md5-hmac
crypto dynamic-map microsoft 1 set transform-set encrypt1
crypto map vpnuser 20 ipsec-isakmp dynamic microsoft
crypto map vpnuser interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup remoteuser$ address-pool vpnpool1
vpngroup remoteuser$ dns-server server
vpngroup remoteuser$ wins-server wserver
vpngroup remoteuser$ default-domain
vpngroup remoteuser$ split-tunnel nonat
vpngroup remoteuser$ idle-time 1800
vpngroup remoteuser$ password ********
telnet outside
telnet inside
telnet timeout 5
ssh timeout 5
terminal width 80




Re: Stubborn ICMP!!!!

Hi Rudy,

Try this: take out the ACL (access-list inet-in deny icmp any any) and put this into your config (in config mode):

> icmp deny any outside

Make sure you write to memory. Also, as a good security check, go to and try the 'Shields Up' software; this will check for any holes on your outside interface (it is secure and free) and will give you a report of any open ports. Let me know how you get on.

Hope this helps -

Re: Stubborn ICMP!!!!


When you want to create an access list for ICMP traffic that is terminated at one of the interfaces of the PIX, you have to use the 'icmp' command. The normal 'access-list' command does not work in this situation.

This is some info from the command reference(6.3):


Configure access rules for Internet Control Message Protocol (ICMP) traffic that terminates at an interface.

[no] icmp {permit | deny} ip_address net_mask [icmp_type] if_name

clear icmp

show icmp

Syntax Description

deny: Deny access if the conditions are matched.

icmp_type: ICMP message type as described in Table 6-1.

if_name: The interface name.

ip_address: The IP address of the host sending ICMP messages to the interface.

net_mask: The mask to be applied to ip_address.

permit: Permit access if the conditions are matched.
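As an added illustration (not from the thread or the command reference), this is what an icmp control list on the outside interface looks like when the goal is to stop answering pings but still let the PIX itself receive the ICMP types it relies on (echo-reply for its own pings, unreachable and time-exceeded for path-MTU discovery and traceroute). The entries are checked top-down, the first match wins, and once a list exists a packet that matches no entry is dropped, so the permits go before the catch-all deny. The lines starting with ! are comments for the reader, not commands.

```text
! Constructed example: ICMP that terminates on the PIX outside interface.
! Permit only what the firewall needs, then deny everything else.
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp deny any outside
! Dropped packets are logged as syslog message 313001 (Denied ICMP ...),
! which is the line to watch for in the log server to confirm the rule works.
write memory
show icmp
```

Echo requests to the outside address now time out, while the access-list on the interface still governs ICMP passing through to the NATed hosts.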




Re: Stubborn ICMP!!!!

You need to apply the list to the interface on the outside

NOT "access-list inet-in deny icmp any any"

This prevents icmp from any on the inside to any

You want "access-list inet-out deny icmp any any"

This prevents icmp from any on the outside to any

Remember to apply the list to the interface where the packets are coming into it.