I'm running IOS 6.1.2 and the outside interface is pingable from the outside; this is the problem. All the NATs are not pingable (which is good). I have even put an explicit deny on the access-list to disable pinging, but it is still pinging. Can you help me? Here is a copy of the config. I have changed IPs and names in this sample, otherwise my boss will freak (don't ask).
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list inet-in permit tcp any host 18.104.22.168 eq smtp
access-list inet-in deny udp any any eq 1434
access-list inet-in deny icmp any any
access-list nonat permit ip 10.9.0.0 255.255.0.0 192.168.1.0 255.255.255.0
Try this: take out the ACL (access-list inet-in deny icmp any any) and place this into your config (in config mode):
> icmp deny any outside
Make sure you write to memory. Also, as a good security check, go to www.grc.com and try the 'Shields Up' software; this will check for any holes on your outside interface (this is secure and free) and will give you a report of any open ports. Let me know how you get on.
When you want to create an access-list for ICMP traffic that is terminated at one of the interfaces of the PIX, you have to use the 'icmp' command. The normal 'access-list' command does not work in this situation.
This is some info from the command reference (6.3):
Configure access rules for Internet Control Message Protocol (ICMP) traffic that terminates at an interface.
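As an added example (not code from the thread or from Cisco), here is a small audit script that reads a PIX 6.x style config and reports whether ICMP terminating at the outside interface is governed by an 'icmp' control-list entry or only by an access-list deny, which is exactly the gap described above. The sample config is constructed from the post; interface names and ACL names are assumptions.

```python
"""Audit a PIX 6.x config for how interface-terminated ICMP is controlled."""
import re

# Constructed sample modelled on the original post: the ACL denies ICMP,
# but there is no 'icmp' command, so pings to the interface still succeed.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list inet-in deny icmp any any
access-group inet-in in interface outside
"""

# access-list <name> deny icmp any any
ACL_ICMP_DENY = re.compile(r"^access-list\s+(\S+)\s+deny\s+icmp\s+any\s+any")
# access-group <name> in interface <iface>
ACL_BIND = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)")
# icmp permit|deny <src> [type] <iface>  (ICMP control list, matched first-hit)
ICMP_CTL = re.compile(r"^icmp\s+(permit|deny)\s+(.+?)\s+(\S+)$")


def audit_icmp(config: str, iface: str = "outside") -> dict:
    """Return which mechanism, if any, controls ICMP terminating at `iface`."""
    acl_deny, bound, icmp_rules = set(), {}, []
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_ICMP_DENY.match(line):
            acl_deny.add(m.group(1))
        elif m := ACL_BIND.match(line):
            bound[m.group(2)] = m.group(1)
        elif m := ICMP_CTL.match(line):
            icmp_rules.append(m.groups())  # (action, match, iface)
    controlled = any(r[2] == iface for r in icmp_rules)
    acl_only = bound.get(iface) in acl_deny and not controlled
    finding = ("ok" if controlled else
               "acl-only: ACL deny does not cover ICMP to the interface itself"
               if acl_only else "no ICMP control on interface")
    return {"interface": iface, "icmp_controlled": controlled,
            "acl_deny_only": acl_only, "finding": finding}


if __name__ == "__main__":
    print(audit_icmp(SAMPLE_CONFIG))
    print(audit_icmp(SAMPLE_CONFIG + "icmp deny any outside\n"))
```

Running it on the sample reports 'acl-only'; appending the 'icmp deny any outside' line suggested above flips the result to 'ok'.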