Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

How to deny ICMP through the PIX

What is ICMP?

ICMP is one of the simplest protocols in the TCP/IP protocol suite. Most protocols implement a particular type of functionality to either facilitate basic operation of a part of the network stack, or an application. To this end they include many specific algorithms and tasks that define the protocol, which is where most of the complexity lies. ICMP, in contrast, is exactly what its name suggests: a protocol that defines control messages. As such, pretty much all of what ICMP is about is providing a mechanism for any IP device to send control messages to another device.


Inbound Internet Control Message Protocol (ICMP) through the PIX is denied by default. Outbound ICMP is  permitted, but the incoming reply is denied by default.

To block ICMP traffic through the PIX, access list (ACL) entries to deny ICMP traffic  through the PIX must be created. These are some examples:

  • To deny ICMP through the PIX:
    access-list 101 line 1 deny icmp any anyaccess-list 101 line 2 permit ip any anyaccess-group 101 in interface inside

    Note: These ACL statements deny all ICMP traffic through the PIX and allow all other traffic. If there was only the deny ICMP line, all traffic is be denied.

  • To deny ICMP to the PIX:
       icmp deny 0 0 inside   icmp deny 0 0 outside

For details and other configuration examples, refer to Handling ICMP Pings with the PIX Firewall.



Version history
Revision #:
1 of 1
Last update:
‎06-18-2009 03:59 PM
Updated by:
Labels (1)