Cisco Pix Firewall Logs

Hey all,

I have a quick question. I am noticing A LOT of ICMP deny requests on my external interface on my router.
Should I be concerned?

here is a portion of the log

Deny inbound icmp src outside 63.214.225.229 dst inside 63.x.x.x (type 8, Code 0)
ShinCat asked:

lrmoore commented:
Everyone on the planet is knocking on your door with pings. This is just part of being on the Internet, and reconnaissance attempts.
As long as they are denied packets, you've nothing to worry about.
If you start seeing a pattern of specific source IP addresses, what I do is put a deny entry into the router acl so the firewall never even sees the icmp packet.

Scotty_cisco commented:
ShinCat;

This is pretty normal if you are denying ICMP traffic, and given that many people will do a ping sweep of an entire subnet before they run port scans, you could see a deny for every attempt across your address range. I would not worry that much about it unless there are a large number coming from the same source (say 100 or so an hour).

Thanks
Scott
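Both lrmoore's advice (watch for a pattern of specific source addresses and put a deny entry in the router ACL) and Scott's rule of thumb (roughly 100 denies an hour from one source) can be turned into a small log check. The script below is an added example, not code from the thread or from Cisco: it parses PIX "Deny inbound icmp" lines in the format shown in the question, counts denies per source per hour, flags sources that cross the threshold, and prints the IOS extended-ACL lines you would add on the router. The sample log lines are constructed (the noisy 198.51.100.7 and the 192.0.2.10 inside host are documentation addresses, and ACL number 101 is an assumed placeholder); only 63.214.225.229 comes from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the PIX 106014-style deny line from the thread, with or without a
# syslog timestamp, and with either "outside 1.2.3.4" or "outside:1.2.3.4".
DENY_RE = re.compile(
    r"^(?:(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) )?.*?"
    r"Deny inbound icmp src (?P<src_if>\w+)[: ]+(?P<src>(?:\d{1,3}\.){3}\d{1,3}) "
    r"dst (?P<dst_if>\w+)[: ]+(?P<dst>(?:\d{1,3}\.){3}\d{1,3}) "
    r"\(type (?P<type>\d+), [Cc]ode (?P<code>\d+)\)"
)


def _line(ts, src, dst="192.0.2.10"):
    """Build one constructed PIX deny line (sample data, not a real log)."""
    return (f"{ts} %PIX-3-106014: Deny inbound icmp src outside:{src} "
            f"dst inside:{dst} (type 8, code 0)")


# Constructed sample log: 198.51.100.7 pings twice a minute for a whole hour
# (120 denies), 63.214.225.229 shows up three times spread over the day, and
# one unrelated PIX message is mixed in to show it is ignored.
SAMPLE_LOG = "\n".join(
    [_line(f"Jan 14 10:{m:02d}:{s:02d}", "198.51.100.7")
     for m in range(60) for s in (5, 35)]
    + [_line("Jan 14 09:12:01", "63.214.225.229"),
       _line("Jan 14 11:47:30", "63.214.225.229"),
       _line("Jan 14 16:02:09", "63.214.225.229"),
       "Jan 14 12:00:00 %PIX-6-302013: Built inbound TCP connection (unrelated)"]
)


def parse_denies(text):
    """Return one record per ICMP deny line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        ts = m.group("ts")
        records.append({
            # No year in syslog timestamps; strptime defaults to 1900, which
            # is fine for bucketing by hour.
            "when": datetime.strptime(ts, "%b %d %H:%M:%S") if ts else None,
            "src": m.group("src"),
            "dst": m.group("dst"),
            "type": int(m.group("type")),
            "code": int(m.group("code")),
        })
    return records


def hourly_counts(records):
    """Count denies keyed by (source address, hour bucket)."""
    counts = defaultdict(int)
    for r in records:
        hour = r["when"].replace(minute=0, second=0) if r["when"] else None
        counts[(r["src"], hour)] += 1
    return counts


def noisy_sources(records, per_hour=100):
    """Sources whose busiest hour meets the threshold, as (src, peak) pairs."""
    peak = defaultdict(int)
    for (src, _hour), n in hourly_counts(records).items():
        peak[src] = max(peak[src], n)
    return sorted((src, n) for src, n in peak.items() if n >= per_hour)


def router_acl_lines(sources, acl_number=101):
    """IOS extended-ACL entries that drop echo requests from each source
    before they reach the firewall (ACL number is an assumed placeholder)."""
    return [f"access-list {acl_number} deny icmp host {src} any echo"
            for src in sources]


if __name__ == "__main__":
    recs = parse_denies(SAMPLE_LOG)
    print(f"{len(recs)} ICMP denies from {len({r['src'] for r in recs})} sources")
    flagged = noisy_sources(recs)
    for src, n in flagged:
        print(f"{src}: {n} denies in its busiest hour")
    for entry in router_acl_lines([src for src, _ in flagged]):
        print(entry)
```

Run against a real PIX syslog file, the same functions apply unchanged; the threshold is the one Scott suggests, and the ACL lines are only printed so you can review them before pasting anything into the router.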
sheahmed commented:

surely your concern, besides a security threat ... such icmp attacks are utilizing your cpu as well as memory resources ... I'll recommend you to monitor your internal network for the same ...

there are two types of icmp packets ...

- echo:  Request ... (ping)
- echo-reply:  Response in result of Request ... (ping response)

permit icmp only from recognized sources and for specific destinations ... if necessary ... otherwise block icmp along with other vulnerable ports (i.e. netbios, etc)

worm could be ...
- http://vil.nai.com/vil/content/v_100559.htm


probably the worm could be nachi ... check out more about it ...
- www.sans.org/rr/papers/60/477.pdf

hope this stuff is useful for you ...

Regards,
Sheeraz Ahmed
sheahmed commented:

Type 8 Code 0 Echo Request (ping) - means it sends you a packet, which should be directly replied to by/with an echo reply

NicBrey commented:
Agree, nothing to worry about unless you start seeing a pattern.

Sheeraz,
Probably the most well known ICMP packets are "echo request" and "echo reply", but there is a lot more than 2 types of ICMP packets.

http://www.iana.org/assignments/icmp-parameters
sheahmed commented:

thanks for the correction ... yes there are icmp packet types each with its own format ...
like ...

 0 -  Echo Reply
 3 - Destination Unreachable
 4 - Source Quench
 5 - Redirect (Change Route)
 8 - Echo Request
11 - Time Exceeded
12 - Parameter Problem in Datagram
14 - Timestamp Request

ShinCat, you can see the description of 0 and 8 here ... NicBrey, most of the time I have met the same echo attacks ...

ShinCat (Author) commented:
lrMoore

You are the Cisco Ninja!

Are you a CCIE? I want to thank you for all your past help you have given me. In fact I think all the past help you have given me has been all Cisco help.
If you are anywhere near Atlanta Georgia there is a steak dinner waiting for you.
You are truly a professional above and beyond.
ShinCat (Author) commented:
To all the others who replied I want to thank you also.

All your answers were helpful and it adds value to this thread, but it was lrmoore who responded first in a timely fashion.

Scotty_Cisco, you responded at the same time but lrmoore was faster.
I thank you also. I hope in the future I can award you some points also.
lrmoore commented:
Not CCIE yet. Passed the written, waiting to take the PE.

I'm not too far from Atlanta, in AL. I go through the ATL airport all the time, though.
There's a saying here: "when you die and go to heaven - you're going through Atlanta"