PIX501 Disable Ping from outside network

Dear Experts

My company has a sbs2000 server running mainly for ERP application.
, Citrix Metaframe XP presentation sever has also been installed
for our remote users access.
(Server Internal IP:

We have a PIX501 firewall installed. (PIX Internal IP:
I have opened tcp port 3389 for remote desktop for administrator works.
Web server is running just for internal, not outside. SQL 2000 server is runnning too.(no exchange server, no ftp server)
Last month I needed to access from home to my company's SQL 2000 server for some programming works,
so I have enabled tcp port 1433. Everything work fine until this weekend there is a huge inbound traffic into the server,
part of the reason as our firewall still accept PING from outside.

>>>built inbound tcp connection 35504 for outside: (ns.thundernet.co.kr) /12033 ( (ns.thundernet.co.kr) /12033) to inside: (uuuu.xx.local) /1433 (aaa.bbb.ccc.ddd (uuuu.xx.local) /1433)
>>>teardown tcp connection 35504 for outside: (ns.thundernet.co.kr) /12033 to inside: (uuuu.xx.local) /1433 duration 0:00:01 bytes 254 tcp fins

Just in case anything happen, I have temporary removed port 1433 now.

I would like to know how to disable PING from outside (but I can till ping from inside)
but not impair my ability to communicate to outside world?
As I'm very new to PIX firewall, I really need some expert advice before I actually mess up my company network.

Many many thanks in advance.



Our PIX 501 config:

Building configuration...
: Saved
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxxxxx encrypted
hostname YYYYYY
domain-name XXXXX
clock timezone HKST 8
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list 101 permit tcp any host aaa.bbb.ccc.ddd eq 3389
access-list 101 permit tcp any host aaa.bbb.ccc.ddd eq citrix-ica
access-list 101 permit udp any host aaa.bbb.ccc.ddd eq 1604
pager lines 24
logging on
logging timestamp
logging trap informational
logging history warnings
logging facility 23
logging host inside
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm location inside
pdm location kkk.bbb.ccc.ddd inside
pdm location kkk.bbb.ccc.ddd outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0 0
static (inside,outside) tcp aaa.bbb.ccc.ddd 3389 3389 netmask 0 0
static (inside,outside) tcp aaa.bbb.ccc.ddd citrix-ica citrix-ica netmask 0 0
static (inside,outside) udp aaa.bbb.ccc.ddd 1604 1604 netmask 0 0
access-group 101 in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname xxxxxxxxxx@NWTBB.COM
vpdn group pppoe_group ppp authentication pap
vpdn username xxxxxxxxxx@NWTBB.COM password *********
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
: end

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

To disable icmp on the interface, simply add the following command:
  icmp deny any outside

Blocking ICMP will not prevent port scans. Leaving well-known ports (i.e. tcp 1433 SQL) open is the issue. Anytime you open up any port to any server, be 200% positive that your server is protected with latest patches and best practices, and change the default port if you can (security by obscurity)...


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial

and open port 1433 only to selective IP addresses and not to any.
csvchouAuthor Commented:
It works!! now no one can PING our outside IP

   icmp deny any outside

I've added the following lines (quote from lrmoore's old solution) so that we can PING from inside

   access-list uart permit icmp any any echo-reply
   access-list uart permit icmp any any unreachable
   access-list uart permit icmp any any time-exceeded

martap is right, I should open port 1433 to selective IP
I've asked them to split points, 400 for lrmoore, 100 for martap
Thanks for fixing my problem in such short time. :)
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Software Firewalls

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.