  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 542

PIX responding to pings from outside

I am trying to prevent a PIX 515 from responding to ICMP ping initiated on the outside. It's currently on Version 6.3(4). Currently the inbound access list looks like this:

access-list inbound-traffic deny icmp any any echo
access-list inbound-traffic permit icmp any any echo-reply
access-list inbound-traffic permit icmp any any unreachable
access-list inbound-traffic permit icmp any any time-exceeded
access-list inbound-traffic permit udp any eq domain any
access-list inbound-traffic deny ip any any log
access-group inbound-traffic in interface outside

I found this suggestion in another post regarding handling ICMP. However, I can't add the packet-too-big and established lines. It returns an error: "Restricted ACLs for route-map use".

access-list 101 deny icmp any any echo <-- nobody can ping you
access-list 101 permit icmp any any echo-reply      <-- ping responses come back so that you can ping
access-list 101 permit icmp any any unreachables
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any packet-too-big
access-list 101 permit tcp any any established
access-list 101 permit udp any eq 53 any
access-list 101 deny ip any any log

Ideally I would like users on the inside to be able to ping out and get a response but have the PIX drop requests made from the outside.

1 Solution
Can't get there from here (or so I've been told).

I asked Cisco for exactly that configuration, but was told you can't do it.

It makes sense though.  A ping is not a session oriented communication.  The PIX has no way of knowing if the pings coming in are ones you sent and are expecting a return on, or if they were initiated by someone else on the outside.  It just either allows them all in, or drops them all as configured.

Looks good

leerlp (Author) commented:
So what's the best security practice? I was under the assumption that you don't want the firewall responding to ICMP coming from the outside. I have also read that the PIX by default does not respond to ICMP, so I am wondering why mine does even without the ACL entries?
My firewall is set to not allow ICMP packets.  I've had it running that way for 3 years without a problem.  Pinging out to the Internet is rarely necessary -- if I can ping my Internet router's local interface from the PIX, I call my ISP to have them fix the problem.  If I can't, well, it's a sure bet the inside network can't either.

As for the response without the ACL entries, I don't know. It shouldn't respond unless you allow it (there is an implied deny any any at the end of all your ACLs).
leerlp (Author) commented:
I dropped the ACL statement and went with the statements below. Outside ICMP is now getting blocked like it should. Pinging to the outside from inside does not work. Is this enough ICMP message types to specify without disrupting any necessary ICMP communication?

icmp deny any echo outside
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
You're dealing with apples and oranges between the acl and the icmp commands.

icmp commands deal with how the pix interface itself handles icmp packets directed to its own IP address
access-list entries are necessary for internal users to get replies from external hosts.


What you end up with is a combination of both the icmp commands and acl:

icmp deny any outside  <== nobody can ping you, you won't send any response to any type of ping packet

access-list outside_in permit icmp any any unreachable  <== required for tcp/ip sliding window and path mtu to work properly
access-list outside_in permit icmp any any echo-reply   <== required to allow return reply to internal host ping
access-list outside_in permit icmp any any time-exceeded  <== required to run traceroute

access-group outside_in in interface outside

Best practice is to make the pix itself as invisible as possible.
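The distinction in the accepted answer (the `icmp` command governs packets addressed to the PIX interface itself, the inbound ACL governs packets passing through to inside hosts) is easy to get wrong when reading a config, so here is an added example, not code from the thread or from Cisco, that audits a PIX 6.3-style config for exactly that split. It assumes the PIX 6.3 behaviour as the thread describes it: with no `icmp` command on an interface the PIX answers every ICMP packet sent to that interface (which is why the asker's ACL-only config still answered pings); once an `icmp` control list exists, the first match wins and anything unmatched is dropped; and through traffic arriving on the lower-security outside interface is dropped unless the inbound ACL permits it. The parser only understands the `any`, `host A.B.C.D` and `A.B.C.D MASK` address forms and the tcp/udp port operators used in the thread; the sample configs are copied from the question and the answer above.

```python
"""Added example: audit a PIX 6.3-style config for the to-the-box ("icmp"
command) versus through-the-box (access-list) ICMP split described above."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class IcmpRule:              # icmp {permit|deny} SRC [TYPE] IFACE
    action: str
    src: str
    icmp_type: Optional[str]
    interface: str


@dataclass
class AclEntry:              # access-list NAME {permit|deny} PROTO SRC DST [TYPE]
    action: str
    proto: str
    src: str
    dst: str
    icmp_type: Optional[str]


def _take_addr(tokens: List[str]) -> Tuple[str, List[str]]:
    """Consume one address spec: any | host A.B.C.D | A.B.C.D MASK."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def _skip_port(tokens: List[str]) -> List[str]:
    """Drop an optional tcp/udp port operator (eq/gt/lt/neq X, range X Y)."""
    if tokens and tokens[0] in ("eq", "gt", "lt", "neq"):
        return tokens[2:]
    if tokens and tokens[0] == "range":
        return tokens[3:]
    return tokens


def parse_config(text: str):
    icmp_rules: List[IcmpRule] = []
    acls: Dict[str, List[AclEntry]] = {}
    bindings: Dict[str, str] = {}        # interface -> ACL applied inbound
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "icmp" and tok[1] in ("permit", "deny"):
            src, rest = _take_addr(tok[2:])
            itype = rest[0] if len(rest) == 2 else None   # TYPE is optional
            icmp_rules.append(IcmpRule(tok[1], src, itype, rest[-1]))
        elif tok[0] == "access-list":
            name, action, proto = tok[1], tok[2], tok[3]
            src, rest = _take_addr(tok[4:])
            dst, rest = _take_addr(_skip_port(rest))
            rest = [t for t in _skip_port(rest) if t != "log"]
            itype = rest[0] if proto == "icmp" and rest else None
            acls.setdefault(name, []).append(AclEntry(action, proto, src, dst, itype))
        elif tok[0] == "access-group" and tok[2] == "in":
            bindings[tok[4]] = tok[1]    # access-group NAME in interface IFACE
    return icmp_rules, acls, bindings


def box_replies_to(icmp_rules, interface, icmp_type) -> bool:
    """To-the-box: does the PIX interface itself answer this ICMP type?
    Assumed semantics: no icmp control list -> answers everything;
    otherwise first match wins, implicit deny at the end."""
    rules = [r for r in icmp_rules if r.interface == interface]
    if not rules:
        return True
    for r in rules:
        if r.icmp_type in (None, icmp_type):
            return r.action == "permit"
    return False


def acl_passes(acls, bindings, interface, icmp_type) -> bool:
    """Through-the-box: does the inbound ACL on the interface pass this type
    (e.g. the echo-reply coming back to an inside host)?  No ACL bound ->
    nothing permits the lower->higher traffic; otherwise first match wins."""
    name = bindings.get(interface)
    if name is None:
        return False
    for e in acls.get(name, []):
        if e.proto in ("ip", "icmp") and e.icmp_type in (None, icmp_type):
            return e.action == "permit"
    return False                          # implicit deny ip any any


def audit(text: str, interface: str = "outside") -> Dict[str, bool]:
    icmp_rules, acls, bindings = parse_config(text)
    return {
        "box_answers_echo": box_replies_to(icmp_rules, interface, "echo"),
        "outside_echo_forwarded_inside": acl_passes(acls, bindings, interface, "echo"),
        "inside_ping_reply_returns": acl_passes(acls, bindings, interface, "echo-reply"),
        "pmtud_unreachable_returns": acl_passes(acls, bindings, interface, "unreachable"),
        "traceroute_time_exceeded_returns": acl_passes(acls, bindings, interface, "time-exceeded"),
    }


# Constructed samples: the asker's ACL-only config and the accepted answer's config.
ACL_ONLY = """\
access-list inbound-traffic deny icmp any any echo
access-list inbound-traffic permit icmp any any echo-reply
access-list inbound-traffic permit icmp any any unreachable
access-list inbound-traffic permit icmp any any time-exceeded
access-list inbound-traffic permit udp any eq domain any
access-list inbound-traffic deny ip any any log
access-group inbound-traffic in interface outside
"""
RECOMMENDED = """\
icmp deny any outside
access-list outside_in permit icmp any any unreachable
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any time-exceeded
access-group outside_in in interface outside
"""

if __name__ == "__main__":
    for label, cfg in (("ACL only", ACL_ONLY), ("icmp command + ACL", RECOMMENDED)):
        print(label, audit(cfg))
```

Running it reproduces the thread: the ACL-only config leaves `box_answers_echo` true (the PIX still answers pings on its own address) while the combined config turns that off and still lets echo-reply, unreachable and time-exceeded back in for inside hosts. Feeding it the asker's intermediate `icmp`-only config shows the other failure mode: the box stops answering, but with no ACL bound the replies to inside pings are dropped.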

That accomplished everything we were looking for.

