I am trying to prevent a PIX 515 from responding to ICMP ping initiated on the outside. It's currently on Version 6.3(4). Currently the inbound access list looks like this:
access-list inbound-traffic deny icmp any any echo
access-list inbound-traffic permit icmp any any echo-reply
access-list inbound-traffic permit icmp any any unreachable
access-list inbound-traffic permit icmp any any time-exceeded
access-list inbound-traffic permit udp any eq domain any
access-list inbound-traffic deny ip any any log
access-group inbound-traffic in interface outside
I found this suggestion from another post regarding handling ICMP. However, I can't add the packet-too-big and established lines; it returns the error "Restricted ACLs for route-map use".
access-list 101 deny icmp any any echo <-- nobody can ping you
access-list 101 permit icmp any any echo-reply <-- ping responses come back so that you can ping
access-list 101 permit icmp any any unreachables
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any packet-too-big
access-list 101 permit tcp any any established
access-list 101 permit udp any eq 53 any
access-list 101 deny ip any any log
Ideally I would like users on the inside to be able to ping out and get a response but have the PIX drop requests made from the outside.
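An added configuration example, not from the original post, showing how on a PIX running 6.3 the through-traffic ACL and the to-the-box `icmp` command together give the behaviour asked for above (inside hosts can ping out, outside-initiated echo requests are dropped, and the firewall's own outside interface does not answer pings). The ACL name `inbound-traffic` and the interface name `outside` are taken from the post; the `icmp` lines are assumed additions.

```cisco
! Through-the-box traffic arriving on the outside interface.
! Drop echo requests aimed at inside hosts, but let replies to pings that
! inside hosts started come back (PIX 6.3 has no stateful ICMP inspection,
! so echo-reply has to be permitted explicitly).
access-list inbound-traffic deny icmp any any echo
access-list inbound-traffic permit icmp any any echo-reply
! 'unreachable' is ICMP type 3 and already includes code 4 (fragmentation
! needed / "packet too big"), so no separate packet-too-big entry is needed
! and the PIX does not accept that IOS keyword anyway.
access-list inbound-traffic permit icmp any any unreachable
access-list inbound-traffic permit icmp any any time-exceeded
! TCP (and UDP) return traffic for connections opened from the inside is
! allowed by the PIX's stateful connection table; the IOS ACL keyword
! 'established' is not needed here and is not valid PIX ACL syntax.
access-list inbound-traffic permit udp any eq domain any
access-list inbound-traffic deny ip any any log
access-group inbound-traffic in interface outside
!
! Packets addressed to the PIX's own outside interface are NOT matched by
! the access-group ACL; they are controlled by the 'icmp' command. As soon
! as one icmp entry exists for an interface, anything not listed for that
! interface is denied, so the needed types must be permitted explicitly.
icmp deny any echo outside
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
```

Note that `permit icmp any any echo-reply` also admits unsolicited echo-replies from the outside, which is the price of not having ICMP inspection on this release; the `deny ip any any log` line at the end still records everything else that is refused.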