PIX responding to pings from outside

Posted on 2005-04-22
Last Modified: 2013-11-16
I am trying to prevent a PIX 515 from responding to ICMP ping initiated on the outside.  It's currently on Version 6.3(4).  Currently the inbound access list looks like this:

access-list inbound-traffic deny icmp any any echo
access-list inbound-traffic permit icmp any any echo-reply
access-list inbound-traffic permit icmp any any unreachable
access-list inbound-traffic permit icmp any any time-exceeded
access-list inbound-traffic permit udp any eq domain any
access-list inbound-traffic deny ip any any log
access-group inbound-traffic in interface outside

I found this suggestion from another post regarding handling ICMP.  However, I can't add the packet-too-big and established lines.  It returns an error: Restricted ACLs for route-map use.

access-list 101 deny icmp any any echo <-- nobody can ping you
access-list 101 permit icmp any any echo-reply      <-- ping responses come back so that you can ping
access-list 101 permit icmp any any unreachables
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any packet-too-big
access-list 101 permit tcp any any established
access-list 101 permit udp any eq 53 any
access-list 101 deny ip any any log

Ideally I would like users on the inside to be able to ping out and get a response but have the PIX drop requests made from the outside.

Question by:leerlp
    LVL 7

    Expert Comment

    Can't get there from here (or so I've been told).

    I asked Cisco for exactly that configuration, but was told you can't do it.

    It makes sense though.  A ping is not a session oriented communication.  The PIX has no way of knowing if the pings coming in are ones you sent and are expecting a return on, or if they were initiated by someone else on the outside.  It just either allows them all in, or drops them all as configured.

    LVL 32

    Expert Comment

    Looks good


    Author Comment

    So what's the best security practice?  I was under the assumption that you don't want the firewall responding to ICMP coming from the outside.  I have also read that the PIX by default does not respond to ICMP, so I am wondering why mine does even without the ACL entries?
    LVL 7

    Expert Comment

    My firewall is set to not allow ICMP packets.  I've had it running that way for 3 years without a problem.  Pinging out to the Internet is rarely necessary -- if I can ping my Internet router's local interface from the PIX, I call my ISP to have them fix the problem.  If I can't, well, it's a sure bet the inside network can't either.

    As for the response without the ACL entries, I don't know.  It shouldn't respond unless you allow it (there is an implied deny any any at the end of all your ACLs).

    Author Comment

    I dropped the ACL statement and went with the statements below.  Outside ICMP is now getting blocked like it should.  Pinging to the outside from inside does not work.  Is this enough ICMP message types to specify without disrupting any necessary ICMP communication?

    icmp deny any echo outside
    icmp permit any echo-reply outside
    icmp permit any unreachable outside
    icmp permit any time-exceeded outside
    LVL 79

    Accepted Solution

    You're dealing with apples and oranges between the acl and the icmp commands.

    icmp commands deal with how the pix interface itself handles icmp packets directed to its own IP address
    access-list entries are necessary for internal users to get replies from external hosts.


    What you end up with is a combination of both the icmp commands and acl:

    icmp deny any outside  <== nobody can ping you, you won't send any response to any type of ping packet

    access-list outside_in permit icmp any any unreachable  <== required for tcp/ip sliding window and path mtu to work properly
    access-list outside_in permit icmp any any echo-reply   <== required to allow return reply to internal host ping
    access-list outside_in permit icmp any any time-exceeded  <== required to run traceroute

    access-group outside_in in interface outside

    Best practice is to make the pix itself as invisible as possible.
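    The accepted answer's point is that two separate mechanisms are in play: the icmp command governs ICMP addressed to the PIX interface itself, while the access-list governs ICMP passing through to inside hosts, with an implicit deny at the end. The following is an added example, not code from the thread or from Cisco, that models exactly that split for the configuration in the answer and classifies a few constructed sample packets; the addresses (203.0.113.1 for the PIX outside interface, 198.51.100.7 as an outside host, 192.0.2.10 as an inside host's global address) are assumed for illustration. As the thread notes, the ACL is modelled as stateless: an echo-reply is permitted whether or not an inside host sent the matching echo.

```python
# Added example (not from the thread): model of PIX "icmp" commands vs. the
# inbound access-list from the accepted answer. Addresses are constructed.
from dataclasses import dataclass

PIX_OUTSIDE_IP = "203.0.113.1"   # assumed outside interface address

# "icmp deny any outside": no ICMP type aimed at the interface is answered.
ICMP_INTERFACE_RULES = [("deny", "any")]

# access-list outside_in, in the order the answer gives them; an entry
# matches when its type is "any" or equals the packet's ICMP type.
ACL_OUTSIDE_IN = [
    ("permit", "unreachable"),
    ("permit", "echo-reply"),
    ("permit", "time-exceeded"),
]


@dataclass
class IcmpPacket:
    src: str
    dst: str          # address as seen on the outside: PIX IP or a global IP
    icmp_type: str    # "echo", "echo-reply", "unreachable", "time-exceeded", ...


def interface_decision(pkt: IcmpPacket) -> str:
    """Apply the icmp commands (packets addressed to the PIX itself).
    With no icmp commands configured the PIX answers, hence default permit."""
    for action, icmp_type in ICMP_INTERFACE_RULES:
        if icmp_type in ("any", pkt.icmp_type):
            return action
    return "permit"


def acl_decision(pkt: IcmpPacket) -> str:
    """Apply the inbound ACL to through-traffic; implicit deny at the end."""
    for action, icmp_type in ACL_OUTSIDE_IN:
        if icmp_type in ("any", pkt.icmp_type):
            return action
    return "deny"


def outside_in_decision(pkt: IcmpPacket) -> tuple:
    """Classify a packet arriving on the outside interface: which mechanism
    handles it and whether it is permitted or denied."""
    if pkt.dst == PIX_OUTSIDE_IP:
        return ("interface", interface_decision(pkt))
    return ("acl", acl_decision(pkt))
```

    Run over the sample packets, an outside ping of the PIX is dropped by the icmp command, an echo-reply or unreachable to an inside host is permitted by the ACL, and an outside echo to an inside host falls through to the implicit deny.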

    Author Comment


    That accomplished everything we were looking for.

