cisco pix allow icmp ping to outside only and prevent all inbound icmp pings


I have struggled with my PIX501 trying to allow inside hosts to ping the outside world, but at the same time NOT allow any outsiders to ping the inside hosts.  Have experimented with "access-list acl_out permit icmp any any" and its variations, with undesirable side effects.  I have the typical static routes and access-lists to match outside IPs with inside hosts configured and operational.  Any help greatly appreciated :)
Your access-list is close:

access-list acl_out permit icmp any any echo-reply

(It assumes that the echo-request is allowed outbound, and that the acl is bound to the outside interface)

gubman (Author) Commented:
Yes: acl_out is bound to the outside interface.
By echo-request, are you referring to "icmp deny any outside" ?
No, I mean that the initial ping is allowed to get out.  Either by no access-list on the inside interface, or allowed by a specific rule.

icmp deny any outside
will deny icmp to the outside firewall interface, but doesn't have effect for icmp passing through it. (by deny any you can't receive replies either though, so you can't ping from the firewall).
If you want to be able to ping out from the firewall, but don't want others to ping it:

clear icmp (removes the icmp statements you have)
icmp permit any echo-reply outside (This has no effect for your inside hosts, but only for the firewall itself)
(Once you have set an icmp on an interface, the default is to deny all the rest - so the above ONLY allows response to ping)


To allow your inside hosts to ping the outside, you need either no access-list on the inside interface (i.e. you don't have a line access-group acl_ins in interface inside)
or a specific rule (either one will do):
access-list acl_ins permit icmp any any echo  (specifically allow ping)
access-list acl_ins permit icmp any any  (allow all icmp inside -> outside)
access-list acl_ins permit ip any any  (allow all IP traffic inside -> outside)

And then you need to allow the replies back in, with the access-list entry of my first post.

I hope that explains it, otherwise repost with your questions :)
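To make the difference between "permit icmp any any" and "permit icmp any any echo-reply" on the outside interface concrete, here is a small added model (my own illustration, not code from the thread or from Cisco) of how a stateless PIX 6.x evaluates its access-lists: first match wins, implicit deny at the end, and an interface with no access-group falls back to the security-level default (inside-to-outside allowed, outside-to-inside denied). The ACL names, interface names and helper functions are assumptions for the illustration.

```python
# Added example, not from the thread: toy model of PIX 6.x access-list evaluation
# for ICMP. The PIX 501 does not track ICMP state, so the echo-reply has to be
# permitted explicitly on the outside interface.

def parse_ace(line):
    """'access-list acl_out permit icmp any any echo-reply' -> (name, ace)."""
    p = line.split()
    if p[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    icmp_type = p[6] if p[3] == "icmp" and len(p) > 6 else None
    return p[1], (p[2], p[3], icmp_type)

def build_acls(config_lines):
    acls = {}
    for line in config_lines:
        name, ace = parse_ace(line)
        acls.setdefault(name, []).append(ace)
    return acls

def acl_permits(aces, proto, icmp_type):
    for action, ace_proto, ace_type in aces:
        if ace_proto in ("ip", proto) and ace_type in (None, icmp_type):
            return action == "permit"  # first match wins
    return False  # implicit deny at the end of every access-list

def passes(acls, bindings, iface, proto, icmp_type):
    """bindings: {interface: acl name} from 'access-group <acl> in interface <iface>'."""
    if iface not in bindings:
        return iface == "inside"  # no ACL: outbound allowed, inbound denied
    return acl_permits(acls.get(bindings[iface], []), proto, icmp_type)

def inside_can_ping_out(acls, bindings):
    # echo leaves through the inside interface, echo-reply returns through outside
    return (passes(acls, bindings, "inside", "icmp", "echo")
            and passes(acls, bindings, "outside", "icmp", "echo-reply"))

def outside_can_ping_in(acls, bindings):
    # an outsider's echo request enters through the outside interface
    return passes(acls, bindings, "outside", "icmp", "echo")

# Constructed configs: the asker's first attempt vs. the answer's echo-reply ACE.
LOOSE = build_acls(["access-list acl_out permit icmp any any"])
TIGHT = build_acls(["access-list acl_out permit icmp any any echo-reply"])
BINDINGS = {"outside": "acl_out"}  # no access-group on the inside interface
```

With LOOSE both directions succeed (the side effect the asker saw); with TIGHT inside hosts still get their replies but outside echo requests hit the implicit deny.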
gubman (Author) Commented:
Thanks for shedding light on the subject.  Happy New Year!  I have successfully applied your suggestions :)