updating ACL on PIX515e

I need to block incoming ping from the Internet but allow ping out for testing connectivity to the outside world. I currently have an ACL with these commands:
  access-list 100 permit icmp any any unreachable
  access-list 100 permit icmp any any echo-reply
  access-list 100 permit icmp any any time-exceeded
I want to add this line - access-list 100 deny icmp any outside - to the top of the ACL.
Now my real question is: what is the best way to add this line? I remember having to remove the ACL into Notepad, adding the line, then re-entering the ACL into the firewall. If I do that, then the firewall will not have any ACL installed for a short period of time. This is on a production firewall, so I want to be very careful.
thanks in advance,
jerry
jmcrae72 asked:
calvinetter commented:
I think what jjoseph_x had intended to post was:
    access-list 100 line 1 deny icmp any any
However, if you add this, then you'll never get *any* icmp traffic from the outside, not even replies to outbound pings.  ACLs are evaluated in a top-down fashion, with a "1st match wins" behavior, so any other icmp lines in your ACL will be ignored after that 1st line which matches *all* icmp traffic (to a deny statement).   And if a match is not found, the PIX will block the traffic.

Jerry, if your intention is to: 1) set the PIX to not answer any pings from the Internet, 2) but still allow ping replies back in & a few other icmp messages in, then you'll want to do the following:

  icmp deny any echo outside   <-- tell PIX not to answer pings directed to the outside interface
...And don't change your ACL 100; keep it configured like so:
  access-list 100 permit icmp any any unreachable
  access-list 100 permit icmp any any echo-reply
  access-list 100 permit icmp any any time-exceeded ...

You'll still receive replies to outbound pings, the PIX won't answer pings, & neither will the PIX allow pings inbound through it, since there are no ACL 100 statements allowing this.

>if i do that then the firewall will not have any ACL installed for a short period of time.
  Not to worry!  Even if you don't have any ACLs at all configured on the outside interface, the PIX by default will block *all* inbound connection attempts from the outside.

cheers
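As an added example (not code from this thread or from Cisco), here is a small Python first-match evaluator for the access-list lines quoted above. It models only the "any any" source/destination form used in the thread (an assumption, not full PIX syntax), shows why a "line 1 deny icmp any any" entry makes the later echo-reply permit unreachable, and includes a shadowed-rule audit check.

```python
# Added example, not code from the original thread. Models only the
# "access-list NAME [line N] permit|deny PROTO any any [ICMP-TYPE]" form
# seen in the thread; first match wins, no match means implicit deny.
import re

ACL_LINE = re.compile(
    r"access-list\s+(\S+)(?:\s+line\s+(\d+))?\s+(permit|deny)\s+(\S+)"
    r"\s+(\S+)\s+(\S+)(?:\s+(\S+))?$"
)


def parse_acl(lines):
    """Return an ordered rule list; 'line N' inserts at 1-based position N."""
    rules = []
    for text in lines:
        m = ACL_LINE.match(text.strip())
        if not m:
            raise ValueError(f"unparsed ACL line: {text!r}")
        _name, pos, action, proto, src, dst, icmp_type = m.groups()
        rule = {"action": action, "proto": proto, "src": src,
                "dst": dst, "icmp_type": icmp_type}
        if pos is None:
            rules.append(rule)
        else:
            rules.insert(int(pos) - 1, rule)
    return rules


def covers(earlier, later):
    """True if every packet matched by `later` is already matched by `earlier`."""
    proto_ok = earlier["proto"] in ("ip", later["proto"])
    type_ok = earlier["icmp_type"] in (None, later["icmp_type"])
    return proto_ok and type_ok


def evaluate(rules, proto, icmp_type=None):
    """Walk the ACL top-down; return (action, 1-based rule index) or implicit deny."""
    probe = {"proto": proto, "icmp_type": icmp_type}
    for idx, rule in enumerate(rules, 1):
        if covers(rule, probe):
            return rule["action"], idx
    return "deny", None


def shadowed(rules):
    """1-based indices of rules that an earlier rule makes unreachable."""
    return [j for j in range(1, len(rules) + 1)
            if any(covers(rules[i], rules[j - 1]) for i in range(j - 1))]
```

Feeding the three original lines plus "access-list 100 line 1 deny icmp any any" to parse_acl and then shadowed shows rules 2 through 4 are dead, which is the behaviour described above.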
 
jjoseph_x commented:
You can use the keyword "line" to make an entry appear at a specific location in your ACL.

For example:

access-list 100 line 1 deny icmp any outside

That'll put it at the top of the list.

 
jmcrae72 (Author) commented:
I'll give it a try tomorrow night - maint. window.
thanks a ton.
jerry
 
jmcrae72 (Author) commented:
I got it to work by removing this command "icmp permit any outside" and adding "icmp deny any echo outside". I didn't even have to change the ACL at all. I am able to ping, say, google.com and still pass a firewall test.
Thanks to everyone who contributed!
jerry
Question has a verified solution.