AXISHK asked:
Block ICMP traffic to PIX

I want to stop my PIX from responding to ICMP ping from the outside, and put the following in my PIX:

access-list outside deny icmp any any
access-group outside in interface outside

Afterwards, I still find my PIX responds to ICMP ping. Any idea why?
naveedb replied:

Try this:

no icmp permit any outside
no icmp permit any inside

If it still doesn't work, post your running config and output from show version
AXISHK (asker) replied:

I already put this command into my PIX, but it could still respond from outside...

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password RzutoCINEX4Aueys encrypted
passwd eo9Ygj12r0TcgQiz encrypted
hostname xyz-bj-pix
domain-name anlai.com
clock timezone HKT 8
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 133 permit ip 192.160.5.0 255.255.255.0 192.160.1.0 255.255.255.0
access-list 177 permit ip 192.160.5.0 255.255.255.0 20.100.0.0 255.255.0.0
access-list 177 permit ip 192.160.5.0 255.255.255.0 20.101.0.0 255.255.0.0
access-list 177 permit ip 192.160.5.0 255.255.255.0 20.90.50.0 255.255.255.0
access-list 144 permit ip 192.160.5.0 255.255.255.0 20.100.0.0 255.255.0.0
access-list 144 permit ip 192.160.5.0 255.255.255.0 20.101.0.0 255.255.0.0
access-list 144 permit ip 192.160.5.0 255.255.255.0 20.90.50.0 255.255.255.0
access-list 144 permit ip 192.160.5.0 255.255.255.0 192.160.1.0 255.255.255.0
access-list 144 permit ip 192.160.5.0 255.255.255.0 192.160.3.0 255.255.255.0
access-list 144 permit ip 192.160.5.0 255.255.255.0 192.160.4.0 255.255.255.0
access-list 144 permit ip 192.160.5.0 255.255.255.0 192.160.2.0 255.255.255.0
access-list 188 permit ip 192.160.5.0 255.255.255.0 192.160.3.0 255.255.255.0
access-list 199 permit ip 192.160.5.0 255.255.255.0 192.160.4.0 255.255.255.0
access-list 200 permit ip 192.160.5.0 255.255.255.0 192.160.2.0 255.255.255.0
access-list 234 deny udp host 192.160.5.37 any eq domain
access-list 234 permit ip any any
pager lines 24
logging on
logging timestamp
logging buffered debugging
logging facility 1
mtu outside 1500
mtu inside 1500
ip address outside xxxxxx  255.255.255.248
ip address inside 192.160.5.10 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 0.0.0.0 255.255.255.255 outside
pdm location 192.168.1.1 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 192.160.1.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 xxxxxxx
nat (inside) 0 access-list 144
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 xxxxxxx 1
timeout xlate 0:15:00
timeout conn 0:15:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server xxxxxx source outside
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.1.1 255.255.255.255 inside
http 192.160.5.0 255.255.255.0 inside
snmp-server host inside 192.160.1.38
no snmp-server location
no snmp-server contact
snmp-server community shotgun
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set xyz esp-3des esp-md5-hmac
crypto ipsec transform-set xyzusa esp-3des esp-md5-hmac
crypto ipsec transform-set xyztw esp-3des esp-md5-hmac
crypto ipsec transform-set xyzsh esp-3des esp-md5-hmac
crypto ipsec transform-set xyzsz esp-3des esp-md5-hmac
crypto map xz 1 ipsec-isakmp
crypto map xz 1 match address 133
crypto map xz 1 set peer xxxxxx
crypto map xz 1 set transform-set xyz
crypto map xz 30 ipsec-isakmp
crypto map xz 30 match address 177
crypto map xz 30 set peer xxxxxxx
crypto map xz 30 set transform-set xyzusa
crypto map xz 30 set security-association lifetime seconds 86400 kilobytes 4608000
crypto map xz 40 ipsec-isakmp
crypto map xz 40 match address 188
crypto map xz 40 set peer xxxxxx
crypto map xz 40 set transform-set xyztw
crypto map xz 40 set security-association lifetime seconds 86400 kilobytes 4608000
crypto map xz 50 ipsec-isakmp
crypto map xz 50 match address 199
crypto map xz 50 set peer xxxxx
crypto map xz 50 set transform-set xyzsh
crypto map xz 50 set security-association lifetime seconds 86400 kilobytes 4608000
crypto map xz 60 ipsec-isakmp
crypto map xz 60 match address 200
crypto map xz 60 set peer xxxxxx
crypto map xz 60 set transform-set xyzsz
crypto map xz 60 set security-association lifetime seconds 86400 kilobytes 4608000
crypto map xz interface outside
crypto map vpnmap 40 ipsec-isakmp
crypto map vpnmap 40 match address 188
crypto map vpnmap 40 set peer xxxxx
crypto map vpnmap 40 set transform-set xyztw
crypto map vpnmap 40 set security-association lifetime seconds 86400 kilobytes 4608000
isakmp enable outside
isakmp key ******** address xxxxxx netmask 255.255.255.255
isakmp key ******** address xxxxxx netmask 255.255.255.255
isakmp key ******** address xxxxx netmask 255.255.255.255
isakmp key ******** address xxxxxx netmask 255.255.255.255
isakmp key ******** address xxxxxx netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 20000
isakmp policy 11 authentication pre-share
isakmp policy 11 encryption 3des
isakmp policy 11 hash md5
isakmp policy 11 group 2
isakmp policy 11 lifetime 86400
telnet 192.168.1.1 255.255.255.255 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.160.5.0 255.255.255.0 inside
telnet 192.160.1.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh xxxxxx 255.255.0.0 outside
ssh xxxxx 255.255.0.0 outside
ssh timeout 60
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:88a4c3d04f6a0ad0d892b3d57e38d0df
NetoMeter Screencasts replied:
Hi!
I don't see anywhere in your config:
------------
access-list outside deny icmp any any
access-group outside in interface outside
------------

Did you type "write mem" after changing the config?

Dean
AXISHK (asker) replied:

Before, I had put it in the PIX but it didn't work, so I removed it.
I have done "write mem" but it doesn't help.


pix(config)# sh access-list outside
access-list outside; 1 elements
access-list outside line 1 deny icmp any any (hitcnt=7)

Although the access-list shows ICMP is blocked, the PIX could still reply...
ASKER CERTIFIED SOLUTION
renill replied:
This will disable ping replies from the outside interface.
No one will be able to ping your firewall's outside IP address.

access-list outside deny icmp any host Outside_IF_IP echo-reply



>> I want to stop my PIX from responding to ICMP ping from the outside, and put the following in my PIX:

I believe I have answered the question.

renill
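The configuration the thread circles around, written out as an added example; it is not from any of the posters above. It uses PIX 6.3 syntax as in the posted running config and assumes the external interface is named outside; keeping unreachable and time-exceeded messages is an assumption about what the site wants. Lines beginning with ! are explanatory notes, not commands to type.

```text
! Added example (PIX 6.3 syntax), not code from any poster on this page.
!
! Access lists bound with "access-group" filter traffic passing THROUGH
! the PIX. ICMP addressed to the PIX's own interface address is controlled
! by the "icmp" command instead, so this pair only affects transit ICMP:
!
!   access-list outside deny icmp any any
!   access-group outside in interface outside
!
! "no icmp permit any outside" only removes a permit entry. With no icmp
! entries at all on an interface, the PIX answers every ICMP type sent to
! that interface. Once any icmp entry exists for an interface, ICMP to it
! that matches no entry is dropped (implicit deny at the end of the list),
! so the permits wanted are listed explicitly below.

! Stop answering echo requests sent to the outside interface address.
icmp deny any echo outside
! Assumption: keep the control messages that path MTU discovery and
! traceroute rely on. Remove these two lines to silence the interface fully.
icmp permit any unreachable outside
icmp permit any time-exceeded outside
! Everything else addressed to the outside interface is dropped.
icmp deny any outside

write memory

! Verification
!   show icmp                  -> lists the icmp entries above, in order
!   ping <outside IP> from an external host now times out
!   show access-list outside   -> hit counts there are ICMP matched by the
!                                 interface ACL, not pings to the PIX itself
```

The same split applies in reverse: an access-list that permits ICMP through the PIX does not by itself make the firewall answer pings to its own address, so when testing, ping the interface address and a NATed inside host separately.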