Solved

Block ICMP traffic to PIX

Posted on 2006-06-04
Last Modified: 2013-11-29
I want to stop my PIX from responding to ICMP ping from outside, and put the following in my PIX:

access-list outside deny icmp any any
access-group outside in interface outside

Afterwards, I still find my PIX responds to ICMP ping. Any idea about this?
Question by: AXISHK

7 Comments
Expert Comment by: naveedb (LVL 10), ID: 16830501
Try this:

no icmp permit any outside
no icmp permit any inside

If it still doesn't work, post your running config and the output from show version.
Author Comment by: AXISHK, ID: 16830621
I already put this command into my PIX, but it could still respond from outside...

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password RzutoCINEX4Aueys encrypted
passwd eo9Ygj12r0TcgQiz encrypted
hostname xyz-bj-pix
domain-name anlai.com
clock timezone HKT 8
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 133 permit ip 192.160.5.0 255.255.255.0 192.160.1.0 255.255.255.0
access-list 177 permit ip 192.160.5.0 255.255.255.0 20.100.0.0 255.255.0.0
access-list 177 permit ip 192.160.5.0 255.255.255.0 20.101.0.0 255.255.0.0
access-list 177 permit ip 192.160.5.0 255.255.255.0 20.90.50.0 255.255.255.0
access-list 144 permit ip 192.160.5.0 255.255.255.0 20.100.0.0 255.255.0.0
access-list 144 permit ip 192.160.5.0 255.255.255.0 20.101.0.0 255.255.0.0
access-list 144 permit ip 192.160.5.0 255.255.255.0 20.90.50.0 255.255.255.0
access-list 144 permit ip 192.160.5.0 255.255.255.0 192.160.1.0 255.255.255.0
access-list 144 permit ip 192.160.5.0 255.255.255.0 192.160.3.0 255.255.255.0
access-list 144 permit ip 192.160.5.0 255.255.255.0 192.160.4.0 255.255.255.0
access-list 144 permit ip 192.160.5.0 255.255.255.0 192.160.2.0 255.255.255.0
access-list 188 permit ip 192.160.5.0 255.255.255.0 192.160.3.0 255.255.255.0
access-list 199 permit ip 192.160.5.0 255.255.255.0 192.160.4.0 255.255.255.0
access-list 200 permit ip 192.160.5.0 255.255.255.0 192.160.2.0 255.255.255.0
access-list 234 deny udp host 192.160.5.37 any eq domain
access-list 234 permit ip any any
pager lines 24
logging on
logging timestamp
logging buffered debugging
logging facility 1
mtu outside 1500
mtu inside 1500
ip address outside xxxxxx  255.255.255.248
ip address inside 192.160.5.10 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 0.0.0.0 255.255.255.255 outside
pdm location 192.168.1.1 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 192.160.1.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 xxxxxxx
nat (inside) 0 access-list 144
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 xxxxxxx 1
timeout xlate 0:15:00
timeout conn 0:15:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server xxxxxx source outside
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.1.1 255.255.255.255 inside
http 192.160.5.0 255.255.255.0 inside
snmp-server host inside 192.160.1.38
no snmp-server location
no snmp-server contact
snmp-server community shotgun
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set xyz esp-3des esp-md5-hmac
crypto ipsec transform-set xyzusa esp-3des esp-md5-hmac
crypto ipsec transform-set xyztw esp-3des esp-md5-hmac
crypto ipsec transform-set xyzsh esp-3des esp-md5-hmac
crypto ipsec transform-set xyzsz esp-3des esp-md5-hmac
crypto map xz 1 ipsec-isakmp
crypto map xz 1 match address 133
crypto map xz 1 set peer xxxxxx
crypto map xz 1 set transform-set xyz
crypto map xz 30 ipsec-isakmp
crypto map xz 30 match address 177
crypto map xz 30 set peer xxxxxxx
crypto map xz 30 set transform-set xyzusa
crypto map xz 30 set security-association lifetime seconds 86400 kilobytes 4608000
crypto map xz 40 ipsec-isakmp
crypto map xz 40 match address 188
crypto map xz 40 set peer xxxxxx
crypto map xz 40 set transform-set xyztw
crypto map xz 40 set security-association lifetime seconds 86400 kilobytes 4608000
crypto map xz 50 ipsec-isakmp
crypto map xz 50 match address 199
crypto map xz 50 set peer xxxxx
crypto map xz 50 set transform-set xyzsh
crypto map xz 50 set security-association lifetime seconds 86400 kilobytes 4608000
crypto map xz 60 ipsec-isakmp
crypto map xz 60 match address 200
crypto map xz 60 set peer xxxxxx
crypto map xz 60 set transform-set xyzsz
crypto map xz 60 set security-association lifetime seconds 86400 kilobytes 4608000
crypto map xz interface outside
crypto map vpnmap 40 ipsec-isakmp
crypto map vpnmap 40 match address 188
crypto map vpnmap 40 set peer xxxxx
crypto map vpnmap 40 set transform-set xyztw
crypto map vpnmap 40 set security-association lifetime seconds 86400 kilobytes 4608000
isakmp enable outside
isakmp key ******** address xxxxxx netmask 255.255.255.255
isakmp key ******** address xxxxxx netmask 255.255.255.255
isakmp key ******** address xxxxx netmask 255.255.255.255
isakmp key ******** address xxxxxx netmask 255.255.255.255
isakmp key ******** address xxxxxx netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 20000
isakmp policy 11 authentication pre-share
isakmp policy 11 encryption 3des
isakmp policy 11 hash md5
isakmp policy 11 group 2
isakmp policy 11 lifetime 86400
telnet 192.168.1.1 255.255.255.255 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.160.5.0 255.255.255.0 inside
telnet 192.160.1.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh xxxxxx 255.255.0.0 outside
ssh xxxxx 255.255.0.0 outside
ssh timeout 60
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:88a4c3d04f6a0ad0d892b3d57e38d0df
Expert Comment by: NetoMeter Screencasts (LVL 11), ID: 16830689
Hi!
I don't see anywhere in your config:
------------
access-list outside deny icmp any any
access-group outside in interface outside
------------

Did you type "write mem" after changing the config?

Dean
Author Comment by: AXISHK, ID: 16830761
Before, I had put it in the PIX but it didn't work, so I removed it.
I have done "write mem" but it doesn't help.

pix(config)# sh access-list outside
access-list outside; 1 elements
access-list outside line 1 deny icmp any any (hitcnt=7)

Although the access-list shows ICMP is blocked, the PIX can still reply...
Accepted Solution by: renill (LVL 5, earned 2000 total points), ID: 16831031
icmp deny any echo outside

This would help you out.

For further details, check this:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
Expert Comment by: prashsax (LVL 13), ID: 16831052
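The accepted answer turns on a distinction that is easy to miss: on a PIX, an access-list bound with access-group filters traffic passing through the firewall, while ICMP addressed to the firewall's own interface address is controlled by the icmp command. The Python model below is an added example, not Cisco code and not something posted in this thread. It encodes that dispatch together with Cisco's documented icmp-table semantics (no entries: all ICMP to the interface is accepted; once any entry exists, the first match wins and an implicit deny closes the table), then runs the asker's ACL-only configuration and the accepted icmp deny any echo outside fix through it. The addresses 203.0.113.10, 198.51.100.7 and 192.0.2.1 are constructed placeholders (the real outside IP is redacted in the post); the model ignores hit counters, NAT and the inside interface.

```python
"""
Constructed model (added example, not Cisco code) of how a PIX decides
what to do with an ICMP packet arriving on the outside interface.

Two separate rule tables are involved:
  * the interface access-list bound with `access-group` filters traffic
    passing THROUGH the firewall;
  * the `icmp` command table governs traffic addressed TO the firewall's
    own interface address ("to-the-box" traffic).
That separation is why `access-list outside deny icmp any any` did not
stop the outside interface from answering pings.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

ECHO_REPLY, ECHO = 0, 8  # ICMP type numbers


@dataclass
class Packet:
    src: str
    dst: str
    icmp_type: int


@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    src: str = "0.0.0.0/0"           # "any"
    dst: str = "0.0.0.0/0"           # "any"
    icmp_type: Optional[int] = None  # None matches every ICMP type

    def matches(self, pkt: Packet) -> bool:
        return (IPv4Address(pkt.src) in IPv4Network(self.src)
                and IPv4Address(pkt.dst) in IPv4Network(self.dst)
                and self.icmp_type in (None, pkt.icmp_type))


def interface_acl_verdict(acl: List[Rule], pkt: Packet) -> str:
    """access-group semantics: first matching entry wins, implicit deny."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def icmp_table_verdict(icmp_rules: List[Rule], pkt: Packet) -> str:
    """`icmp` command semantics as Cisco documents them: with no entries,
    ICMP to the interface is accepted; once any entry exists, first match
    wins and an implicit deny ends the table."""
    if not icmp_rules:
        return "permit"
    for rule in icmp_rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def pix_verdict(pkt: Packet, outside_ip: str,
                acl: List[Rule], icmp_rules: List[Rule]) -> str:
    """Dispatch: to-the-box ICMP never consults the interface ACL."""
    if pkt.dst == outside_ip:
        return "accept" if icmp_table_verdict(icmp_rules, pkt) == "permit" else "drop"
    return "forward" if interface_acl_verdict(acl, pkt) == "permit" else "drop"


# Constructed addresses; the thread redacts the real outside IP as xxxxxx.
OUTSIDE_IP = "203.0.113.10"
INSIDE_HOST = "192.160.5.37"     # taken from the posted config
PROBE_SRC = "198.51.100.7"       # constructed external source

echo_to_pix = Packet(PROBE_SRC, OUTSIDE_IP, ECHO)
echo_through = Packet(PROBE_SRC, INSIDE_HOST, ECHO)


def askers_config() -> Tuple[str, str]:
    """access-list outside deny icmp any any + access-group on outside, and
    no `icmp` entries: through-traffic is dropped but the box still answers."""
    acl = [Rule("deny")]
    return (pix_verdict(echo_to_pix, OUTSIDE_IP, acl, []),
            pix_verdict(echo_through, OUTSIDE_IP, acl, []))


def accepted_solution() -> Tuple[str, str]:
    """icmp deny any echo outside, plus an explicit permit for echo-reply so
    the implicit deny does not also swallow answers to the PIX's own pings."""
    icmp_rules = [Rule("deny", icmp_type=ECHO),
                  Rule("permit", icmp_type=ECHO_REPLY)]
    reply_to_pix = Packet("192.0.2.1", OUTSIDE_IP, ECHO_REPLY)
    return (pix_verdict(echo_to_pix, OUTSIDE_IP, [], icmp_rules),
            pix_verdict(reply_to_pix, OUTSIDE_IP, [], icmp_rules))


if __name__ == "__main__":
    print("ACL-only config  (echo to box, echo through):", askers_config())
    print("icmp deny echo   (echo to box, echo-reply to box):", accepted_solution())
```

The first scenario reproduces the symptom in the question: the ACL drops echo requests headed for an inside host, yet an echo aimed at the outside address is accepted and answered because only the icmp table is consulted for it. The second scenario shows the fix, and also why a lone icmp deny entry should be paired with icmp permit any echo-reply outside: once the table has any entry, its implicit deny would otherwise discard the replies to pings the PIX itself sends.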
This will disable ping replies from the outside interface.
No one will be able to ping your firewall's outside IP address.

access-list outside deny icmp any host Outside_IF_IP echo-reply
Expert Comment by: renill (LVL 5), ID: 16831207
>> I want to disable my PIX from responding from external through ICMP ping and put the following in my PIX block

I believe I had answered the question.

renill