dtadmin

block icmp from outside pix interface

I have configured "inspect icmp" on my pix to allow pings originated from the internal network to go outside and back in. Now I want to block anyone on the outside from being able to ping the outside interface of my pix. Can I do the following to make that work:

pix(config)#icmp deny any echo-reply outside
Last Comment
JFrederick29

8/22/2022 - Mon
JFrederick29

Close:

conf t
icmp deny any echo outside
JFrederick29

By the way, ICMP is disabled by default so unless you have "icmp permit any outside", right now, you don't need to deny it.

You can always just add "icmp permit any echo-reply outside" to allow the PIX to ping but this will deny pinging to the PIX itself.
dtadmin

ASKER
Just so I'm understanding correctly: the "icmp permit any echo-reply outside" will allow me to ping to the outside from the pix itself, but at the same time deny anyone on the internet from being able to ping my firewall.
JFrederick29

Yes, correct.  As long as you aren't permitting any other ICMP to the outside.
dtadmin

ASKER
Will this affect any of my VPN sessions by doing this?
JFrederick29

This only affects ICMP to the PIX. It will have no effect on anything else. Are you permitting ICMP now? If you do a "show run icmp", what returns?
dtadmin

ASKER
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
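
Added example, not part of the thread and not Cisco code: a small Python evaluator for the to-the-box `icmp` rules discussed above, run against the `show run icmp` output posted here and two constructed variants. It assumes the list is evaluated top-down with first match winning, that an interface with at least one `icmp` rule drops unmatched ICMP, and that an interface with no `icmp` rule accepts ICMP addressed to it; only the `any` source form is parsed, and all function and variable names are hypothetical.

```python
import re

# Only the "any" form seen in this thread: icmp {permit|deny} any [icmp_type] if_name
RULE = re.compile(r"^icmp\s+(permit|deny)\s+any(?:\s+(\S+))?\s+(\S+)$")

def parse_icmp_rules(config_text):
    """Return [(action, icmp_type_or_None, interface)] in configuration order."""
    rules = []
    for line in config_text.splitlines():
        line = line.strip()
        m = RULE.match(line)
        if m:
            rules.append(m.groups())
        elif re.match(r"^icmp\s+(permit|deny)\b", line):
            raise ValueError("unsupported rule form: " + line)
        # anything else (e.g. "icmp unreachable rate-limit ...") is not a filter rule
    return rules

def verdict(rules, interface, icmp_type):
    """Decide what happens to ICMP addressed to the firewall's own interface."""
    on_if = [r for r in rules if r[2] == interface]
    if not on_if:
        return "permit"  # assumption: no icmp rule on this interface, nothing filtered
    for action, rule_type, _ in on_if:
        if rule_type is None or rule_type == icmp_type:
            return action  # first match wins
    return "deny"  # implicit deny once the interface has any rule

def report(config_text, interface="outside"):
    rules = parse_icmp_rules(config_text)
    return {t: verdict(rules, interface, t) for t in ("echo", "echo-reply")}

# The asker's posted output, then two constructed variants built from it.
POSTED = """icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside"""
DENY_APPENDED = POSTED + "\nicmp deny any echo outside"
ECHO_REPLY_ONLY = POSTED.replace("icmp permit any outside",
                                 "icmp permit any echo-reply outside")

if __name__ == "__main__":
    for name, cfg in [("posted", POSTED), ("deny appended", DENY_APPENDED),
                      ("echo-reply only", ECHO_REPLY_ONLY)]:
        print(f"{name:16} {report(cfg)}")
```

Under these assumptions, a `deny` entered after the existing `icmp permit any outside` is never reached, so the broad permit has to be removed (`no icmp permit any outside`) before either suggested command changes the result.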