dtadmin asked:

block icmp from outside pix interface

I have configured "inspect icmp" on my PIX to allow pings originating from the internal network to go outside and back in. Now I want to block anyone on the outside from being able to ping the outside interface of my PIX. Can I do the following to make that work:

pix(config)#icmp deny any echo-reply outside

JFrederick29

Close:

conf t
icmp deny any echo outside

By the way, ICMP is disabled by default, so unless you have "icmp permit any outside" right now, you don't need to deny it.

You can always just add "icmp permit any echo-reply outside" to allow the PIX to ping but this will deny pinging to the PIX itself.

dtadmin (ASKER)

Just so I'm understanding correctly: the "icmp permit any echo-reply outside" will allow me to ping to the outside from the PIX itself, but at the same time deny anyone on the internet from being able to ping my firewall.

Yes, correct. As long as you aren't permitting any other ICMP to the outside.

dtadmin (ASKER)

Will this affect any of my VPN sessions by doing this?

This only affects ICMP to the PIX. It will have no effect on anything else. Are you permitting ICMP now? If you do a "show run icmp", what returns?

dtadmin (ASKER)

icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside