Deny icmp inbound on the outside interface, at least for echo-request. If you want your internal hosts able to ping hosts on the Internet, make sure you add the applicable permit statements before anything which would deny them.
The icmp command controls ICMP traffic that is received by the firewall. If no ICMP control list is configured, then the PIX firewall accepts all ICMP traffic that terminates at any interface (including the outside interface), except that the PIX firewall does not respond to ICMP echo requests directed to a broadcast address.
For ICMP traffic that is routed through the PIX firewall only, you can use the access-list and access-group commands to control the ICMP traffic routed through the firewall.
It is recommended by Cisco that permission be granted for ICMP unreachable message type (type 3). Denying ICMP unreachable messages disables ICMP Path MTU discovery, which can halt IPSec and PPTP traffic.
If an ICMP control list is configured, then the PIX uses a first match to the ICMP traffic followed by an implicit deny all.
To deny all ping requests and permit all unreachable messages at the outside interface:
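An added configuration example (not from the original post or Cisco's documentation) showing both controls described above on a PIX 6.x: the `icmp` command for traffic terminating on the outside interface, and an access list for ICMP routed through the firewall so that internal hosts still receive the replies to their own pings. The access-list name `outside_in` and the interface name `outside` are assumptions.

```cisco
! ICMP terminating on the firewall's outside interface.
! First match wins, then the implicit deny all applies.
icmp deny any echo outside
icmp permit any unreachable outside

! ICMP routed through the firewall (inbound on the outside interface).
! Permit the reply types internal hosts need, keep echo-request out.
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any unreachable
access-list outside_in permit icmp any any time-exceeded
! Everything else, including inbound echo (ping) requests, is denied
! by the implicit deny at the end of the access list.
access-group outside_in in interface outside
```

Verify with `show icmp` and `show access-list outside_in`; the hit counters on the `unreachable` entries should increment during normal Path MTU discovery, which confirms type 3 is not being dropped.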