
ICMP reply

Status
Not open for further replies.

olana

Technical User
Sep 2, 2002
12
DE
I have the following access list that I have applied to the outside interface of a PIX 501.

access-list acl_in deny ip host 255.255.255.255 any
access-list acl_in deny ip host 10.0.0.0 any
access-list acl_in deny icmp any any
access-list acl_in permit tcp any host xxx.xxx.xxxx.xxx eq www
access-list acl_in permit tcp any host xxx.xxx.xxxx.xxx eq ftp
access-list acl_in permit tcp any xxx.xxx.xxxx.xxx eq www
access-list acl_out permit tcp xxx.xxx.xxxx.xxx 255.255.255.240 any eq www


access-group acl_in in interface outside
access-group acl_out in interface inside

In spite of that, I receive a reply when I ping from outside to the external address of the PIX.

Can anyone tell me the reason for the ping reply?

Thanks
 
Hi.

You can block ICMP to the PIX's own interface in the following ways:

1)
Use "ip audit" (recommended):

ip audit name attack1 attack alarm drop reset
ip audit name info1 info alarm drop
ip audit interface outside attack1
ip audit interface outside info1


2)
Use the ICMP command:


Bye
Yizhar Hurwitz
 
Thank you, Yizhar. Does it mean that the command "access-list acl_in deny icmp any any" can't prevent pinging an interface?

Regards



 