ICMP reply

[olana]

I have the following access list that I have applied to the outside interface of pix 501.

access-list acl_in deny ip host 255.255.255.255 any
access-list acl_in deny ip host 10.0.0.0 any
access-list acl_in deny icmp any any
access-list acl_in permit tcp any host xxx.xxx.xxxx.xxx eq www
access-list acl_in permit tcp any host xxx.xxx.xxxx.xxx eq ftp
access-list acl_in permit tcp any xxx.xxx.xxxx.xxx eq www
access-list acl_out permit tcp xxx.xxx.xxxx.xxx 255.255.255.240 any eq www


access-group acl_in in interface outside
access-group acl_out in interface inside

Inspite of that I receive a reply when I ping from outside to the external address of the pix.

Can anyone tell me the reason for the ping reply?

Thanks

 

[yizhar]

HI.

You can block ICMP to the pix own interface in the following ways:

1)
Use "ip audit" (recommended):

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/gl.htm#xtocid9

ip audit name attack1 attack alarm drop reset
ip audit name info1 info alarm drop
ip audit interface outside attack1
ip audit interface outside info1


2)
Use the ICMP command:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/gl.htm#xtocid5

Bye
Yizhar Hurwitz

http://come.to/yizhar

http://teachers.sivan.co.il/yizhar

 

[olana]

Thank you Yizhar. Does it mean that the command "access-list acl_in deny icmp any any" `cann't prevent pinging in to an interface?

Regards

 

[yizhar]

HI.

Yes, I guess so.

Read here:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/gl.htm#xtocid5

"The icmp command controls ICMP traffic that terminates on the PIX Firewall. If no ICMP control list is configured, then the PIX Firewall accepts all ICMP traffic that terminates at the interface."

Bye
Yizhar Hurwitz

http://come.to/yizhar

http://teachers.sivan.co.il/yizhar