icmp traffic

Status
Not open for further replies.
Jan 1, 2001
Hi,
I have servers behind a PIX and I want to restrict ICMP traffic to those servers. Must I restrict all types of ICMP?
 
If you do not want any ICMP traffic to come to those servers, then there is nothing that you need to do. By default nothing is allowed inbound that didn't originate from an outbound connection. If you want to make sure that no ICMP traffic can get to your inside network, then just add...

access-list inbound deny icmp any any

I hope this helps

Dave
 
Remember, you need three pieces: a static mapping to the server, an access-list to permit the traffic, and an access-group statement to apply the access-list to the outside interface.

You would only use one of the two access-list commands in the following example. The first one opens you wide for pings to anything. The second only allows you to ping to the external IP of the server in question.

Add more access-list and static lines for more servers.

static (inside,outside) 1.2.3.4 192.168.10.10 netmask 255.255.255.255 0 0
access-list fromout permit icmp any any
access-list fromout permit icmp any host 1.2.3.4
access-group fromout in interface outside

hope this helps,
-gbiello
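
Added example, not part of the original thread: a small Python check for the three pieces listed in the post above (static, access-list, access-group) that flags the case where both access-list lines are left in. The function names are hypothetical, and the parser assumes well-formed lines in only the three statement forms shown in this thread.

```python
# Constructed sample: the post's config with BOTH access-list lines left in.
SAMPLE = """\
static (inside,outside) 1.2.3.4 192.168.10.10 netmask 255.255.255.255 0 0
access-list fromout permit icmp any any
access-list fromout permit icmp any host 1.2.3.4
access-group fromout in interface outside
"""

def _addr(tok):
    """Consume one address spec (any | host X | net mask); return (spec, rest)."""
    if not tok or tok[0] == "any":
        return "any", tok[1:]
    if tok[0] == "host":
        return tok[1], tok[2:]
    return f"{tok[0]}/{tok[1]}", tok[2:]

def audit_icmp(config):
    """Return findings for ICMP permit rules in a PIX-style config (hypothetical helper)."""
    statics, bound, rules = set(), set(), []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) >= 4 and tok[0] == "static":
            statics.add(tok[2])                # external (mapped) address
        elif len(tok) >= 5 and tok[0] == "access-group":
            bound.add(tok[1])                  # ACL applied to an interface
        elif len(tok) >= 6 and tok[0] == "access-list" and tok[3] == "icmp":
            rules.append((tok[1], tok[2], tok[4:]))
    findings, wide_open = [], set()
    for name, action, rest in rules:           # ACLs are first-match, keep order
        if action != "permit":
            continue
        src, rest = _addr(rest)
        dst, icmp_type = _addr(rest)           # leftover tokens = ICMP type, if any
        rule = f"{name}: permit icmp to {dst}"
        if name not in bound:
            findings.append(f"{rule}: ACL has no access-group, rule is inactive")
        if name in wide_open:
            findings.append(f"{rule}: redundant, an earlier any-any permit already matches")
        elif dst == "any":
            kind = " ".join(icmp_type) or "all ICMP types"
            findings.append(f"{rule}: opens {kind} to every mapped host")
            if src == "any" and not icmp_type:
                wide_open.add(name)
        elif "/" not in dst and dst not in statics:
            findings.append(f"{rule}: no static mapping for {dst}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_icmp(SAMPLE)))
```

With only the host-specific access-list line kept, as the post recommends, the check returns no findings.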
 