Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations derfloh on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Turning off ping on external ip

Status
Not open for further replies.
TheStressFactor

TheStressFactor

IS-IT--Management
Sep 24, 2002
229
US
Hello all,

Wondering what I can do to not allow my external ip of my pix to be pingable. Below is my config...can somebody let me know what syntax I need to add or remove to disallow ping capability to this ip? Thank you.

:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password 7DeygvHKjBuxNxrP encrypted
passwd 0fTucaWSYztRT69N encrypted
hostname myfirewall
domain-name mydomain.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
no fixup protocol http 80
names
access-list nonat permit ip 192.168.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat permit ip 192.168.3.0 255.255.255.0 192.168.77.0 255.255.255.0

access-list nonat permit ip 192.168.77.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list split permit ip 192.168.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list tunnel permit ip 192.168.3.0 255.255.255.0 192.168.77.0 255.255.255.
0
access-list tunnel permit ip 192.168.77.0 255.255.255.0 192.168.3.0 255.255.255.
0
access-list outside permit tcp any host x.x.x.67 eq smtp
access-list outside permit icmp any any
access-list outside permit tcp any host x.x.x.67 eq https
access-list outside permit tcp any host x.x.x.x.67 eq www
pager lines 24
interface ethernet0 100basetx
interface ethernet1 100basetx
interface ethernet2 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside x.x.x.67 255.255.255.240
ip address inside 192.168.3.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.1.1.1-10.1.1.50
pdm location 192.168.0.0 255.255.255.0 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 192.168.3.2 255.255.255.255 inside
pdm location 192.168.4.0 255.255.255.0 inside
pdm location 192.168.5.0 255.255.255.0 inside
pdm location x.x.x.65 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 192.168.3.0 255.255.255.0 0 0
nat (inside) 1 192.168.4.0 255.255.255.0 0 0
nat (inside) 1 192.168.5.0 255.255.255.0 0 0
static (inside,outside) tcp x.x.x.67 smtp 192.168.3.2 smtp netmask 255.255.
255.255 0 0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.65 1
route inside 192.168.0.0 255.255.255.0 192.168.3.6 1
route inside 192.168.1.0 255.255.255.0 192.168.3.6 1
route inside 192.168.4.0 255.255.255.0 192.168.3.6 1
route inside 192.168.5.0 255.255.255.0 192.168.3.6 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set transform esp-3des esp-sha-hmac
crypto ipsec transform-set home esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set home
crypto map testmap 10 ipsec-isakmp
crypto map testmap 10 match address tunnel
crypto map testmap 10 set peer x.x.x.83
crypto map testmap 10 set transform-set transform
crypto map testmap 10 set security-association lifetime seconds 3600 kilobytes 8
192
crypto map testmap 999 ipsec-isakmp dynamic dynmap
crypto map testmap interface outside
crypto map marinohome 10 ipsec-isakmp dynamic dynmap
isakmp enable outside
isakmp key ******** address x.x.x.83 netmask 255.255.255.248
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
 
Sort by date Sort by votes
You'd get rid of this line:
"access-list outside permit icmp any any"
by typing
"no access-list outside permit icmp any any"
from a config prompt.
-gbiello
 
Upvote 0 Downvote
Here is what I put in my pix 515

icmp deny any outside

With that and what gbiello mentioned you should be good to go.
 
Upvote 0 Downvote
If you are wanting to be able to ping from your internal to the external world, you would then add...

access-list outside permit icmp any any echo-reply
access-list inbound permit icmp any any time-exceeded

after getting rid of the...

access-list permit icmp any any

This will allow icmp packets that originated on the inside to go outbound and to return the echo-reply or the time-exceeded.

The deny icmp any outside as stated in the previous post will not allow anyone to ping the external interface of the PIX, the access-lists will stop anyone on the outside from pinging anything on the internal network. Your access-list icmp permit any any will let anyone to ping anything on the inside.
 
Upvote 0 Downvote
HI.

In addition to the above answers, you can also enable the pix IDS features. Ping attempts are considered "info" IDS signatures, and you can choose if you want them logged, blocked or both.
You can play with IDS to see the results.

Here is how to enable IDS to log (syslog level 4) any PING from the outside (but let the ACL decide if it can pass or not), and log+block more severe attacks:

ip audit name info1 info action alarm
ip audit name attack1 attack action alarm drop reset
ip audit interface outside info1
ip audit interface outside attack1

Just note that the IDS of the pix is limitted. It does not detect any HTTP attacks.
Still it's not a bad idea to enable it, unless you have performance stress on the pix.

Bye
Yizhar Hurwitz
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
729
Sameer258
Sameer258
Sparrow4
  • Locked
  • Question
Configure Avaya IPO R11 / VM Pro + Office365 or Exchange for voicemail to email
Replies
2
Views
617
Johnkite
Johnkite
XLNTech1
  • Locked
  • Question
iptables port forwarding
Replies
0
Views
555
XLNTech1
XLNTech1
ciscokid1984
  • Locked
  • Question
Watchguard RDP from external network
Replies
1
Views
238
hairlessupportmonkey
hairlessupportmonkey
Garbear
  • Locked
  • Question
TZ190 VPN Connection works but can't ping some IP's on either side
Replies
0
Views
120
Garbear
Garbear

Part and Inventory Search

Sponsor

Back
Top