Disable ICMP & SNMP community string

How can I disable inbound ICMP to a PIX 506 6.3(4)?

Are there any rules of thumb for the SNMP community string? Should it be a strong password string? If SNMP is disabled, is logging for the PIX disabled too?

J1C

Addressed to the PIX itself:

icmp deny any outside

Addressed to internal devices: just don't permit it ;-) Or,

access-list out2in deny icmp any any
access-list out2in permit .... whatever
access-group out2in in interface outside

Note: if you deny all inbound ICMP, then you break Path MTU Discovery (PMTUD), which is Not A Good Thing. It is better to permit inward icmp unreachable and icmp time-exceeded .

logging is independent of SNMP. logging is done by outward UDP 514 packages (or as otherwise configured); SNMP is inward UDP 161 (and replies), and outward UDP 162 for the rare SNMP Trap.

The rule of thumb for SNMP is "If you need an outside system to be able to SNMP your PIX, then that outside system should probably be contacting the PIX via a VPN."

Walter Roberson

This is what I've got...

access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable

J1C

That should be good for restricting icmp access "through" the PIX, provided that you do not later have a "permit ip" to the same host (as ip includes icmp.)

The above will not, though, restrict icmp access to the PIX IP itself: you need the 'icmp' command for that.

Walter Roberson

Ok, so I can tack on icmp deny any outside to the end to accomplish ICMP access restrictions to the PIX itself?

J1C

In article , J1C wrote:
:Ok, so I can tack on icmp deny any outside to the end to accomplish
:ICMP access restrictions to the PIX itself?

Yes, but probably you instead want to use "icmp permit" to permit unreachable and time-exceeded (and echo-reply if you want to be able to issue pings from the PIX CLI itself).

If you have any icmp command for an interface, then any icmp not permitted is denied to the PIX itself, but if you have no icmp command for the interface then everything is permitted to the PIX itself.

Walter Roberson

Hello, Walter! You wrote on Thu, 26 Jan 2006 20:54:35 GMT:

??>> access-list 100 permit icmp any any echo-reply
??>> access-list 100 permit icmp any any time-exceeded
??>> access-list 100 permit icmp any any unreachable

WR> That should be good for restricting icmp access "through" the
WR> PIX, provided that you do not later have a "permit ip" to the
WR> same host (as ip includes icmp.)

I hate to disagree, Walter, but "permit ip" on PIX doesn't allow icmp.

With best regards, Andrey.

Andrey Tarasov

That does not agree with my experience or with the documentation.

Name or number of an IP protocol. It can be one of the keywords icmp, ip, tcp, or udp, or an integer in the range 1 to 254 representing an IP protocol number. To match any Internet protocol, including ICMP, TCP, and UDP, use the keyword ip.

Walter Roberson
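Pulling the thread's advice together into one PIX 6.3-style fragment (an added example, not configuration posted by anyone in the thread; the interface name outside and ACL number 100 are assumptions):

```cisco
! --- ICMP passing THROUGH the PIX to inside hosts ---
! Only the message types PMTUD and traceroute depend on, plus replies
! to pings that inside hosts originate. Everything else is dropped by
! the implicit deny at the end of the list.
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
! Do NOT add a broad "permit ip any any" later in this list: per the
! PIX documentation the keyword ip matches every IP protocol, ICMP
! included, and it would re-open what the lines above restrict.
access-group 100 in interface outside

! --- ICMP addressed TO the PIX's own outside address ---
! The access-list above does not govern to-the-box traffic; the icmp
! command does. As soon as one icmp line exists for an interface,
! anything not explicitly permitted there is denied, so the final
! deny is only stating that default out loud.
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp permit any echo-reply outside
icmp deny any outside
```

Leaving out the icmp echo-reply line means pings issued from the PIX CLI itself will never see their replies; leaving out unreachable breaks PMTUD for the firewall's own connections, the same problem the thread warns about for transit traffic.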

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.