GRC and Cisco PIX 501

Hi Folks,

I have a Cisco PIX 501 and now that it is up and running. I went to test it out at GRC dot com using "Shields Up" on "Common Ports" and received the following message:

Ping Reply: RECEIVED (FAILED) - Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation.

So I am wondering how I can block this as GRC states I should be able to. Please be aware that I am very new at this and it was quite a task for me to get up and running in the first place. I AM slowly figuring things out though.

How can I block an ICMP ping request from the command line with a Cisco PIX 501?

Thanks everyone.

Networking Student

Unfortunately, at the same time you did NOT receive a message suggesting that you visit and think about the content at


Ping of the firewall is controlled by the 'icmp' command.

When you block icmp echo to the PIX, be sure to still allow icmp echo-reply, icmp time-exceeded and icmp unreachable.

Also note that if you have no icmp command applied to the outside interface, then all icmp is permitted to the PIX itself, but if you put in even one icmp command applied to the outside interface then that default permit no longer applies and you must specify everything you want to permit to the PIX.

The icmp command only applies to icmp sent to the PIX outside interface IP -- but that includes the case where you are using global (outside) interface to PAT all the inside traffic to the outside IP. In the more general case where you have several IPs in your global pool, or have static commands to multiple outside IPs, then the icmp command does not apply to those: traffic addressed to any IP other than the outside interface IP is controlled by the access-group applied to the outside interface.

Walter Roberson
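The configuration Walter describes, written out as an added example (this is not Walter's own configuration or anything from the original thread). It assumes PIX 6.x syntax and that the Internet-facing interface is named "outside"; adjust the interface name to match your own "nameif" configuration.

```cisco
! Added example, not from the original post. Assumes PIX 6.x and an
! Internet-facing interface named "outside".
!
! The PIX evaluates its icmp entries for an interface top-down, first match
! wins. As soon as one icmp entry exists for the interface, the default
! "permit everything to the PIX" no longer applies, so every ICMP type you
! still need must be listed explicitly.
icmp deny any echo outside
icmp permit any echo-reply outside
icmp permit any time-exceeded outside
icmp permit any unreachable outside
!
! Check what is applied before and after the change.
show icmp
!
! The icmp command only covers traffic sent to the outside interface IP
! itself (including PAT to that IP). ICMP addressed to other global or
! static outside addresses is governed by the access-list bound to the
! outside interface instead, so the same types are permitted there;
! your existing permit lines for published services belong in this list.
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit icmp any any unreachable
access-group outside_in in interface outside
```

After applying the icmp entries, a ping from the outside to the PIX address should time out, while a ping or traceroute launched from the inside still gets its replies back (echo-reply and time-exceeded are still permitted in), and path MTU discovery continues to work because unreachable is permitted in.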

Networking Student wrote:

Hiding ICMP is a very weak and obscure countermeasure. So if you think you'll need to hide your firewall from the internet better

- buy a better firewall

- or disconnect it from the public internet

ICMP is not only used for exploring the network, it is also needed for discovering the path MTU, for example.

If you don't want your firewall responding to icmp echo-reply (don't answer "ping"), be sure to allow all needed icmp subtypes.

Best is to simply ignore this stupid warning and read Walter's answer to your question.

Uli Link

I understand and I appreciate everyone's help thus far, especially yours, Walter. I had read a few negative things about GRC, but now there is little doubt that it's not a good place for quality information.

Networking Student

Networking Student wrote:

GRC is really o.k. for a Windooze newbie connected to the internet for the first time. It is also o.k. for verifying your $10 new-in-box DSL router bought at your local supermarket.

It was not designed for professional equipment needing a professional configuration.

Uli Link
