ICMP, the minimum to ping the internet but not the PIX to be pinged

Hi guys,

I am dealing with a PIX 515 at the moment with VPN.

The network behind the inside interface is going to the internet; the hosts are NATed to the external if.

The access-list for internet traffic is

access-list internet_out; 5 elements
access-list internet_out line 1 permit udp any any eq domain (hitcnt=458)
access-list internet_out line 2 permit tcp any any eq www (hitcnt=2237)
access-list internet_out line 3 permit tcp any any eq https (hitcnt=81)
access-list internet_out line 4 permit tcp any any eq ftp (hitcnt=0)
access-list internet_out line 5 permit icmp any any (hitcnt=365)

I've also got this access-list

access-list ANY_ICMP; 1 elements
access-list ANY_ICMP line 1 permit icmp any any (hitcnt=69)

and the access-group is

access-group ANY_ICMP in interface external

It works but the firewall can be pinged from the outside Internet. I do not like it.

What are the commands to type so that only the inside hosts can ping the hosts on the internet and the PIX cannot be pinged on its external interface?

Thank you very much,


Alexandre Durbuy

Access-lists apply only to traffic going through the PIX. If you want to allow or deny ICMP traffic terminating on an interface, then you need the icmp command.

Jyri Korhonen

icmp deny any outside

Greetings Gerd

Gerd EMail
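
An added example, not part of any reply in this thread: the two mechanisms from the answers side by side, for the configuration shown in the question. It assumes PIX 6.x syntax and uses the interface name external from the access-group line in the question; lines beginning with ! are annotations, not commands.

```cisco
! --- Before (from the question) ---------------------------------------
! access-list ANY_ICMP permit icmp any any
! access-group ANY_ICMP in interface external
! The ACL only filters ICMP passing THROUGH the PIX. It has no effect on
! pings addressed to the external interface itself, which the PIX answers
! by default.

! --- To-the-box ICMP: the icmp command ---------------------------------
! Entries are evaluated in order, first match wins. Keep "unreachable" so
! the PIX can still receive the messages needed for path MTU discovery,
! then drop every other ICMP type sent to the interface, echo included.
icmp permit any unreachable external
icmp deny any external

! --- Through-the-box ICMP: tighten the inbound ACL ---------------------
! Inside hosts only need the answers to their own pings and traceroutes.
! Add the specific reply types first, then remove the broad entry, so the
! ACL is never left empty while it is bound to the interface.
access-list ANY_ICMP permit icmp any any echo-reply
access-list ANY_ICMP permit icmp any any time-exceeded
access-list ANY_ICMP permit icmp any any unreachable
no access-list ANY_ICMP permit icmp any any

! --- Check --------------------------------------------------------------
! show icmp                  lists the to-the-box rules per interface
! show access-list ANY_ICMP  hit counts should rise on echo-reply when an
!                            inside host pings an internet host
show icmp
show access-list ANY_ICMP
```

After the change, a ping from an inside host to an internet address should still succeed, while a ping from an outside host to the external interface address should time out.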
