Ping outside from internal interface ?

Hi,

I have a problem with pinging outside from my PIXes:

I have a PIX 506E and a PIX 515E, and some NATed Internet servers inside each PIX.

I found these Internet applications can be pinged when I enable the ICMP feature for Internet users like the following:

access-list Out_Access_In permit icmp any any
access-group Out_Access_In in interface outside

icmp permit any unreachable outside
icmp deny any echo-reply outside

But I just want the internal users to be able to ping outside, while I do not want Internet users to be able to ping my Internet servers.

How can I achieve this goal?

Thank you,
Benson

Reply to
bensonlei

In article , wrote:
:I have a problem with pinging outside from my PIXes:
:
:I have a PIX 506E and a PIX 515E, and some NATed Internet servers inside
:each PIX.
:
:I found these Internet applications can be pinged when I enable the
:ICMP feature for Internet users like the following:
:
:access-list Out_Access_In permit icmp any any
:access-group Out_Access_In in interface outside
:
:icmp permit any unreachable outside
:icmp deny any echo-reply outside
:
:But I just want the internal users to be able to ping outside, while I do not
:want Internet users to be able to ping my Internet servers.

access-list Out_Access_In permit icmp any any echo-reply
access-group Out_Access_In in interface outside

and drop the 'icmp' commands.

The 'icmp' commands control how the PIX itself will respond to icmp, on behalf of itself, and not what happens for any icmp traffic that is "passing through".

Your servers were pingable because your outside ACL was permitting all varieties of ICMP, including ICMP echo packets sourced from outside.

Reply to
Walter Roberson
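The distinction Walter draws (the interface ACL governs through-traffic, the `icmp` commands only govern packets addressed to the PIX itself) is easy to see with a small model. The following is an added example, not code from the thread or from Cisco; it assumes first-match ACL evaluation with an implicit deny at the end, that the ACL is stateless for ICMP (which is why echo-reply has to be permitted explicitly for internal pings to get their answers back), and that `icmp` commands default to permit when nothing matches. All addresses are constructed sample values from the RFC 5737 documentation ranges.

```python
"""Toy model of ICMP handling on a PIX outside interface (added example).

Assumptions (not taken from the thread):
  - packets whose destination is a host behind the PIX are checked only
    against the access-list bound to the outside interface: first match
    wins, and an unmatched packet is dropped (implicit deny);
  - packets addressed to the PIX outside interface itself are checked only
    against the `icmp` commands, which default to permit when none match.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    icmp_type: str  # e.g. "echo", "echo-reply", "unreachable"


@dataclass(frozen=True)
class Rule:
    """One access-list entry or one `icmp` command, reduced to what matters here."""
    action: str               # "permit" or "deny"
    icmp_type: Optional[str]  # None means any ICMP type


OUTSIDE_IF_ADDR = "203.0.113.1"   # constructed: the PIX's own outside address
SERVER_ADDR = "203.0.113.10"      # constructed: NATed public address of a server
INTERNET_HOST = "198.51.100.7"    # constructed: some host on the Internet


def first_match(rules: List[Rule], pkt: Packet, default: str) -> str:
    """Return the action of the first rule whose ICMP type matches, else default."""
    for rule in rules:
        if rule.icmp_type is None or rule.icmp_type == pkt.icmp_type:
            return rule.action
    return default


def evaluate_outside(pkt: Packet, acl: List[Rule], icmp_cmds: List[Rule]) -> str:
    """Decide what happens to an ICMP packet arriving on the outside interface."""
    if pkt.dst == OUTSIDE_IF_ADDR:
        # Traffic *to* the firewall: only the `icmp` commands apply.
        return first_match(icmp_cmds, pkt, default="permit")
    # Traffic *through* the firewall: only the interface ACL applies.
    return first_match(acl, pkt, default="deny")


# Benson's original configuration, as posted in the thread.
ORIGINAL_ACL = [Rule("permit", None)]                       # permit icmp any any
ORIGINAL_ICMP_CMDS = [Rule("permit", "unreachable"),        # icmp permit any unreachable outside
                      Rule("deny", "echo-reply")]           # icmp deny any echo-reply outside

# Walter's suggested configuration: permit only echo-reply, drop the `icmp` commands.
FIXED_ACL = [Rule("permit", "echo-reply")]                  # permit icmp any any echo-reply
FIXED_ICMP_CMDS: List[Rule] = []


def classify(acl: List[Rule], icmp_cmds: List[Rule]) -> Dict[str, str]:
    """Run three representative packets through a configuration."""
    scenarios = {
        # An Internet host pinging the NATed server: this is what Benson wants blocked.
        "internet_pings_server": Packet(INTERNET_HOST, SERVER_ADDR, "echo"),
        # The answer to a ping an internal user sent out: this must be allowed back in.
        "reply_to_internal_ping": Packet(INTERNET_HOST, SERVER_ADDR, "echo-reply"),
        # An Internet host pinging the PIX interface itself: governed by `icmp` commands.
        "internet_pings_pix": Packet(INTERNET_HOST, OUTSIDE_IF_ADDR, "echo"),
    }
    return {name: evaluate_outside(pkt, acl, icmp_cmds) for name, pkt in scenarios.items()}


if __name__ == "__main__":
    for label, acl, cmds in (("original", ORIGINAL_ACL, ORIGINAL_ICMP_CMDS),
                             ("fixed", FIXED_ACL, FIXED_ICMP_CMDS)):
        print(label, classify(acl, cmds))
```

Running it shows the original configuration permitting the Internet host's echo request to the server despite `icmp deny any echo-reply outside`, because that command never sees through-traffic, while the corrected ACL drops it and still lets echo replies return to internal users.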

Hi. Thank you for your reply. Do you think we have a risk, like ping of death (the harmful ping), with this configuration?

Thank you,
Benson

Reply to
bensonlei

In article , wrote:
:Do you think we have a risk, like ping of death (the harmful ping),
:with this configuration?

It is easier for us to follow conversations when you quote the sections of previous messages that you are commenting on.

If you are running PIX 6.3 software, then there is a limit on the size of icmp packet that will be accepted, so there is no risk of the Ping Of Death.

Reply to
Walter Roberson
