PIX - Disable Ping / ICMP replies from outside interface

How do you disable ping replies to external clients on the outside interface while still allowing internal clients the ability to ping outbound and receive replies?

David

Use the "icmp" command:

icmp deny any echo outside

sarabjit.herr

I set up a quick lab to demonstrate this; please see below.

end-user(e1/0)---(e1/0)local-as(e0/0)---(e0/0)remote-as (ISP)

I set up an access-list to allow incoming echo-replies destined for the local-as subnet.

access-list 101 permit icmp any echo-reply
access-list 101 deny icmp any any
access-list 101 permit ip any any

See below for examples:

#############################

end-user#ping 121.23.134.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 121.23.134.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/53/92 ms
end-user#

#############################

remote-as#ping 178.101.23.105

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 178.101.23.105, timeout is 2 seconds:
......
Success rate is 0 percent (0/5)
remote-as#ping 121.23.134.150

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 121.23.134.150, timeout is 2 seconds:
......
Success rate is 0 percent (0/5)
remote-as#telnet 121.23.134.150
Trying 121.23.134.150 ... Open

#############################

User Access Verification

Password:

end-user#sh run
Building configuration...

Current configuration : 728 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname end-user
!
boot-start-marker
boot-end-marker
!
!
clock timezone PST 0
no aaa new-model
ip subnet-zero
no ip routing
!
!
!
!
!
interface Ethernet0/0
 no ip address
 no ip route-cache
 shutdown
!
interface Ethernet1/0
 ip address 178.101.23.105 255.255.255.0
 no ip route-cache
!
interface Serial2/0
 no ip address
 no ip route-cache
 shutdown
 serial restart-delay 0
!
interface Serial3/0
 no ip address
 no ip route-cache
 shutdown
 serial restart-delay 0
!
!
ip default-gateway 178.101.23.1
ip classless
no ip http server
!
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
!
end

end-user#

#############################

local-as#sh run
Building configuration...

Current configuration : 883 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname local-as
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
clock timezone PST 0
no aaa new-model
ip subnet-zero
!
!
!
!
!
interface Ethernet0/0
 ip address 121.23.134.150 255.255.255.0
 ip access-group 101 in
 no ip unreachables
!
interface Ethernet1/0
 ip address 178.101.23.1 255.255.255.0
!
interface Serial2/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/0
 no ip address
 shutdown
 serial restart-delay 0
!
!
ip classless
ip route 0.0.0.0 0.0.0.0 121.23.134.5
no ip http server
!
!
!
access-list 101 permit icmp any 178.101.23.0 0.0.0.255 echo-reply
access-list 101 deny icmp any any
access-list 101 permit ip any any
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login
!
end

local-as#

#############################

remote-as#sh run
Building configuration...

Current configuration : 690 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname remote-as
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
clock timezone PST 0
no aaa new-model
ip subnet-zero
!
!
!
!
!
interface Ethernet0/0
 ip address 121.23.134.5 255.255.255.0
!
interface Ethernet1/0
 no ip address
 shutdown
!
interface Serial2/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/0
 no ip address
 shutdown
 serial restart-delay 0
!
!
ip classless
ip route 0.0.0.0 0.0.0.0 121.23.134.150
no ip http server
!
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login
!
end

remote-as#

Hope this helps,
Anthony

Anthony
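An added example, not part of Anthony's post or any Cisco code: a small first-match evaluator for the IOS extended ACL from the local-as running config, run against the inbound flows the lab exercised on e0/0. It shows why the echo-reply to end-user gets through, why both inbound pings are dropped, and why the telnet from remote-as still opened (the list only filters ICMP; everything else hits "permit ip any any"). The Packet and Ace classes and the flow names are assumptions for this example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

@dataclass(frozen=True)
class Packet:
    proto: str           # "icmp", "tcp", "udp"
    src: str
    dst: str
    icmp_type: str = ""  # "echo" or "echo-reply" for ICMP packets

@dataclass(frozen=True)
class Ace:
    action: str          # "permit" or "deny"
    proto: str           # "ip" matches every protocol
    src: IPv4Network
    dst: IPv4Network
    icmp_type: str = ""  # "" matches any ICMP type

def _matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if IPv4Address(pkt.src) not in ace.src or IPv4Address(pkt.dst) not in ace.dst:
        return False
    return ace.icmp_type in ("", pkt.icmp_type)

def evaluate(acl, pkt):
    """IOS semantics: first matching entry wins, implicit deny at the end."""
    for ace in acl:
        if _matches(ace, pkt):
            return ace.action
    return "deny"

ANY = IPv4Network("0.0.0.0/0")
# access-list 101 as shown in the local-as running config (wildcard 0.0.0.255 == /24)
ACL_101 = [
    Ace("permit", "icmp", ANY, IPv4Network("178.101.23.0/24"), "echo-reply"),
    Ace("deny", "icmp", ANY, ANY),
    Ace("permit", "ip", ANY, ANY),
]

def lab_results():
    """The inbound flows from the lab, as constructed packets arriving on e0/0 'in'."""
    return {
        "echo-reply to end-user": evaluate(ACL_101, Packet("icmp", "121.23.134.5", "178.101.23.105", "echo-reply")),
        "echo to end-user": evaluate(ACL_101, Packet("icmp", "121.23.134.5", "178.101.23.105", "echo")),
        "echo to local-as": evaluate(ACL_101, Packet("icmp", "121.23.134.5", "121.23.134.150", "echo")),
        # telnet is not ICMP, so it falls through to "permit ip any any"
        "telnet to local-as": evaluate(ACL_101, Packet("tcp", "121.23.134.5", "121.23.134.150")),
    }
```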

My apologies I didn't see this post was for a PIX :)

Anthony
