
ICMP, Pings and Traceroutes Pix 515


WNelson28

IS-IT--Management
May 21, 2003
70
GB
Could anybody offer any help on this? We have a pix 515e and have done the following: access-list external deny icmp any any. However, the system still responds to pings and traceroutes. I have saved the config and rebooted, yet it still responds. Any ideas?

Thanks

Will
 
Sorry for asking the obvious, but did you apply the access
list to the external interface?
 
Do you have an "icmp permit" statement in the config?
 
The list is indeed on the external interface and there are no other icmp rules in the config. I would have thought it would drop these anyway?
 
Hello!

Do you want to deny the ping direct to the Pix?

The pix's default behaviour is that you can ping the interfaces. If you want to deny this you have to do an icmp deny outside (check icmp ?).

If you want to deny icmp through the pix, you have to make an access-list. This access-list should be applied to an interface.

martin

----------------------------------
Martin Peinsipp, Austria
CCSA,
IT-Security-Administrator
 
We want the pix to drop all icmp traffic on the outside interface. I take it the deny above wouldn't do that then?
Thanks

 
Hello!

If you do it with an icmp deny command, you only block pings direct to the IP(s) of the pix.

If you want to deny icmps through the pix (so you want to deny pings to a server behind the pix), you have to make an access-list. This access-list must be applied to the outside interface (or the interfaces).

Martin

----------------------------------
Martin Peinsipp, Austria
CCSA,
IT-Security-Administrator
 
So at the risk of sounding thick, the command access-list external deny icmp any any won't stop the pix responding to pings etc.? What command should I use? The above hasn't worked and the pix still responds.

Thanks

Will
 
Hello,

There are two issues you have to handle:

1) deny that the pix answers to pings
2) deny that ping requests (icmp, or whatever) go through the pix to an internal server.

1)
To solve this you must make an icmp deny outside.
Please make a show icmp on the pix and give us the output.
If you make several icmp commands, the icmp deny/permit rules will be checked in a top-down way on the pix (I hope you understand what I mean).

So if you have a

icmp permit any any
icmp deny any outside
--> You can ping the pix

2)
As I said, you have to block this with an access-list. But if you do not allow it, it will be blocked.

Martin

----------------------------------
Martin Peinsipp, Austria
CCSA,
IT-Security-Administrator
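As an added example (not from the original thread), a PIX 6.x style config fragment that puts Martin's two points together; the access-group line that binds the list to the interface is assumed, since the thread only mentions the access-list itself:

```cisco
! --- Point 1: ICMP aimed at the PIX's own outside interface ---
! The icmp commands are matched top-down, first match wins.
! If a permit line sits above the deny (as in the thread's example),
! the permit is hit first and the PIX keeps answering pings.
! With only the deny present, the outside interface stops answering:
icmp deny any outside
!
! --- Point 2: ICMP passing through the PIX to hosts behind it ---
! The access-list on its own does nothing until it is bound to an interface.
access-list external deny icmp any any
! (other access-list external ... lines for traffic that should pass)
! Assumed: bind the list inbound on the outside interface
access-group external in interface outside
!
! Verify with:
!   show icmp
!   show access-list external
```

If show icmp lists a permit entry above the deny, remove it (no icmp permit ...) so the deny is the first match.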
 