topic Re: default icmp behavior in Network Security

default icmp behavior

huangedmc — Mon, 11 Mar 2019 09:03:36 GMT

What's the default icmp behavior on Pix?

I can't seem to ping from any inside hosts to any outside hosts...

What do I have to do to allow it, while blocking icmp initiated from outside?

a.kiprawih — Sun, 03 Dec 2006 14:02:17 GMT

To be very sure, create/add ACL to allow ICMP from any inside host to ping external/internet host(s). Bind this ACL on the Inside interface, example:

global (outside) 1 192.168.1.10 --> Public IP

nat (inside) 1 10.1.1.0 255.255.255.0 --> your internal segment

access-list inside permit icmp any any --> permit any icmp type from internal host to external

access-group in interface inside --> bind ACL to inside interface

If you already have existing ACL, just add it to the top, or before any deny statement.

Allowing all ICMP type here is only for testing purposes only. Also, make sure on your Outside interface, do not block any ICMP (via any ACL).

HTH

huangedmc — Sun, 03 Dec 2006 17:37:40 GMT

thanks for the quick reply.

I did exactly what you suggested, and it's still not going through.

I ping 63.240.76.72 from inside host, and get the following on Pix:

106014: Deny inbound icmp src outside:63.240.76.72 dst inside:192.168.1.10 (type 0, code 0)

show access-list:

access-list 101 line 1 permit icmp any any (hitcnt=2)

It looks like Pix is allowing icmp from inside out, but not from outside in.

So I created another ACL allowing inbound icmp, and applied it to outside interface, I can now ping from inside.

But, how do I limit ping initiated from inside only?

network.king — Sun, 03 Dec 2006 17:49:18 GMT

Hi,

Allow only " echo-reply " in your outside interface , so only ur inside host can ping .

ref :

Hope this helps

regards

vanesh k

huangedmc — Sun, 03 Dec 2006 18:25:57 GMT

thanks; this doc totally answered my question.