https://community.cisco.com/t5/network-security/established-access-list-in-a-pix/m-p/558837#M500162 <HTML><HEAD></HEAD><BODY><P>If you add (in config mode)</P><P></P><P>icmp deny any outside</P><P></P><P>The above will disable any ping/trace route or network scans from the internet (i.e. your network will be in stealth mode), if you also add</P><P></P><P>access-list outside permit icmp any any echo-reply </P><P>access-list outside permit icmp any any time-exceeded </P><P>access-list outside permit icmp any any unreachable </P><P>access-group outside in interface outside</P><P></P><P>then this will allow icmp traffic to go outbound to the internet BUT will not allow anyone from the internet to ping/trace route or scan your network!</P><P></P><P>You can test all this out by going to <A class="jive-link-custom" href="http://www.grc.com" target="_blank">http://www.grc.com</A> and using the 'shields up' program to scan your network. Try it first without icmp deny any outside statement and then with the statement added to your configuration.</P><P></P><P>Hope this helps</P><P></P><P>Jay</P><P></P><P></P><P></P></BODY></HTML> Wed, 21 Jun 2006 14:36:13 GMT jmia 2006-06-21T14:36:13Z https://community.cisco.com/t5/network-security/established-access-list-in-a-pix/m-p/558833#M500156 <P>I have the below access-list applied on my "outside" interface of my PIX and I'm trying to make it so pings that originate from the "inside" work but ones that originate from the ?outside? fail.</P><P></P><P>access-list outside permit icmp any any echo-reply </P><P>access-list outside permit icmp any any time-exceeded </P><P>access-list outside permit icmp any any unreachable</P><P></P><P>With a VPN Concentrator you can build a rule/filter and apply it to the tunnel that checks for the established bit to be set. Is there any way to do this with an access-list in a PIX?</P><P></P><P>I have a PIX 501 6.3(5)</P><P></P> Fri, 21 Feb 2020 08:59:12 GMT https://community.cisco.com/t5/network-security/established-access-list-in-a-pix/m-p/558833#M500156 anowell 2020-02-21T08:59:12Z https://community.cisco.com/t5/network-security/established-access-list-in-a-pix/m-p/558834#M500158 <HTML><HEAD></HEAD><BODY><P>No, you can't create an ACL on a PIX like that, but the ACL you've created should be doing the trick. What is the issue still?</P></BODY></HTML> Wed, 21 Jun 2006 03:35:40 GMT https://community.cisco.com/t5/network-security/established-access-list-in-a-pix/m-p/558834#M500158 gfullage 2006-06-21T03:35:40Z https://community.cisco.com/t5/network-security/established-access-list-in-a-pix/m-p/558835#M500160 <HTML><HEAD></HEAD><BODY><P>As Glenn states, your ACL should be good to go, have you applied it to the outside interface? i.e.</P><P></P><P>access-list outside permit icmp any any echo-reply </P><P>access-list outside permit icmp any any time-exceeded </P><P>access-list outside permit icmp any any unreachable</P><P>access-group outside in interface outside</P><P></P><P>Save with: write mem and also issue clear xlate.</P><P></P><P>Jay </P><P></P></BODY></HTML> Wed, 21 Jun 2006 06:39:18 GMT https://community.cisco.com/t5/network-security/established-access-list-in-a-pix/m-p/558835#M500160 jmia 2006-06-21T06:39:18Z https://community.cisco.com/t5/network-security/established-access-list-in-a-pix/m-p/558836#M500161 <HTML><HEAD></HEAD><BODY><P>I want ONLY allow pings from the "inside" to work and not pings that originated from the "outside", any way to do that?</P></BODY></HTML> Wed, 21 Jun 2006 11:33:43 GMT https://community.cisco.com/t5/network-security/established-access-list-in-a-pix/m-p/558836#M500161 anowell 2006-06-21T11:33:43Z https://community.cisco.com/t5/network-security/established-access-list-in-a-pix/m-p/558837#M500162 <HTML><HEAD></HEAD><BODY><P>If you add (in config mode)</P><P></P><P>icmp deny any outside</P><P></P><P>The above will disable any ping/trace route or network scans from the internet (i.e. your network will be in stealth mode), if you also add</P><P></P><P>access-list outside permit icmp any any echo-reply </P><P>access-list outside permit icmp any any time-exceeded </P><P>access-list outside permit icmp any any unreachable </P><P>access-group outside in interface outside</P><P></P><P>then this will allow icmp traffic to go outbound to the internet BUT will not allow anyone from the internet to ping/trace route or scan your network!</P><P></P><P>You can test all this out by going to <A class="jive-link-custom" href="http://www.grc.com" target="_blank">http://www.grc.com</A> and using the 'shields up' program to scan your network. Try it first without icmp deny any outside statement and then with the statement added to your configuration.</P><P></P><P>Hope this helps</P><P></P><P>Jay</P><P></P><P></P><P></P></BODY></HTML> Wed, 21 Jun 2006 14:36:13 GMT https://community.cisco.com/t5/network-security/established-access-list-in-a-pix/m-p/558837#M500162 jmia 2006-06-21T14:36:13Z https://community.cisco.com/t5/network-security/established-access-list-in-a-pix/m-p/558838#M500163 <HTML><HEAD></HEAD><BODY><P>Thanks to all that responded!</P><P></P><P></P><P></P><P>Jay,</P><P></P><P>You got it right with "icmp deny any outside".</P><P></P><P>Thanks so much!</P><P>Tony</P></BODY></HTML> Thu, 22 Jun 2006 00:33:38 GMT https://community.cisco.com/t5/network-security/established-access-list-in-a-pix/m-p/558838#M500163 anowell 2006-06-22T00:33:38Z