Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
671
Views
0
Helpful
1
Replies

Ping to PIX (outside)

karl.jones
Level 1
Level 1

‎01-19-2003 12:58 PM - edited ‎02-20-2020 10:30 PM

Hi

I read that the PIX by default will block ICMP and scans, I set up a lab at home and plug my laptop into the outside interface and got ICMP replys. How come?

I though be default everything was blocked -

Regards

0 Helpful
1 Reply 1

gfullage
Cisco Employee
Cisco Employee

‎01-19-2003 07:58 PM

The PIX allows pings to the outside interface by default, but you can turn it off with the "icmp" command (http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/gl.htm#1026574). Note that we suggest you stil lallow ICMP Unreachable's to the outside interface so you don't break Path MTU Discovery. The following will achieve this while blocking everything else:

> icmp permit any unreachable outside

> icmp deny any outside

As for scans, the PIX will not send any response if it receives a SYN packet to it's outside interface for a port that isn't open, effectively black-holing a scan. On any other interface other than the outside int, it will send an RST in response to a SYN for a port that isn't open.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card