
PIX outside interface-prevent PING responses

steve.saindon
Level 1

Hi,

The outside interface of our PIX firewall responds to pings coming from the Internet. Is there a way to prevent it from responding so an ICMP scan from the Internet won't find it? We're using conduits and we run version 6.2.

I've searched the doc without any positive answer.

Thanks!


steve.barlow
Level 7

As you know, conduits apply to the whole PIX, not just an interface (when used with a static command statement, a conduit command statement permits users on a lower security interface to access a higher security interface. When not used with a static command statement, a conduit command statement permits both inbound and outbound access). So, you can try "conduit deny icmp x.x.x.x any echo" and "conduit permit icmp any any". That will prevent anyone from pinging your PIX outside IP and will allow all other ICMP (can block other ICMPs if required).

Access-lists are a lot easier to work with and can apply to only one interface (eg outside), so you may want to migrate them.

Hope it helps.

Steve

bosoro
Cisco Employee

ACLs and conduits will not prevent a PIX from responding to pings.

I have not found a way to stop the PIX from answering these ICMP messages.

If anyone can find a way, I'd like to see it.

See link on how to do it: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/config/config.htm#xtocid34

Disregard my previous post, long day.

Steve
