PIX outside interface-prevent PING responses

steve.saindon · ‎10-03-2002

HI,

The outside interface of our PIX firewall responds to pings coming from the Internet. Is there a way to prevent it from responding so a ICMP scan from the Internet won`t find it ? We`re using conduits and we run version 6.2.

I`ve searched the doc without any positive answer.

Thanks !

steve.barlow · ‎10-03-2002

As you know conduits apply to the whole PIX, not just an interface (when used with a static command statement, a conduit command statement permits users on a lower security interface to access a higher security interface. When not used with a static command statement, a conduit command statement permits both inbound and outbound access). So, you can try "conduit deny icmp x.x.x.x any echo" and "conduit permit icmp any any". That will prevent anyone from pinging your pix outside IP and will allow all other icmp (can block other icmps if required).

Access-lists are a lot easier to work with and can apply to only one interface (eg outside), so you may want to migrate them.

Hope it helps.

Steve

bosoro · ‎10-03-2002

ACL's and Conduit's will not prevent a PIX from responding to pings.

I have not found a way to stop the PIX From answering these ICMP messages.

If anyone can find a way, I'd like to see it

steve.barlow · ‎10-03-2002

See link on how to do it: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/config/config.htm#xtocid34

Disregard my previous post, long day.

Steve