10-03-2002 06:52 AM - edited 02-20-2020 10:17 PM
Hi,
The outside interface of our PIX firewall responds to pings coming from the Internet. Is there a way to prevent it from responding so an ICMP scan from the Internet won't find it? We're using conduits and we run version 6.2.
I've searched the doc without any positive answer.
Thanks!
10-03-2002 09:19 AM
As you know, conduits apply to the whole PIX, not just an interface. (When used with a static command statement, a conduit command statement permits users on a lower security interface to access a higher security interface. When not used with a static command statement, a conduit command statement permits both inbound and outbound access.) So, you can try "conduit deny icmp x.x.x.x any echo" and "conduit permit icmp any any". That will prevent anyone from pinging your PIX outside IP and will allow all other ICMP (other ICMP types can be blocked if required).
Access-lists are a lot easier to work with and can apply to only one interface (e.g. outside), so you may want to migrate to them.
Hope it helps.
Steve
10-03-2002 10:44 AM
ACLs and conduits will not prevent a PIX from responding to pings.
I have not found a way to stop the PIX from answering these ICMP messages.
If anyone can find a way, I'd like to see it.
10-03-2002 11:13 AM
See link on how to do it: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/config/config.htm#xtocid34
Disregard my previous post, long day.
Steve