02-09-2001 05:18 AM - edited 03-08-2019 07:59 PM
Is there any way in the PIX to prevent PINGing of the outside interface? I'd still like my internal users to be able to PING things on the Net, but I don't want outside users to be able to PING the outside interface or any internal users.
Thanks
Dave
02-15-2001 06:55 AM
In order to allow ping at all on current code you have to have a conduit to permit it. Ping conduits have options available. "conduit permit icmp any any" should only be used during deployment and then removed. I often configure "conduit permit icmp any any echo-reply", which only allows ICMP replies back in. This prevents the world from pinging your hosts. If you want to hide the outside NIC from the world, put an ACL on your outside router blocking ICMP to that address, or renumber that segment to an RFC 1918 address scheme with static route statements routing traffic. Does anyone have any other ideas?
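The two measures described in this reply, written out as configuration. This is an added example, not from any poster in the thread; the PIX outside address 192.0.2.1 (a documentation address) and the router interface name Serial0 are assumed placeholders.

```cisco
! ---- PIX ----
! Deployment-only setting: lets any ICMP, including echo requests,
! reach every translated host from the outside.
conduit permit icmp any any

! Replace it before going live. Only replies to pings that internal
! users originate are allowed back in; inbound echo requests are dropped.
no conduit permit icmp any any
conduit permit icmp any any echo-reply
! Unreachable and time-exceeded are also worth permitting so that
! path-MTU discovery and traceroute from the inside keep working.
conduit permit icmp any any unreachable
conduit permit icmp any any time-exceeded

! ---- Upstream router (IOS) ----
! Conduits do not cover the PIX outside interface itself, so block echo
! requests to that address on the router in front of it. The log keyword
! records matches so probing of the address shows up in syslog.
access-list 110 deny   icmp any host 192.0.2.1 echo log
access-list 110 permit icmp any any echo-reply
access-list 110 permit ip any any
!
interface Serial0
 ip access-group 110 in
```

With this in place an inside host can still ping Internet addresses, while echo requests arriving from the Internet for either the outside interface or inside hosts are dropped.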
02-15-2001 10:44 AM
I think you are on the right track with an ACL in a router. One that would be very easy to configure would be a reflexive access list (IP Session filtering).
BTW, if you use a global PAT only you shouldn't have to worry about hosts being pinged.
02-15-2001 10:47 AM
I normally use an abstraction network between my PIX and Internet gateway with private addressing. This makes the outside interface of the PIX invisible to the outside world but gives you full functionality.