02-27-2006 08:18 AM - edited 03-09-2019 02:04 PM
Hi,
PIX Version 6.3(4)
Present config: ICMP allowed on all inside hosts, through
"access-list acl_out permit icmp any any"
"access-group acl_out in interface outside"
I want to allow ICMP only on specific hosts on the inside; the remaining ones I want to restrict.
Any ideas, anyone?
Thanks.
02-27-2006 10:23 AM
Do you already have an access-list on the inside interface?
If not, then use something like this:
Create an access-list that allows some hosts to use ICMP,
then deny all ICMP traffic, and then allow all the rest.
example:
access-list inside permit icmp host InsideIP-1 any
access-list inside permit icmp host InsideIP-2 any
access-list inside permit icmp host InsideIP-3 any
access-list inside deny icmp any any
access-list inside permit ip any any
access-group inside in interface inside
Sincerely,
Patrick
02-27-2006 09:24 PM
Hi Patrick,
Thanks for the reply.
I created the above-mentioned access-list, but it is still the same: I am able to ping from inside hosts to the outside.
I want to allow specific hosts from the inside to ping to the outside.
Here is my access-list:
PIX506E(config)# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024)
alert-interval 300
access-list Do_Not_NAT; 1 elements
access-list Do_Not_NAT line 1 permit ip any 192.168.0.114 255.255.255.254 (hitcnt=0)
access-list inside; 13 elements
access-list inside line 1 deny ip any object-group BANNED_SITES
access-list inside line 1 deny ip any host a.b.c.d (hitcnt=0)
access-list inside line 1 deny ip any host a.b.c.d (hitcnt=0)
access-list inside line 1 deny ip any host a.b.c.d (hitcnt=0)
access-list inside line 1 deny ip any host a.b.c.d (hitcnt=0)
access-list inside line 1 deny ip any host a.b.c.d (hitcnt=0)
access-list inside line 1 deny ip any host a.b.c.d (hitcnt=0)
access-list inside line 1 deny ip any host a.b.c.d (hitcnt=0)
access-list inside line 1 deny ip any host a.b.c.d (hitcnt=0)
access-list inside line 1 deny ip any host a.b.c.d (hitcnt=0)
access-list inside line 2 permit ip any any (hitcnt=91)
access-list inside line 3 permit icmp host 192.168.0.6 any (hitcnt=0)
access-list inside line 4 deny icmp any any (hitcnt=0)
access-list acl_out; 1 elements
access-list acl_out line 1 permit icmp any any (hitcnt=1)
Thanks.
02-27-2006 09:48 PM
Hi,
As per your config, ICMP is still allowed through line 2 (permit ip any any). You can see the hit counts as well. Please modify the config as below.
access-list Do_Not_NAT
access-list Do_Not_NAT permit ip any 192.168.0.114 255.255.255.254
access-list inside deny ip any object-group BANNED_SITES
access-list inside permit icmp host 192.168.0.6 any
access-list inside deny icmp any any
access-list inside permit ip any any
access-list acl_out permit icmp any any
Regards,
Zhuhair
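The ordering problem Zhuhair points out can be checked without a PIX. The following is an added example, not part of this thread and not Cisco code: a small first-match evaluator for PIX 6.x-style ACL lines (permit/deny, `ip` or a named protocol, `any` / `host X` / `network mask` address specs, with the implicit deny at the end). It replays the "inside" ACL in the poster's original order and in the corrected order. The addresses 203.0.113.10 (standing in for the BANNED_SITES object-group, which the evaluator does not expand) and 198.51.100.1 (an outside target) are constructed for the example; the evaluator also ignores the `access-group` direction and the separate `acl_out` list.

```python
import ipaddress

# Constructed sample: the "inside" ACL as the poster had it (permit ip any any
# sits above the ICMP lines) and as Zhuhair reordered it. 203.0.113.10 is a
# placeholder for the BANNED_SITES object-group entries.
ORIGINAL_ORDER = """
access-list inside deny ip any host 203.0.113.10
access-list inside permit ip any any
access-list inside permit icmp host 192.168.0.6 any
access-list inside deny icmp any any
"""

CORRECTED_ORDER = """
access-list inside deny ip any host 203.0.113.10
access-list inside permit icmp host 192.168.0.6 any
access-list inside deny icmp any any
access-list inside permit ip any any
"""


def _parse_addr(tokens, i):
    """Consume one PIX address spec starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX 6.x ACLs take a real subnet mask here (e.g. 255.255.255.254),
    # not an IOS-style wildcard mask; ipaddress accepts that form directly.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text):
    """Parse 'access-list NAME ACTION PROTO SRC DST' lines into ordered entries."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list":
            continue  # skip blank lines, 'remark' lines, anything not an ACE
        name, action, proto = tok[1], tok[2], tok[3]
        src, i = _parse_addr(tok, 4)
        dst, i = _parse_addr(tok, i)
        entries.append({"line": len(entries) + 1, "name": name, "action": action,
                        "proto": proto, "src": src, "dst": dst})
    return entries


def evaluate(acl, proto, src, dst):
    """First-match evaluation as the PIX does it.

    'ip' matches every protocol, so a 'permit ip any any' placed before the
    ICMP-specific lines swallows ICMP too. Returns (action, matching line number),
    or ('deny', None) for the implicit deny at the end of every ACL.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in acl:
        if e["proto"] not in ("ip", proto):
            continue
        if s in e["src"] and d in e["dst"]:
            return e["action"], e["line"]
    return "deny", None


if __name__ == "__main__":
    outside = "198.51.100.1"
    for label, text in (("original", ORIGINAL_ORDER), ("corrected", CORRECTED_ORDER)):
        acl = parse_acl(text)
        for host in ("192.168.0.6", "192.168.0.10"):
            action, line = evaluate(acl, "icmp", host, outside)
            print(f"{label:9s} icmp {host} -> {outside}: {action} (line {line})")
```

Run it and the original order reports `permit (line 2)` for every inside host, exactly what the hit count of 91 on line 2 and 0 on lines 3 and 4 in the poster's `show access-list` output was saying; the corrected order permits 192.168.0.6 on its own line and sends everyone else to the `deny icmp any any` line while non-ICMP traffic still falls through to `permit ip any any`.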