how to allow ICMP on Specific hosts

imtiaz_s
Level 1

Hi,

PIX Version 6.3(4)

Present config: ICMP is allowed on all inside hosts, through

"access-list acl_out permit icmp any any"

"access-group acl_out in interface outside"

I want to allow ICMP only on specific hosts on the inside; the remaining hosts I want to restrict.

Any ideas anyone?

Thanks.

3 Replies

Patrick Iseli
Level 7

Do you already have an access-list on the inside interface?

If not, then use something like this:

Create an access-list that allows some hosts to use ICMP, then deny all ICMP traffic, and then allow all the rest.

Example:

access-list inside permit icmp host InsideIP-1 any

access-list inside permit icmp host InsideIP-2 any

access-list inside permit icmp host InsideIP-3 any

access-list inside deny icmp any any

access-list inside permit ip any any

access-group inside in interface inside

Sincerely,

Patrick

Hi Patrick,

Thanks for the reply.

I created the above-mentioned access-list, but it is still the same: I am able to ping from inside hosts to the outside.

I want to allow specific hosts from the inside to ping to the outside.

Here is my access-list:

PIX506E(config)# sh access-list

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024)

alert-interval 300

access-list Do_Not_NAT; 1 elements

access-list Do_Not_NAT line 1 permit ip any 192.168.0.114 255.255.255.254 (hitcnt=0)

access-list inside; 13 elements

access-list inside line 1 deny ip any object-group BANNED_SITES

access-list inside line 1 deny ip any host a.b.c.d (hitcnt=0)

access-list inside line 1 deny ip any host a.b.c.d (hitcnt=0)

access-list inside line 1 deny ip any host a.b.c.d (hitcnt=0)

access-list inside line 1 deny ip any host a.b.c.d (hitcnt=0)

access-list inside line 1 deny ip any host a.b.c.d (hitcnt=0)

access-list inside line 1 deny ip any host a.b.c.d (hitcnt=0)

access-list inside line 1 deny ip any host a.b.c.d (hitcnt=0)

access-list inside line 1 deny ip any host a.b.c.d (hitcnt=0)

access-list inside line 1 deny ip any host a.b.c.d (hitcnt=0)

access-list inside line 2 permit ip any any (hitcnt=91)

access-list inside line 3 permit icmp host 192.168.0.6 any (hitcnt=0)

access-list inside line 4 deny icmp any any (hitcnt=0)

access-list acl_out; 1 elements

access-list acl_out line 1 permit icmp any any (hitcnt=1)

Thanks.

Hi,

As per your config, ICMP is still allowed through line 2 (permit ip any any). You can see the hit counts as well. Please modify the config as below:

access-list Do_Not_NAT

access-list Do_Not_NAT permit ip any 192.168.0.114 255.255.255.254

access-list inside deny ip any object-group BANNED_SITES

access-list inside permit icmp host 192.168.0.6 any

access-list inside deny icmp any any

access-list inside permit ip any any

access-list acl_out permit icmp any any

Regards,

Zhuhair
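The point both replies make is first-match evaluation: the PIX walks the access-list top to bottom and stops at the first entry that matches, so the specific ICMP permit and the ICMP deny only take effect when they sit above the broad "permit ip any any". The following Python script is an added example, not code from the thread or from Cisco; it models that walk for the "inside" ACL in the order the original "sh access-list" output showed it and in the order of the corrected config, and also flags entries that an earlier, broader entry makes unreachable. Assumptions: only "any", "host A.B.C.D" and "A.B.C.D MASK" address specs are parsed, object-group entries (the BANNED_SITES lines) are not modelled and are left out, and the destination address 203.0.113.1 is a constructed test value.

```python
"""First-match ACL walk-through for the thread above (added example, not from the forum).

Simplifications (assumptions): only 'any', 'host A.B.C.D' and 'A.B.C.D MASK'
address specs are understood; object-group entries are not modelled, so the
BANNED_SITES lines from the original output are left out.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _spec(tok, i):
    """Consume one address spec starting at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network((tok[i], tok[i + 1]), strict=False), i + 2


def parse_acl(text):
    """Parse 'access-list NAME permit|deny PROTO SRC DST' lines, keeping their order."""
    acl = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or "object-group" in tok:
            continue            # blank, unrelated, or unsupported entry
        action, proto = tok[2], tok[3]
        src, i = _spec(tok, 4)
        dst, _ = _spec(tok, i)
        acl.append(Ace(action, proto, src, dst))
    return acl


def evaluate(acl, proto, src, dst):
    """Return (action, 1-based line) of the first matching ACE; (deny, None) is the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, ace in enumerate(acl, start=1):
        if ace.proto in ("ip", proto) and s in ace.src and d in ace.dst:
            return ace.action, n
    return "deny", None


def shadowed(acl):
    """List (line, shadowed_by) pairs: entries an earlier, broader entry makes unreachable."""
    out = []
    for j, later in enumerate(acl):
        for i in range(j):
            earlier = acl[i]
            if (earlier.proto in ("ip", later.proto)
                    and later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)):
                out.append((j + 1, i + 1))
                break
    return out


# Order as the original 'sh access-list' output showed it: permit ip any any first.
ORIGINAL_INSIDE = parse_acl("""
access-list inside permit ip any any
access-list inside permit icmp host 192.168.0.6 any
access-list inside deny icmp any any
""")

# Order from the corrected config: specific ICMP permit, ICMP deny, then everything else.
FIXED_INSIDE = parse_acl("""
access-list inside permit icmp host 192.168.0.6 any
access-list inside deny icmp any any
access-list inside permit ip any any
""")

if __name__ == "__main__":
    DST = "203.0.113.1"     # constructed outside address
    for name, acl in (("original", ORIGINAL_INSIDE), ("fixed", FIXED_INSIDE)):
        print(f"{name}: icmp from 192.168.0.6  -> {evaluate(acl, 'icmp', '192.168.0.6', DST)}")
        print(f"{name}: icmp from 192.168.0.50 -> {evaluate(acl, 'icmp', '192.168.0.50', DST)}")
        print(f"{name}: tcp  from 192.168.0.50 -> {evaluate(acl, 'tcp', '192.168.0.50', DST)}")
        print(f"{name}: shadowed entries {shadowed(acl)}")
```

With the original order, every packet matches line 1 and both ICMP entries are reported as shadowed, which is exactly what the zero hit counts on lines 3 and 4 of the posted output were saying; with the corrected order, only 192.168.0.6 is permitted to send ICMP, other hosts hit the ICMP deny, and non-ICMP traffic falls through to the final permit. The shadow check is a quick sanity test to run on any ACL before pushing it, since a shadowed entry is a rule that looks present but never fires.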