Configure ACLs and Content Filters
The icmp command

Pinging to a PIX Security Appliance interface can be enabled or disabled. With pinging disabled, the PIX does not answer ICMP echo requests sent to its interfaces, so it does not show up in ping sweeps (it can still be discovered by other means, such as the traffic it forwards). The icmp command implements this feature, which is also referred to as configurable proxy pinging. By default, pinging through the PIX to a far-side PIX interface is not allowed, while pinging an interface from a host on that interface's network is allowed. The syntax for the icmp command is shown in Figure .

To use the icmp command, configure one or more icmp command statements that permit or deny ICMP traffic that terminates at a PIX Security Appliance interface. (ICMP passing through the PIX is controlled by access lists, not by the icmp command.) Statements are evaluated in order. If the first matched entry is a permit entry, the ICMP packet continues to be processed. If the first matched entry is a deny entry, or no entry matches, the PIX discards the ICMP packet and generates the %PIX-3-313001 Syslog message. The one exception is an interface with no icmp command statement configured at all, in which case permit is assumed.

The clear icmp command removes icmp command statements from the configuration.

NOTE:

Cisco recommends that permission is granted for the ICMP unreachable message type, ICMP type 3. Denying ICMP unreachable messages breaks ICMP Path MTU Discovery, because the PIX would never receive the "fragmentation needed" message (type 3, code 4); this can halt IPSec and PPTP traffic whose packets exceed the path MTU. See RFC 1191 and RFC 1435 for details about Path MTU Discovery.
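The following added example models the first-match evaluation described above and the type 3 recommendation in this note; it is illustrative code written for this page, not Cisco's implementation. It parses icmp statements in the PIX syntax `icmp {permit | deny} {any | src_addr src_mask} [icmp_type] if_name` and decides whether an ICMP packet addressed to an interface is accepted. The sample configuration and packets are constructed, the ICMP type keyword table is a subset assumed from RFC 792 type numbers, and the model applies the "no statement configured means permit" rule per interface, which is an assumption about scope that the text above does not spell out.

```python
"""Model of the PIX icmp command's first-match evaluation (added example)."""
import ipaddress

# ICMP type keywords accepted by the icmp command (assumed subset; numeric
# types are also accepted, which the parser handles below).
ICMP_TYPES = {
    "echo-reply": 0, "unreachable": 3, "source-quench": 4, "redirect": 5,
    "echo": 8, "time-exceeded": 11, "parameter-problem": 12,
    "timestamp-request": 13, "timestamp-reply": 14,
    "information-request": 15, "information-reply": 16,
    "mask-request": 17, "mask-reply": 18,
}


def parse_icmp_statement(line):
    """Turn one `icmp permit|deny ...` statement into a rule dict."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "icmp" or tokens[1] not in ("permit", "deny"):
        raise ValueError(f"not an icmp statement: {line!r}")
    action = tokens[1]
    if tokens[2] == "any":
        network = ipaddress.ip_network("0.0.0.0/0")
        rest = tokens[3:]
    else:
        # "addr mask" in dotted notation, as the PIX CLI writes it
        network = ipaddress.ip_network(f"{tokens[2]}/{tokens[3]}", strict=False)
        rest = tokens[4:]
    # Remaining tokens are: [icmp_type] if_name
    if len(rest) == 2:
        type_tok, if_name = rest
        icmp_type = ICMP_TYPES[type_tok] if type_tok in ICMP_TYPES else int(type_tok)
    elif len(rest) == 1:
        icmp_type, if_name = None, rest[0]  # None matches every ICMP type
    else:
        raise ValueError(f"bad icmp statement: {line!r}")
    return {"action": action, "network": network, "type": icmp_type, "if_name": if_name}


def icmp_to_interface_allowed(rules, src_ip, icmp_type, if_name):
    """Decide whether an ICMP packet terminating on if_name is accepted."""
    # Only statements written for this interface participate (assumed scope).
    scoped = [r for r in rules if r["if_name"] == if_name]
    if not scoped:
        return True  # no icmp statement configured for this interface: permit assumed
    src = ipaddress.ip_address(src_ip)
    for r in scoped:  # first match wins
        if src in r["network"] and r["type"] in (None, icmp_type):
            return r["action"] == "permit"
    return False  # no match: packet is discarded (PIX logs %PIX-3-313001)


# Constructed sample configuration: inside hosts may ping the inside
# interface; the outside interface accepts only ICMP unreachables (type 3,
# keeping Path MTU Discovery alive) and drops every other ICMP type.
SAMPLE_CONFIG = """
icmp permit 10.0.1.0 255.255.255.0 echo inside
icmp permit any unreachable outside
icmp deny any outside
"""

RULES = [parse_icmp_statement(line) for line in SAMPLE_CONFIG.splitlines() if line.strip()]


def demo():
    """Evaluate constructed packets (src, ICMP type, destination interface)."""
    cases = [
        ("10.0.1.25", 8, "inside"),       # echo from inside subnet: permit
        ("10.0.2.25", 8, "inside"),       # echo from another subnet: no match, deny
        ("198.51.100.7", 3, "outside"),   # unreachable to outside: permit
        ("198.51.100.7", 8, "outside"),   # echo to outside: first match is deny
        ("192.168.5.5", 8, "dmz"),        # dmz has no statements: permit assumed
    ]
    return {(s, t, i): icmp_to_interface_allowed(RULES, s, t, i) for s, t, i in cases}


if __name__ == "__main__":
    for (src, typ, ifn), ok in demo().items():
        print(f"{src:>14} type {typ:<2} -> {ifn:<8} {'permit' if ok else 'deny'}")
```

The second inside case is the one operators most often get wrong: once any icmp statement exists for an interface, everything that does not match is dropped, so a permit for one subnet silently denies all others on that interface.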


Web Links