Pinging to the PIX Security Appliance interface can be enabled or disabled.
With pinging disabled, the PIX cannot be detected on the network. The
icmp command implements this feature, which is also
referred to as configurable proxy pinging. By default, pinging through the PIX
to a PIX interface is not allowed. Pinging an interface from a host on that
interface is allowed. The syntax for the icmp command is shown in Figure .
To use
the icmp command, configure an icmp
command statement that permits or denies ICMP traffic that terminates at the
PIX Security Appliance. If the first matched entry is a permit entry, the ICMP
packet continues to be processed. If the first matched entry is a deny entry or
an entry is not matched, the PIX discards the ICMP packet and generates the
%PIX-3-313001 Syslog message. An exception is when an icmp
command statement is not configured, in which case, permit is assumed.
The clear icmp command removes icmp
command statements from the configuration.
NOTE:
Cisco recommends that permission is granted for the ICMP unreachable
message type, ICMP type 3. Denying ICMP unreachable messages disables ICMP Path
MTU discovery, which can halt IPSec and PPTP traffic. See RFC 1195 and RFC 1435
for details about Path MTU Discovery.
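The first-match behaviour described above (permit assumed when no statements exist, otherwise first match wins and an unmatched packet is discarded), together with the recommendation to keep ICMP type 3 permitted, as an added model written for this page rather than Cisco's own code. It assumes the statement form `icmp {permit | deny} ip_address net_mask [icmp_type] if_name` with `any` as a wildcard; the configuration lines, addresses and interface names are constructed samples.

```python
"""Model of how the PIX evaluates 'icmp' statements for ICMP terminating on the appliance."""
import ipaddress

# Constructed sample configuration (assumed syntax, not taken from a real appliance)
SAMPLE_CONFIG = """
icmp permit 10.1.1.0 255.255.255.0 echo inside
icmp permit any unreachable outside
icmp deny any outside
"""

# ICMP type keywords mapped to their numeric type (subset sufficient for the sample)
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "echo": 8, "time-exceeded": 11}


def parse_icmp_rules(config):
    """Return (action, source_network, icmp_type_or_None, interface) tuples in config order."""
    rules = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "icmp":
            continue
        action = parts[1]
        if parts[2] == "any":                      # 'any' replaces address and mask
            net, rest = ipaddress.ip_network("0.0.0.0/0"), parts[3:]
        else:                                      # address followed by a dotted netmask
            net = ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False)
            rest = parts[4:]
        icmp_type = ICMP_TYPES[rest[0]] if len(rest) == 2 else None  # optional type keyword
        rules.append((action, net, icmp_type, rest[-1]))
    return rules


def icmp_to_interface_allowed(rules, src_ip, icmp_type, ifname):
    """Decide whether an ICMP packet addressed to a PIX interface is processed or discarded."""
    if not rules:
        return True, "no icmp statements configured: permit assumed"
    src = ipaddress.ip_address(src_ip)
    for action, net, rtype, rif in rules:     # first matching statement decides
        if rif == ifname and src in net and (rtype is None or rtype == icmp_type):
            return action == "permit", f"matched '{action}' statement on {rif}"
    return False, "no match: packet discarded, %PIX-3-313001 logged"


def unreachable_permitted(rules, ifname, probe_ip="0.0.0.1"):
    """Check the note's advice: ICMP type 3 should reach the interface, or PMTU discovery breaks."""
    return icmp_to_interface_allowed(rules, probe_ip, 3, ifname)[0]
```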