Question : Cisco ASA 5510 ASDM - Allowing PING AND TRACERT through

Hi

I have a new Cisco ASA Firewall that was configured by someone else.

To test a slow link I need to be able to allow PINGS and Traceroute through the firewall.

I have created numerous access rules and SET icmp to PERMIT any any for inside and outside but still no joy.

Could someone please advise how I would do this, possibly through the ASDM console?

Thanks a mil

Answer : Cisco ASA 5510 ASDM - Allowing PING AND TRACERT through


Cisco Firewalls and PING
(Note: Tracert uses Ping technology and protocols and the firewall treats ping and tracert the same*)

PIX Version 7 and above
Version 7 introduced an ICMP inspection engine so that it could track ICMP requests like other protocols. It's NOT turned on by default. The command is inspect icmp, but you need to enter the default map first; use the following commands from config terminal mode.


policy-map global_policy
 class inspection_default
  inspect icmp


How to STOP interfaces responding to Ping packets


As already stated, you can ping an interface on a Cisco firewall if you are directly connected to it. You can turn this OFF using the ICMP command. A lot of people like to disable pinging on the outside interface in an effort to lessen the risk of a denial of service attack. To do this, the syntax is as follows:
icmp deny any echo outside
*Note: this does not apply to INBOUND tracerts; these will NOT work without a (fixup protocol icmp) command. In version 7, tracert will not work unless the inspect icmp command has been issued.

To ping the firewall's inside interface from a remote VPN session (IKE or SSL), you need to add the following command:
management-access inside
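
Added example, not part of the original answer: a Python check over saved "show running-config" text that reports whether inspect icmp actually sits under class inspection_default of global_policy, and lists any icmp permit/deny interface rules and the management-access setting. The sample configuration and the function name audit_icmp are constructed for illustration; the sample deliberately places inspect icmp under the wrong class.

```python
import re

# Constructed sample of "show running-config" output (not from a real device).
SAMPLE_CONFIG = """\
icmp deny any echo outside
management-access inside
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
 class other_class
  inspect icmp
!
service-policy global_policy global
"""

def audit_icmp(config, policy="global_policy", klass="inspection_default"):
    """Return the ICMP-related settings found in an ASA running-config."""
    result = {"inspect_icmp": False, "icmp_rules": [], "management_access": None}
    cur_policy = cur_class = None
    for raw in config.splitlines():
        line = raw.strip()
        indent = len(raw) - len(raw.lstrip())
        if indent == 0:
            # Any top-level line closes the previous policy-map block.
            cur_policy = cur_class = None
            m = re.match(r"policy-map\s+(\S+)$", line, re.I)
            if m:
                cur_policy = m.group(1)
            elif re.match(r"icmp\s+(permit|deny)\s", line, re.I):
                result["icmp_rules"].append(line)
            elif line.lower().startswith("management-access "):
                result["management_access"] = line.split()[1]
        elif cur_policy:
            m = re.match(r"class\s+(\S+)$", line, re.I)
            if m:
                cur_class = m.group(1)
            elif line.lower() == "inspect icmp" and (cur_policy, cur_class) == (policy, klass):
                result["inspect_icmp"] = True
    return result

if __name__ == "__main__":
    for key, value in audit_icmp(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```
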
