Keith and Mark are correct. One thing to add: don't permit "icmp any any". You definitely don't want to allow echo and other stuff from the Internet for security reasons... It will allow script kiddies to "map" your network. A better way is to only allow echo-replies, time-exceeded (traceroutes), and source-quench (so you can see ICMP messages). Also allow ICMP echoes (type 8) outbound. You will then be able to ping stuff on the net, but they can't ping you.
see this sample...

!create list
access-list corp_internet_allowed_in permit icmp any any echo-reply
access-list corp_internet_allowed_in permit icmp any any source-quench
access-list corp_internet_allowed_in permit icmp any any unreachable
access-list corp_internet_allowed_in permit icmp any any time-exceeded
!apply list
access-group corp_internet_allowed_in in interface outside
! create list (outbound echo requests, type 8, only)
access-list corp_internal_allowed_out permit icmp any any echo
!apply list
access-group corp_internal_allowed_out in interface inside

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=72535&t=72514
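The following is an added example, not code from the post above or from Cisco: a small first-match evaluator for PIX-style ICMP access lists, so you can check what the two lists in the post actually let through before putting them on a firewall. The ACL text inside it is the post's own lists, with the outbound entry completed as `echo` (type 8) as the post describes; the packets, the RFC 5737 documentation addresses, and the function names (`parse_config`, `decide`, `policy_results`) are constructed for this illustration.

```python
"""Added example (not from the GroupStudy post): first-match evaluation of
PIX-style ICMP ACLs with the implicit deny at the end of each list."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Cisco ICMP type keywords used in the post -> ICMP type number.
ICMP_TYPES = {
    "echo-reply": 0,
    "unreachable": 3,
    "source-quench": 4,
    "echo": 8,
    "time-exceeded": 11,
}

# The post's configuration, with the outbound entry completed as 'echo'
# (type 8) as the post's text describes.
POST_CONFIG = """
! inbound from the Internet: replies and error messages only
access-list corp_internet_allowed_in permit icmp any any echo-reply
access-list corp_internet_allowed_in permit icmp any any source-quench
access-list corp_internet_allowed_in permit icmp any any unreachable
access-list corp_internet_allowed_in permit icmp any any time-exceeded
access-group corp_internet_allowed_in in interface outside
! outbound from the LAN: echo requests (type 8) only
access-list corp_internal_allowed_out permit icmp any any echo
access-group corp_internal_allowed_out in interface inside
"""


@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    proto: str                # "icmp" is the only protocol used here
    src: str                  # "any" or a single address
    dst: str
    icmp_type: Optional[int]  # None = any ICMP type


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    icmp_type: Optional[int] = None


def parse_config(config: str) -> Tuple[Dict[str, List[Rule]], Dict[str, str]]:
    """Parse 'access-list NAME permit|deny PROTO SRC DST [ICMP-TYPE]' and
    'access-group NAME in interface IFACE' lines.  Returns the ordered rule
    lists per ACL name and the interface -> ACL bindings; '!' lines are
    comments.  Entries missing a destination (like the post's original
    'permit icmp any') are rejected rather than guessed at."""
    acls: Dict[str, List[Rule]] = {}
    bindings: Dict[str, str] = {}
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        fields = line.split()
        if fields[0] == "access-list":
            if len(fields) < 6:
                raise ValueError(f"incomplete ACL entry: {line!r}")
            _, name, action, proto, src, dst, *rest = fields
            if action not in ("permit", "deny"):
                raise ValueError(f"bad action in: {line!r}")
            icmp_type = None
            if rest:
                if proto != "icmp" or rest[0] not in ICMP_TYPES:
                    raise ValueError(f"unknown ICMP type keyword in: {line!r}")
                icmp_type = ICMP_TYPES[rest[0]]
            acls.setdefault(name, []).append(Rule(action, proto, src, dst, icmp_type))
        elif fields[0] == "access-group":
            if len(fields) != 5 or fields[2] != "in" or fields[3] != "interface":
                raise ValueError(f"unsupported access-group form: {line!r}")
            bindings[fields[4]] = fields[1]
        else:
            raise ValueError(f"unsupported line: {line!r}")
    return acls, bindings


def _addr_match(pattern: str, addr: str) -> bool:
    return pattern == "any" or pattern == addr


def decide(acls: Dict[str, List[Rule]], bindings: Dict[str, str],
           iface: str, pkt: Packet) -> str:
    """First matching entry of the ACL bound inbound on IFACE wins; a packet
    that matches nothing hits the implicit deny at the end of the list."""
    name = bindings.get(iface)
    if name is None:
        raise ValueError(f"no access-group bound on interface {iface!r}")
    for r in acls[name]:
        if r.proto != pkt.proto:
            continue
        if not _addr_match(r.src, pkt.src) or not _addr_match(r.dst, pkt.dst):
            continue
        if r.icmp_type is not None and r.icmp_type != pkt.icmp_type:
            continue
        return r.action
    return "deny"


def policy_results() -> Dict[str, str]:
    """Evaluate constructed test packets against the post's policy."""
    acls, bindings = parse_config(POST_CONFIG)
    inet, lan = "203.0.113.5", "198.51.100.10"   # constructed test addresses
    cases = {
        "inbound echo (ping from Internet)": ("outside", Packet("icmp", inet, lan, 8)),
        "inbound echo-reply": ("outside", Packet("icmp", inet, lan, 0)),
        "inbound time-exceeded": ("outside", Packet("icmp", inet, lan, 11)),
        "inbound unreachable": ("outside", Packet("icmp", inet, lan, 3)),
        "inbound tcp": ("outside", Packet("tcp", inet, lan)),
        "outbound echo (ping to Internet)": ("inside", Packet("icmp", lan, inet, 8)),
        "outbound echo-reply": ("inside", Packet("icmp", lan, inet, 0)),
    }
    return {label: decide(acls, bindings, iface, pkt) for label, (iface, pkt) in cases.items()}


if __name__ == "__main__":
    for label, verdict in policy_results().items():
        print(f"{verdict:6s}  {label}")
```

Two things the evaluator makes visible: every list ends in an implicit deny, so anything the post does not list (inbound echo, inbound TCP in this toy) is dropped without a deny entry being written, and the matching is stateless, so an inbound echo-reply is permitted whether or not a matching echo ever left the LAN. That second point is the usual caveat with ICMP ACLs of this form when no stateful ICMP inspection is in place.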