Anh Lam wrote:
> As I've said before, "conduit permit icmp" has been disabled; however, I can
> still ping the outside interface which, based on Cisco doc, is NOT possible.
Anh,

We need some clarification here. Please state where you are trying to ping from. A subnet on the outside interface? A remote subnet? A subnet on the inside interface?

To paraphrase the Cisco documentation, the command "conduit permit icmp" allows a ping through the firewall, i.e., going from one PIX interface to another. Is this what you are trying to block? If so, then you should verify you don't have another path in parallel.

If you are trying to ping the outside interface from an outside host, this is a different situation. You need to read that URL more carefully.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/config/config.htm#xtocid366534

I quote:

"Disabling Interface Pinging

With pinging disabled, the PIX Firewall cannot be detected on the network. The new icmp command implements this feature. This feature is also referred to as configurable proxy pinging. To disable pinging, first configure an access-list command statement that permits or denies ICMP traffic that terminates at the PIX Firewall unit, and then add the appropriate icmp command statement to your configuration."

HTH

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=26738&t=26738
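The distinction drawn in the reply above, as an added example that is not part of the original post: a small audit that separates ICMP through the firewall (conduit) from ICMP terminating at an interface (the icmp command). It assumes the PIX 6.x form `icmp permit|deny <src> [type] <if_name>`, first match with an implicit deny once any icmp rule exists on the interface, and replies to ping when no icmp rule exists; the sample configs and function names are constructed for illustration.

```python
import re

# Constructed sample configs (not from the original post).
# BEFORE: conduit for ICMP removed, no icmp command on any interface.
BEFORE = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
"""
# AFTER: same config plus an icmp rule for traffic terminating at 'outside'.
AFTER = BEFORE + "icmp deny any echo outside\n"


def parse_icmp_rule(line):
    """Parse 'icmp permit|deny <src> [type] <if_name>' (assumed PIX 6.x form)."""
    t = line.split()
    if len(t) < 4 or t[0] != "icmp" or t[1] not in ("permit", "deny"):
        return None
    rest = t[2:-1]
    if rest[0] == "any":
        src, rest = "any", rest[1:]
    else:  # 'host <addr>' or '<addr> <mask>'
        src, rest = " ".join(rest[:2]), rest[2:]
    return {"action": t[1], "src": src,
            "type": rest[0] if rest else None, "if": t[-1]}


def ping_exposure(config, if_name="outside"):
    """Report ICMP through the firewall and echo handling at one interface.

    Only rules with source 'any' are evaluated (simplification); through
    traffic is checked for conduit statements only, not access-lists.
    """
    lines = [l.strip() for l in config.splitlines()]
    # Through-traffic: governed by conduit, unrelated to interface pinging.
    through = any(re.match(r"conduit permit icmp\b", l) for l in lines)
    rules = [r for r in map(parse_icmp_rule, lines) if r and r["if"] == if_name]
    if not rules:
        verdict = "default-permit"    # no icmp rule: interface answers ping
    else:
        verdict = "implicit-deny"     # rules exist but none matches echo
        for r in rules:               # first match wins
            if r["src"] == "any" and r["type"] in (None, "echo", "8"):
                verdict = r["action"]
                break
    return {"through_firewall": through, "to_interface": verdict}


if __name__ == "__main__":
    print("before:", ping_exposure(BEFORE))
    print("after: ", ping_exposure(AFTER))
```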