Velocity Reviews


news8080@yahoo.com 09-23-2005 02:12 PM

icmp weirdness - PIX 501 (does any really mean any??)
 
anyone care to take a poke at this?

pix501(config)# sh access-list out_in
access-list out_in; 5 elements
access-list out_in line 1 permit tcp 192.168.4.0 255.255.255.0
interface outside object-group TCP-21-THRU-137
access-list out_in line 1 permit tcp 192.168.4.0 255.255.255.0
interface outside range ftp 137 (hitcnt=0)
access-list out_in line 2 permit udp 192.168.4.0 255.255.255.0
interface outside eq netbios-ns (hitcnt=0)
access-list out_in line 3 permit tcp any interface outside eq 24
(hitcnt=0)
access-list out_in line 4 permit icmp interface outside any
object-group ICMP_REP
access-list out_in line 4 permit icmp interface outside any echo-reply
(hitcnt=0)
access-list out_in line 5 deny ip any any (hitcnt=13)
pix501(config)#

pix501(config)# sh object-gr icmp-type
object-group icmp-type ICMP_REP
icmp-object echo-reply

pix501(config)# sh nat
nat (inside) 0 access-list NAT0
nat (inside) 1 192.168.50.0 255.255.255.0 0 0

pix501(config)# sh icmp
icmp permit any unreachable outside
icmp permit any echo-reply outside
icmp deny any outside
pix501(config)# ping 64.233.167.104
64.233.167.104 response received -- 20ms
64.233.167.104 response received -- 40ms
64.233.167.104 response received -- 10ms

ip audit signature 2000 disable


here is the syslog entry from when I ping 64.233.167.104 from
192.168.50.7

Sep 23 03:08:43 pix Sep 23 2005 09:57:31: %PIX-4-106023: Deny icmp src
outside:64.233.167.104 dst inside:6.6.3.9 (type 0, code 0) by
access-group "out_in"
Sep 23 03:08:44 pix Sep 23 2005 09:57:32: %PIX-4-106023: Deny icmp src
outside:64.233.167.104 dst inside:6.6.3.9 (type 0, code 0) by
access-group "out_in"


I can't ping google from 192.168.50.7. I can browse to it (and all
other websites) but just can't ping. And no, there is no firewall of any
kind running on 192.168.50.7 that blocks anything.


Walter Roberson 09-23-2005 03:23 PM

Re: icmp weirdness - PIX 501 (does any really mean any??)
 
In article <1127484739.714933.228350@f14g2000cwb.googlegroups.com>,
news8080@yahoo.com <news8080@yahoo.com> wrote:
:anyone care to take a poke at this?

:pix501(config)# sh access-list out_in
>access-list out_in line 4 permit icmp interface outside any object-group ICMP_REP
>access-list out_in line 4 permit icmp interface outside any echo-reply (hitcnt=0)


You have the 'any' and 'interface outside' reversed.
The outside interface is never going to generate packets that it
tries to send "through" the PIX to "any" on the inside.
--
When Love is gone, there's always Justice.
When Justice is gone, there's always Force.
When Force is gone, there's always Mom. -- Laurie Anderson
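To show why line 4 of out_in never gets a hit, here is an added Python sketch (not from the thread or from Cisco) that evaluates the two ICMP-relevant entries of the ACL with the PIX's first-match semantics, once as posted and once with `any` and `interface outside` swapped as Walter suggests. It assumes the PIX outside address is 203.0.113.1 (a placeholder, not shown in the thread) and that Google's echo-reply arrives addressed to that PAT address, which is what the outside ACL is matched against on PIX 6.x before the reply is translated back to 192.168.50.7.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed placeholder: the thread never shows the PIX outside address.
OUTSIDE_IF_IP = ipaddress.ip_address("203.0.113.1")

# ICMP type numbers for the keywords used in the thread.
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "echo": 8}


@dataclass
class AclEntry:
    action: str                   # "permit" or "deny"
    proto: str                    # "icmp", "tcp", "udp" or "ip" (ip matches all)
    src: str                      # "any", "interface outside" or "net mask"
    dst: str
    icmp_type: Optional[str] = None  # None means every ICMP type


def _spec_matches(spec: str, addr: ipaddress.IPv4Address) -> bool:
    """'interface outside' is the PIX's own interface address, not a wildcard."""
    if spec == "any":
        return True
    if spec == "interface outside":
        return addr == OUTSIDE_IF_IP
    net, mask = spec.split()
    return addr in ipaddress.ip_network(f"{net}/{mask}", strict=False)


def lookup(acl, proto: str, src: str, dst: str,
           icmp_type: Optional[int] = None) -> Tuple[Optional[int], str]:
    """Return (line number, action) of the first matching entry, or implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line, e in enumerate(acl, 1):
        if e.proto not in (proto, "ip"):
            continue
        if not (_spec_matches(e.src, s) and _spec_matches(e.dst, d)):
            continue
        if e.proto == "icmp" and e.icmp_type and ICMP_TYPES[e.icmp_type] != icmp_type:
            continue
        return line, e.action
    return None, "deny"


# Line 4 as posted: the source would have to be the PIX's own outside address.
AS_POSTED = [AclEntry("permit", "icmp", "interface outside", "any", "echo-reply"),
             AclEntry("deny", "ip", "any", "any")]
# Line 4 with the operands swapped: replies from anywhere to the PAT address.
CORRECTED = [AclEntry("permit", "icmp", "any", "interface outside", "echo-reply"),
             AclEntry("deny", "ip", "any", "any")]
```

The `icmp permit ... outside` lines shown under `sh icmp` govern ICMP addressed to the PIX itself, which is why the PIX's own ping succeeds while out_in alone decides whether the inside host's replies get through.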

news8080@yahoo.com 09-23-2005 04:04 PM

Re: icmp weirdness - PIX 501 (does any really mean any??)
 
that did it, thanks


