Pings and PIX messages 302020: Built ICMP - 302021: Teardown ICMP Lots of them....

Scott Townsend
05-01-2006
On my Edge Router I have an Access list for ICMP as follows:

access-list 103 permit icmp any any time-exceeded
access-list 103 permit icmp any any port-unreachable
access-list 103 deny icmp any any
access-list 103 deny icmp any 0.0.0.0 255.255.255.0
access-list 103 deny icmp any 0.0.0.255 255.255.255.0
access-list 103 deny icmp any any redirect


On the PIX Firewall, I have the Following:

access-list acl_outside extended permit icmp any any echo-reply
access-list acl_outside extended permit icmp any any time-exceeded
access-list acl_outside extended permit icmp any any unreachable

On my PIX log I get hundreds of the Following

%PIX-6-302020: Built ICMP connection for faddr 82.160.189.125/0 gaddr
A.B.C.D/0 laddr 10.10.3.10/0
%PIX-6-302021: Teardown ICMP connection for faddr 83.79.179.113/0 gaddr
A.B.C.D/0 laddr 10.10.3.10/0

The Address A.B.C.D/0 laddr 10.10.3.10/0 has been caught using a Sharing
program. I've turned off Port 6346/6347 on the Edge Router, but I'm still
getting the Built and Teardowns.

I would like to be able to Initiate a Ping out from the 10.1.1.0/24, but not
from anywhere else, and would like to not allow anyone to Ping us.

What should I change?

Thanks,
Scott<-
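As an added example (not from the thread, nor a Cisco tool), the following parses the two PIX message IDs quoted above and counts, per inside host (laddr), how many distinct foreign addresses (faddr) it built ICMP connections to; one inside host fanning out to many peers is the pattern I assume a file-sharing client produces. The sample log is constructed: its first two messages are the ones Scott posted, the rest are made-up peers.

```python
import re
from collections import defaultdict

# The two PIX messages from the post. gaddr is the NAT global address, laddr the inside host.
PIX_ICMP_RE = re.compile(
    r"%PIX-6-(?P<id>30202[01]): (?P<event>Built|Teardown) ICMP connection for "
    r"faddr (?P<faddr>[\d.]+)/\d+ gaddr (?P<gaddr>\S+)/\d+ laddr (?P<laddr>[\d.]+)/\d+")

def parse_pix_icmp(text):
    """Yield a dict per 302020/302021 message. Syslog output often wraps a message
    onto a second line (as in the post), so continuation lines are re-joined first."""
    joined = re.sub(r"\n(?!%PIX)", " ", text)
    for line in joined.splitlines():
        m = PIX_ICMP_RE.search(line)
        if m:
            yield m.groupdict()

def peer_summary(text, threshold=20):
    """Return ({laddr: distinct faddr count}, [laddr at or above threshold]).
    Only Built events count; a Teardown whose Built is not in the text is ignored."""
    peers = defaultdict(set)
    for ev in parse_pix_icmp(text):
        if ev["event"] == "Built":
            peers[ev["laddr"]].add(ev["faddr"])
    counts = {laddr: len(p) for laddr, p in peers.items()}
    return counts, [laddr for laddr, n in counts.items() if n >= threshold]

# Constructed sample: the first two messages are the ones Scott posted (gaddr A.B.C.D
# as he redacted it); the rest are made-up peers plus one unrelated TCP message.
SAMPLE = (
    "%PIX-6-302020: Built ICMP connection for faddr 82.160.189.125/0 gaddr\n"
    "A.B.C.D/0 laddr 10.10.3.10/0\n"
    "%PIX-6-302021: Teardown ICMP connection for faddr 83.79.179.113/0 gaddr\n"
    "A.B.C.D/0 laddr 10.10.3.10/0\n"
    + "".join(f"%PIX-6-302020: Built ICMP connection for faddr 198.51.100.{i}/0 "
              f"gaddr A.B.C.D/0 laddr 10.10.3.10/0\n" for i in range(1, 25))
    + "%PIX-6-302020: Built ICMP connection for faddr 198.51.100.99/0 "
      "gaddr A.B.C.D/0 laddr 10.1.1.5/0\n"
      "%PIX-6-302013: Built outbound TCP connection (not an ICMP message, ignored)\n"
)
```

Run `peer_summary(SAMPLE)` to get the per-host counts and the list of hosts over the threshold; on the sample only 10.10.3.10 is flagged.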


Walter Roberson
05-02-2006
In article <9Cs5g.10504$(E-Mail Removed)> ,
Scott Townsend <scott-i@.-N0-SPAMplease.enm.com> wrote:
>On my Edge Router I have an Access list for ICMP as follows:


>access-list 103 permit icmp any any time-exceeded
>access-list 103 permit icmp any any port-unreachable
>access-list 103 deny icmp any any
>access-list 103 deny icmp any 0.0.0.0 255.255.255.0
>access-list 103 deny icmp any 0.0.0.255 255.255.255.0
>access-list 103 deny icmp any any redirect


Which direction is that applied on?

>I would like to be able to Initiate a Ping out from the 10.1.1.0/24, but not
>a from anywhere else and would like to not allow anyone to Ping us.


In the ACL applied out,

permit icmp 10.1.1.0 0.0.0.255 any echo

In the ACL applied in,

permit icmp any PUBLIC_IP PUBLIC_MASK echo-reply

[PUBLIC_IP PUBLIC_MASK for the case where you are NAT'ing, which you
need to be doing because RFC1918 does not allow you to source packets
in any of the reserved IP ranges past the edge of your network.]
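To see how the router evaluates Scott's ACL 103 as posted and Walter's proposed echo-reply line, here is a small first-match ACL simulator (an added example, not code from either post or from Cisco). It models only ICMP ACEs, is stateless like the router ACL itself, and assumes 203.0.113.0/24 as a placeholder for PUBLIC_IP PUBLIC_MASK and that the new line is inserted ahead of `deny icmp any any`.

```python
import ipaddress

# ICMP type keywords from the thread as (type, code); code None matches any code.
ICMP_NAMES = {"echo": (8, None), "echo-reply": (0, None), "time-exceeded": (11, None),
              "unreachable": (3, None), "port-unreachable": (3, 3), "redirect": (5, None)}
_ip = lambda s: int(ipaddress.IPv4Address(s))

def parse_ace(line):
    """Parse one ICMP ACE in IOS/PIX syntax (the 'access-list <id> [extended]' prefix
    is optional) into (action, src, dst, icmp). Addresses are (base, wildcard) ints:
    Cisco wildcard 1-bits are don't-care bits, so '0.0.0.0 255.255.255.0' means
    'last octet is 0', which is not a CIDR prefix and cannot use ip_network()."""
    t = line.split()
    if t[0] == "access-list":
        t = t[3:] if t[2] == "extended" else t[2:]
    action, proto, t = t[0], t[1], t[2:]
    if proto != "icmp":
        raise ValueError("only icmp ACEs are modelled here")
    def addr():
        if t[0] == "any":
            del t[0]
            return (0, 0xFFFFFFFF)
        return (_ip(t.pop(0)), _ip(t.pop(0)))
    src, dst = addr(), addr()
    icmp = ICMP_NAMES[t[0]] if t else None      # no type keyword = every ICMP type
    return (action, src, dst, icmp)

def evaluate(acl, src, dst, icmp_type, icmp_code=0):
    """First-match lookup with Cisco's implicit deny at the end.
    Returns (action, index of the matching ACE, or None for the implicit deny)."""
    for i, (action, s, d, icmp) in enumerate(acl):
        if (s[0] | s[1]) != (_ip(src) | s[1]) or (d[0] | d[1]) != (_ip(dst) | d[1]):
            continue
        if icmp and (icmp[0] != icmp_type or icmp[1] not in (None, icmp_code)):
            continue
        return action, i
    return "deny", None
# Scott's inbound ACL 103, copied from the post.
ACL_103 = [parse_ace(l) for l in """
access-list 103 permit icmp any any time-exceeded
access-list 103 permit icmp any any port-unreachable
access-list 103 deny icmp any any
access-list 103 deny icmp any 0.0.0.0 255.255.255.0
access-list 103 deny icmp any 0.0.0.255 255.255.255.0
access-list 103 deny icmp any any redirect""".splitlines() if l]

# Walter's echo-reply line inserted ahead of 'deny icmp any any' (placement is my
# assumption); 203.0.113.0/24 is a constructed stand-in for PUBLIC_IP PUBLIC_MASK.
ACL_103_FIXED = ACL_103[:2] + [parse_ace("permit icmp any 203.0.113.0 0.0.0.255 echo-reply")] + ACL_103[2:]
```

As posted, line 3 of ACL 103 drops every inbound echo-reply and makes the three deny lines after it unreachable; it also drops type 3 code 4 (fragmentation needed), which breaks path MTU discovery for inside hosts.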
Scott Townsend
05-04-2006
> Which direction is that applied on?
interface MFR0.672 point-to-point
description WAN to SBC Internet Service
ip access-group 103 in


So should I be applying this to the MFR0 or Ethernet Interface?


I think I have a Few Issues.

I guess I Have to assign a Static NAT IP to the Users I want to be able to
Ping so the Edge Router knows who to let have the Ping Replies.

Since the Edge router is not doing the NAT (I have a PIX behind it), it can't
know which of the Public IPs is in the 10.1.1.0/24 network.

Hmmm...

Thank you!

"Walter Roberson" <(E-Mail Removed)> wrote in message
news:vGL5g.106651$WI1.61252@pd7tw2no...
> In article <9Cs5g.10504$(E-Mail Removed)> ,
> Scott Townsend <scott-i@.-N0-SPAMplease.enm.com> wrote:
>>On my Edge Router I have an Access list for ICMP as follows:

>
>>access-list 103 permit icmp any any time-exceeded
>>access-list 103 permit icmp any any port-unreachable
>>access-list 103 deny icmp any any
>>access-list 103 deny icmp any 0.0.0.0 255.255.255.0
>>access-list 103 deny icmp any 0.0.0.255 255.255.255.0
>>access-list 103 deny icmp any any redirect

>
> Which direction is that applied on?
>
>>I would like to be able to Initiate a Ping out from the 10.1.1.0/24, but
>>not
>>a from anywhere else and would like to not allow anyone to Ping us.

>
> In the ACL applied out,
>
> permit icmp 10.1.1.0 0.0.0.255 any echo
>
> In the ACL applied in,
>
> permit icmp any PUBLIC_IP PUBLIC_MASK echo-reply
>
> [PUBLIC_IP PUBLIC_MASK for the case where you are NAT'ing, which you
> need to be doing because RFC1918 does not allow you to source packets
> in any of the reserved IP ranges past the edge of your network.]
