Basic question: Pix & ICMP echo replies

Jesper Jenssen
11-21-2003
Dear group, I'm pretty much stuck with a fairly basic problem. Pix 501
(6.3). I'd like to ping from the inside to the outside, and have done
everything using the documents. I must be doing something wrong. How do I
allow pings to pass through the pix, and be able to receive the replies. Any
help would be appreciated. I know it is simple, but I can't figure it out.
Jesper

Walter Roberson
11-21-2003
In article <3fbe84ef$0$1506$(E-Mail Removed)4all.nl>,
Jesper Jenssen <(E-Mail Removed)> wrote:
:Dear group, I'm pretty much stuck with a fairly basic problem. Pix 501
:(6.3). I'd like to ping from the inside to the outside, and have done
:everything using the documents. I must be doing something wrong. How do I
:allow pings to pass through the pix, and be able to receive the replies. Any
:help would be appreciated. I know it is simple, but I can't figure it out

First, you cannot ping the outside interface of the PIX itself from
the inside network -- the PIX won't answer those.

Second, the way to control what the PIX itself does for icmp is
through the 'icmp' command.

Third, the way to control the passage of icmp -through- the PIX is
by access-lists.

6.3 made some improvements in Adaptive Security for icmp, but the PIX
still has trouble automatically recognizing responses. For now, you
are better off configuring the access lists so that icmp responses are
treated as if they were new icmp.


: block RFC1918 private address ranges and other stuff that should not exist
access-list out2in deny ip 192.168.0.0 255.255.0.0 any
access-list out2in deny ip 172.16.0.0 255.240.0.0 any
access-list out2in deny ip 10.0.0.0 255.0.0.0 any
access-list out2in deny ip 127.0.0.0 255.0.0.0 any
: and so on

access-list out2in permit icmp any any echo-reply
access-list out2in permit icmp any any unreachable
access-list out2in permit icmp any any time-exceeded
: and other traffic to servers here

access-list out2in in interface outside


If you have no access-list applied to the inside interface, the
default is to let all traffic out, but if you want finer control than
that,


: block RFC1918 private address ranges and other stuff that should not exist
access-list in2out deny ip any 192.168.0.0 255.255.0.0
access-list in2out deny ip any 172.16.0.0 255.240.0.0
access-list in2out deny ip any 10.0.0.0 255.0.0.0
access-list in2out deny ip any 127.0.0.0 255.0.0.0
: and so on

access-list in2out permit icmp any any echo
access-list in2out permit icmp any any unreachable
access-list in2out permit icmp any any time-exceeded
: and any other traffic to the outside here -- caution, default is to deny!

access-list in2out in interface inside
--
Rome was built one paycheck at a time. -- Walter Roberson
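To make the "treat responses as if they were new icmp" approach concrete, here is an added Python model (not code from this thread) that evaluates abridged copies of the out2in/in2out lists above with PIX first-match semantics and traces one ping through them. The addresses and the abridged lists are constructed; 203.0.113.7 stands in for the PIX outside address, and the lists are assumed to be applied with access-group, as the follow-up in the thread confirms.

```python
import ipaddress

# Abridged copies of the two lists from the post (one RFC1918 deny each,
# then the ICMP permits); constructed here for the walkthrough.
OUT2IN = """access-list out2in deny ip 10.0.0.0 255.0.0.0 any
access-list out2in permit icmp any any echo-reply
access-list out2in permit icmp any any unreachable"""
IN2OUT = """access-list in2out deny ip any 10.0.0.0 255.0.0.0
access-list in2out permit icmp any any echo"""

def _addr(t, i):
    """Return (network, next index); PIX masks are real subnet masks, not wildcards."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def parse_acl(text):
    """Parse 'access-list NAME ACTION PROTO SRC DST [ICMP-TYPE]' lines."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        src, i = _addr(t, 4)
        dst, i = _addr(t, i)
        rules.append((t[2], t[3], src, dst, t[i] if i < len(t) else None))
    return rules

def evaluate(rules, proto, src, dst, icmp_type=None):
    """First-match evaluation; anything unmatched hits the PIX's implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst, rtype in rules:
        if (rproto in ("ip", proto) and s in rsrc and d in rdst
                and (rproto == "ip" or rtype in (None, icmp_type))):
            return action
    return "deny"

def ping_walkthrough():
    """Trace one ping; addresses are constructed (203.0.113.7 = PIX outside).
    The last entry shows the stateless trade-off: a reply nobody asked for
    is admitted too, because responses are treated as if they were new icmp."""
    in2out, out2in = parse_acl(IN2OUT), parse_acl(OUT2IN)
    return {
        "echo_out": evaluate(in2out, "icmp", "192.168.1.10", "198.51.100.5", "echo"),
        "reply_in": evaluate(out2in, "icmp", "198.51.100.5", "203.0.113.7", "echo-reply"),
        "unsolicited_echo_in": evaluate(out2in, "icmp", "198.51.100.5", "203.0.113.7", "echo"),
        "private_src_reply_in": evaluate(out2in, "icmp", "10.1.2.3", "203.0.113.7", "echo-reply"),
        "unsolicited_reply_in": evaluate(out2in, "icmp", "198.51.100.99", "203.0.113.7", "echo-reply"),
    }
```

The walkthrough returns "permit" for the outbound echo and the matching echo-reply, "deny" for an unsolicited inbound echo and for a reply with a private source, and "permit" for an unsolicited echo-reply, which is the price of not relying on the PIX to track ICMP state.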
 
Jesper Jenssen
11-21-2003

"Walter Roberson" <(E-Mail Removed)-cnrc.gc.ca> wrote in message
news:bpm44o$efu$(E-Mail Removed)...

>
> : block RFC1918 private address ranges and other stuff that should not exist
> access-list out2in deny ip 192.168.0.0 255.255.0.0 any
> access-list out2in deny ip 172.16.0.0 255.240.0.0 any
> access-list out2in deny ip 10.0.0.0 255.0.0.0 any
> access-list out2in deny ip 127.0.0.0 255.0.0.0 any
> : and so on
>
> access-list out2in permit icmp any any echo-reply
> access-list out2in permit icmp any any unreachable
> access-list out2in permit icmp any any time-exceeded
> : and other traffic to servers here
>
> access-list out2in in interface outside
>


Thanks! That did the trick, even better, I now understand what I was doing
wrong. Just to make sure that I don't completely mess up: didn't you mean
access-group out2in in interface outside?

Thanks again, it is a great feeling that it really works after struggling
for hours!
Jesper

Walter Roberson
11-21-2003
In article <3fbe9979$0$1500$(E-Mail Removed)4all.nl>,
Jesper Jenssen <(E-Mail Removed)> wrote:
:Just to make sure that I don't completely mess up: didn't you mean
:access-group out2in in interface outside?

Oops, yes.
--
Beware of bugs in the above code; I have only proved it correct,
not tried it. -- Donald Knuth