Velocity Reviews - Computer Hardware Reviews

GRC and Cisco PIX 501

 
 
Networking Student
11-11-2006
Hi Folks,

I have a Cisco PIX 501, and now that it is up and running, I went to
test it out at GRC dot com using "Shields Up" on "Common Ports" and
received the following message:

Ping Reply: RECEIVED (FAILED) - Your system REPLIED to our Ping (ICMP
Echo) requests, making it visible on the Internet. Most personal
firewalls can be configured to block, drop, and ignore such ping
requests in order to better hide systems from hackers. This is highly
recommended since "Ping" is among the oldest and most common methods
used to locate systems prior to further exploitation.

So I am wondering how I can block this as GRC states I should be able
to. Please be aware that I am very new at this and it was quite a task
for me to get up and running in the first place. I AM slowly figuring
things out though.

How can I block an ICMP ping request from the command line with a Cisco
PIX 501?

Thanks everyone.

 
Walter Roberson
11-11-2006
In article <(E-Mail Removed). com>,
Networking Student <(E-Mail Removed)> wrote:

> I have a Cisco PIX 501, and now that it is up and running, I went to
> test it out at GRC dot com using "Shields Up" on "Common Ports" and
> received the following message:

Unfortunately, at the same time you did NOT receive a message suggesting
that you visit and think about the content at http://www.grcsucks.com

> Ping Reply: RECEIVED (FAILED) - Your system REPLIED to our Ping (ICMP

> So I am wondering how I can block this as GRC states I should be able
> to.

Ping of the firewall is controlled by the 'icmp' command.

> Please be aware that I am very new at this

When you block icmp echo to the PIX, be sure to still allow
icmp echo-reply, icmp time-exceeded and icmp unreachable.

Also note that if you have no icmp command applied to the outside
interface, then all icmp is permitted to the PIX itself, but
if you put in even one icmp command applied to the outside interface
then that default permit no longer applies and you must specify
everything you want to permit to the PIX.

The icmp command only applies to icmp sent to the PIX outside
interface IP -- but that includes the case where you are using
global (outside) interface to PAT all the inside traffic to the
outside IP. In the more general case where you have several IPs
in your global pool, or have static commands to multiple outside IPs,
then the icmp command does not apply to those: traffic addressed
to any IP other than the outside interface IP is controlled
by the access-group applied to the outside interface.
 
Uli Link
11-11-2006
Networking Student wrote:

> I have a Cisco PIX 501, and now that it is up and running, I went to
> test it out at GRC dot com using "Shields Up" on "Common Ports" and
> received the following message:
>
> Ping Reply: RECEIVED (FAILED) - Your system REPLIED to our Ping (ICMP
> Echo) requests, making it visible on the Internet. Most personal
> firewalls can be configured to block, drop, and ignore such ping
> requests in order to better hide systems from hackers. This is highly
> recommended since "Ping" is among the oldest and most common methods
> used to locate systems prior to further exploitation.

Hiding ICMP is a very weak and obscure countermeasure.
So if you think you'll need to hide your firewall from the internet better
- buy a better firewall
- or disconnect it from the public internet

ICMP is not only used for exploring the network, it is also needed
e.g. for discovering the path MTU.

If you don't want your firewall responding to icmp echo-reply (don't
answer "ping") be sure to allow all needed icmp subtypes.

Best is to simply ignore this stupid warning and read Walter's answer to
your question.

--
Uli
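
Walter's description of the icmp command and Uli's reminder that path MTU discovery needs ICMP, combined into one added PIX 6.x configuration example that is not from the thread (the interface name outside, the ACL name acl_out and the host address 192.0.2.10 are assumed or constructed):

```text
! Added example (not from the thread). PIX 6.x: stop the outside interface
! IP from answering echo requests (what Shields Up flagged) while keeping
! the ICMP types Walter lists. Interface name "outside" is assumed.
!
! Weak state: NO icmp command on "outside". Every ICMP type addressed to
! the outside interface IP is then accepted, including echo.
!
! Hardened state: once the first icmp line exists for "outside", anything
! not listed is implicitly denied, so every type to keep must be named.
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp deny any echo outside
!
! echo-reply: answers to pings the PIX itself sends (PIX 6.x does not
! track ICMP statefully). unreachable: includes fragmentation-needed
! (type 3, code 4), the message path MTU discovery depends on (Uli's
! point); dropping it causes stalled large transfers, not just stealth.
!
! Addresses other than the outside interface IP (static / global pool
! entries) are not covered by icmp; they are governed by the ACL bound
! with access-group. Example for one static, constructed address and
! ACL name (if an ACL is already bound to outside, add lines to that one):
access-list acl_out permit icmp any host 192.0.2.10 echo-reply
access-list acl_out permit icmp any host 192.0.2.10 unreachable
access-list acl_out permit icmp any host 192.0.2.10 time-exceeded
access-group acl_out in interface outside
!
! Check: "show icmp" lists the rules; a ping of the interface IP from an
! outside host should now time out.
```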

 
Networking Student
11-12-2006

Uli Link wrote:
> Networking Student wrote:
>
> > I have a Cisco PIX 501, and now that it is up and running, I went to
> > test it out at GRC dot com using "Shields Up" on "Common Ports" and
> > received the following message:
> >
> > Ping Reply: RECEIVED (FAILED) - Your system REPLIED to our Ping (ICMP
> > Echo) requests, making it visible on the Internet. Most personal
> > firewalls can be configured to block, drop, and ignore such ping
> > requests in order to better hide systems from hackers. This is highly
> > recommended since "Ping" is among the oldest and most common methods
> > used to locate systems prior to further exploitation.
>
> Hiding ICMP is a very weak and obscure countermeasure.
> So if you think you'll need to hide your firewall from the internet better
> - buy a better firewall
> - or disconnect it from the public internet
>
> ICMP is not only used for exploring the network, it is also needed for
> discovering the path MTU for e.g.
>
> If you don't wan't your firewall responding to icmp echo-reply (don't
> answer "ping") be sure to allow all needed icmp subtypes.
>
> Best is to simply ignore this stupid warning and read Walter's answer to
> your question.
>
> --
> Uli

I understand and I appreciate everyone's help thus far, especially yours,
Walter. I had read a few negative things about GRC but now there is
little doubt that it's not a good place for quality information.

 
Uli Link
11-13-2006
Networking Student wrote:
>> So if you think you'll need to hide your firewall from the internet better
>> - buy a better firewall
>> - or disconnect it from the public internet
>> Best is to simply ignore this stupid warning and read Walter's answer to
>> your question.
>
> I understand and I appreciate everyones help thus far especially yours
> Walter. I had read a few negative things about GRC but now there is
> little doubt that it's not a good place for quality information.

GRC is really o.k. for a Windooze newbie for the first time connected to
the internet. It is also o.k. for verifying your $10 new-in-box DSL
router bought at your local super market.

It was not designed for professional equipment needing a professional
configuration.

--
Uli
 