icmp weirdness - PIX 501 (does any really mean any??)

news8080@yahoo.com, 09-23-2005
anyone care to take a poke at this?

pix501(config)# sh access-list out_in
access-list out_in; 5 elements
access-list out_in line 1 permit tcp 192.168.4.0 255.255.255.0
interface outside object-group TCP-21-THRU-137
access-list out_in line 1 permit tcp 192.168.4.0 255.255.255.0
interface outside range ftp 137 (hitcnt=0)
access-list out_in line 2 permit udp 192.168.4.0 255.255.255.0
interface outside eq netbios-ns (hitcnt=0)
access-list out_in line 3 permit tcp any interface outside eq 24
(hitcnt=0)
access-list out_in line 4 permit icmp interface outside any
object-group ICMP_REP
access-list out_in line 4 permit icmp interface outside any echo-reply
(hitcnt=0)
access-list out_in line 5 deny ip any any (hitcnt=13)
pix501(config)#

pix501(config)# sh object-gr icmp-type
object-group icmp-type ICMP_REP
icmp-object echo-reply

pix501(config)# sh nat
nat (inside) 0 access-list NAT0
nat (inside) 1 192.168.50.0 255.255.255.0 0 0

pix501(config)# sh icmp
icmp permit any unreachable outside
icmp permit any echo-reply outside
icmp deny any outside
pix501(config)# ping 64.233.167.104
64.233.167.104 response received -- 20ms
64.233.167.104 response received -- 40ms
64.233.167.104 response received -- 10ms

ip audit signature 2000 disable


here is the syslog entry from when I ping 64.233.167.104 from
192.168.50.7

Sep 23 03:08:43 pix Sep 23 2005 09:57:31: %PIX-4-106023: Deny icmp src
outside:64.233.167.104 dst inside:6.6.3.9 (type 0, code 0) by
access-group "out_in"
Sep 23 03:08:44 pix Sep 23 2005 09:57:32: %PIX-4-106023: Deny icmp src
outside:64.233.167.104 dst inside:6.6.3.9 (type 0, code 0) by
access-group "out_in"


I can't ping google from 192.168.50.7. I can browse to it (and all
other websites) but just can't ping. And no, there is no firewall of any
kind running on 192.168.50.7 that blocks anything.

Walter Roberson, 09-23-2005
In article <(E-Mail Removed)>, (E-Mail Removed) wrote:
:anyone care to take a poke at this?

>pix501(config)# sh access-list out_in
>access-list out_in line 4 permit icmp interface outside any object-group ICMP_REP
>access-list out_in line 4 permit icmp interface outside any echo-reply (hitcnt=0)


You have the 'any' and 'interface outside' reversed.
The outside interface is never going to generate packets that it
tries to send "through" the PIX to "any" on the inside.
--
When Love is gone, there's always Justice.
When Justice is gone, there's always Force.
When Force is gone, there's always Mom. -- Laurie Anderson
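The diagnosis above can be checked mechanically. The following script is an added example and is not code from the thread or from Cisco: it parses the expanded lines of the posted `out_in` access-list in first-match-wins order, evaluates them against the echo-reply that the syslog shows being denied, and flags any inbound ACE whose source is the firewall's own outside interface (nothing arriving from the Internet carries that address, so such an ACE can never match). Assumptions not on the page: the outside interface / PAT address (`203.0.113.1`, a constructed value), and that the outside ACL on this PIX release is matched against the translated (global) destination, which is why the reply's destination is modelled as the interface address rather than the logged inside host 6.6.3.9.

```python
"""Evaluate a PIX-style inbound access-list against a packet, first match wins."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional

# Assumption (constructed, not on the page): the outside interface / PAT address.
OUTSIDE_IF_ADDR = ipaddress.ip_address("203.0.113.1")
PORT_NAMES = {"ftp": 21, "netbios-ns": 137}  # port names used in the posted ACL

# Expanded ACE lines as posted (object-group container lines omitted).
ACL_AS_POSTED = """
access-list out_in line 1 permit tcp 192.168.4.0 255.255.255.0 interface outside range ftp 137 (hitcnt=0)
access-list out_in line 2 permit udp 192.168.4.0 255.255.255.0 interface outside eq netbios-ns (hitcnt=0)
access-list out_in line 3 permit tcp any interface outside eq 24 (hitcnt=0)
access-list out_in line 4 permit icmp interface outside any echo-reply (hitcnt=0)
access-list out_in line 5 deny ip any any (hitcnt=13)
"""
# Same ACL with line 4's source and destination swapped, as suggested in the reply.
ACL_FIXED = ACL_AS_POSTED.replace(
    "permit icmp interface outside any echo-reply",
    "permit icmp any interface outside echo-reply")


@dataclass
class Packet:
    proto: str                       # "icmp", "tcp" or "udp"
    src: str
    dst: str
    icmp_type: Optional[str] = None  # e.g. "echo-reply"
    dport: Optional[int] = None


@dataclass
class Ace:
    line: int
    action: str
    proto: str
    src: Callable[[ipaddress.IPv4Address], bool]
    dst: Callable[[ipaddress.IPv4Address], bool]
    src_is_interface: bool
    qualifier: List[str]             # icmp type name, "eq X" or "range A B"


def _endpoint(tokens, i):
    """Parse one address spec at tokens[i]; return (matcher, is_interface, next_index)."""
    t = tokens[i]
    if t == "any":
        return (lambda a: True), False, i + 1
    if t == "interface":             # 'interface outside' means the interface's own address
        return (lambda a: a == OUTSIDE_IF_ADDR), True, i + 2
    if t == "host":
        h = ipaddress.ip_address(tokens[i + 1])
        return (lambda a: a == h), False, i + 2
    net = ipaddress.ip_network(f"{t}/{tokens[i + 1]}", strict=False)
    return (lambda a: a in net), False, i + 2


def parse_acl(text: str) -> List[Ace]:
    aces = []
    for raw in text.strip().splitlines():
        tok = raw.split()
        if "object-group" in tok:    # container line; its expansion follows in 'show' output
            continue
        # access-list NAME line N ACTION PROTO SRC... DST... [qualifier] (hitcnt=..)
        line, action, proto = int(tok[3]), tok[4], tok[5]
        src, src_if, i = _endpoint(tok, 6)
        dst, _, i = _endpoint(tok, i)
        qual = [q for q in tok[i:] if not q.startswith("(hitcnt")]
        aces.append(Ace(line, action, proto, src, dst, src_if, qual))
    return aces


def _port(name: str) -> int:
    return PORT_NAMES.get(name) or int(name)


def _qualifier_ok(ace: Ace, pkt: Packet) -> bool:
    q = ace.qualifier
    if not q:
        return True
    if ace.proto == "icmp":
        return pkt.icmp_type == q[0]
    if pkt.dport is None:
        return False
    if q[0] == "eq":
        return pkt.dport == _port(q[1])
    if q[0] == "range":
        return _port(q[1]) <= pkt.dport <= _port(q[2])
    return False


def evaluate(aces: List[Ace], pkt: Packet):
    """Return (action, line) of the first matching ACE, or ('deny', None) for the implicit deny."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for ace in aces:
        if ace.proto in (pkt.proto, "ip") and ace.src(s) and ace.dst(d) \
                and _qualifier_ok(ace, pkt):
            return ace.action, ace.line
    return "deny", None


def reversed_interface_sources(aces: List[Ace]) -> List[int]:
    """ACE lines whose source is the outside interface itself: unmatchable on an inbound ACL."""
    return [a.line for a in aces if a.src_is_interface]


# The echo-reply from the syslog: src 64.233.167.104, dst = translated (PAT) address (assumption).
ECHO_REPLY = Packet("icmp", "64.233.167.104", str(OUTSIDE_IF_ADDR), icmp_type="echo-reply")

if __name__ == "__main__":
    for name, text in (("as posted", ACL_AS_POSTED), ("fixed", ACL_FIXED)):
        acl = parse_acl(text)
        print(name, evaluate(acl, ECHO_REPLY), "unmatchable lines:", reversed_interface_sources(acl))
```

With the ACL as posted the reply falls through to line 5, matching the `%PIX-4-106023 ... by access-group "out_in"` entries in the log and the `hitcnt=13` on the deny; with line 4 reordered it is permitted by line 4. The lint function is the check worth keeping: any inbound ACE whose source field is `interface outside` is dead configuration.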
news8080@yahoo.com, 09-23-2005
that did it, thanks