GRC and Cisco PIX 501

Discussion in 'Cisco' started by Networking Student, Nov 11, 2006.

  1. Hi Folks,

    I have a Cisco PIX 501, and now that it is up and running, I went to
    test it out at GRC dot com using "Shields Up" on "Common Ports" and
    received the following message:

    Ping Reply: RECEIVED (FAILED) - Your system REPLIED to our Ping (ICMP
    Echo) requests, making it visible on the Internet. Most personal
    firewalls can be configured to block, drop, and ignore such ping
    requests in order to better hide systems from hackers. This is highly
    recommended since "Ping" is among the oldest and most common methods
    used to locate systems prior to further exploitation.

    So I am wondering how I can block this as GRC states I should be able
    to. Please be aware that I am very new at this and it was quite a task
    for me to get up and running in the first place. I AM slowly figuring
    things out though.

    How can I block an ICMP ping request from the command line with a Cisco
    PIX 501?

    Thanks everyone.
    Networking Student, Nov 11, 2006
    #1

  2. In article <>,
    Networking Student <> wrote:

    > I have a Cisco PIX 501, and now that it is up and running, I went to
    > test it out at GRC dot com using "Shields Up" on "Common Ports" and
    > received the following message:

    Unfortunately, at the same time you did NOT receive a message suggesting
    that you visit and think about the content at http://www.grcsucks.com

    > Ping Reply: RECEIVED (FAILED) - Your system REPLIED to our Ping (ICMP

    > So I am wondering how I can block this as GRC states I should be able
    > to.

    Ping of the firewall is controlled by the 'icmp' command.

    > Please be aware that I am very new at this

    When you block icmp echo to the PIX, be sure to still allow
    icmp echo-reply and icmp time-exceeded and icmp unreachable.

    Also note that if you have no icmp command applied to the outside
    interface, then all icmp is permitted to the PIX itself, but
    if you put in even one icmp command applied to the outside interface
    then that default permit no longer applies and you must specify
    everything you want to permit to the PIX.

    The icmp command only applies to icmp sent to the PIX outside
    interface IP -- but that includes the case where you are using
    global (outside) interface to PAT all the inside traffic to the
    outside IP. In the more general case where you have several IPs
    in your global pool, or have static commands to multiple outside IPs,
    then the icmp command does not apply to those: traffic addressed
    to any IP other than the outside interface IP is controlled
    by the access-group applied to the outside interface.
    Walter Roberson, Nov 11, 2006
    #2

  3. Uli Link, Guest

    Networking Student wrote:

    > I have a Cisco PIX 501, and now that it is up and running, I went to
    > test it out at GRC dot com using "Shields Up" on "Common Ports" and
    > received the following message:
    >
    > Ping Reply: RECEIVED (FAILED) - Your system REPLIED to our Ping (ICMP
    > Echo) requests, making it visible on the Internet. Most personal
    > firewalls can be configured to block, drop, and ignore such ping
    > requests in order to better hide systems from hackers. This is highly
    > recommended since "Ping" is among the oldest and most common methods
    > used to locate systems prior to further exploitation.


    Hiding ICMP is a very weak and obscure countermeasure.
    So if you think you'll need to hide your firewall from the internet better
    - buy a better firewall
    - or disconnect it from the public internet

    ICMP is not only used for exploring the network, it is also needed for
    discovering the path MTU, for example.

    If you don't want your firewall responding to icmp echo-reply (don't
    answer "ping") be sure to allow all needed icmp subtypes.

    Best is to simply ignore this stupid warning and read Walter's answer to
    your question.

    --
    Uli
    Uli Link, Nov 11, 2006
    #3
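    Walter's description of the 'icmp' command and Uli's reminder to keep the
    needed ICMP subtypes open, written out as a PIX 6.x configuration fragment.
    This is an added example, not something posted in the thread; the interface
    name 'outside', the source 'any' and the ACL name 'outside_in' are assumptions.

    ```text
    ! Added example for a PIX 6.x; 'outside' and 'outside_in' are assumed names.
    !
    ! Before: with no 'icmp' command naming 'outside', the PIX answers every ICMP
    ! type sent to its outside interface IP, which is what Shields Up reported.
    !
    ! After: the moment one 'icmp' line names 'outside', anything not listed is
    ! dropped, so the reply and error types the PIX itself relies on must be
    ! permitted explicitly. 'unreachable' includes the fragmentation-needed
    ! message that path MTU discovery depends on.
    icmp deny any echo outside
    icmp permit any echo-reply outside
    icmp permit any time-exceeded outside
    icmp permit any unreachable outside
    !
    ! Show the icmp lines now applied to the interfaces.
    show icmp
    !
    ! The 'icmp' lines above only cover ICMP addressed to the outside interface
    ! IP (the PAT address in a single-IP setup). ICMP to other global or static
    ! addresses is filtered by the access-list bound to 'outside'; these lines
    ! assume that ACL is called 'outside_in' and let the same reply/error types
    ! through while still not permitting inbound echo.
    access-list outside_in permit icmp any any echo-reply
    access-list outside_in permit icmp any any time-exceeded
    access-list outside_in permit icmp any any unreachable
    access-group outside_in in interface outside
    ```

    After applying the 'icmp' lines, a ping from outside should time out while traceroute and path MTU discovery through the PIX keep working.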
  4. Uli Link wrote:
    > Networking Student wrote:
    >
    > > I have a Cisco PIX 501, and now that it is up and running, I went to
    > > test it out at GRC dot com using "Shields Up" on "Common Ports" and
    > > received the following message:
    > >
    > > Ping Reply: RECEIVED (FAILED) - Your system REPLIED to our Ping (ICMP
    > > Echo) requests, making it visible on the Internet. Most personal
    > > firewalls can be configured to block, drop, and ignore such ping
    > > requests in order to better hide systems from hackers. This is highly
    > > recommended since "Ping" is among the oldest and most common methods
    > > used to locate systems prior to further exploitation.

    >
    > Hiding ICMP is a very weak and obscure countermeasure.
    > So if you think you'll need to hide your firewall from the internet better
    > - buy a better firewall
    > - or disconnect it from the public internet
    >
    > ICMP is not only used for exploring the network, it is also needed for
    > discovering the path MTU, for example.
    >
    > If you don't want your firewall responding to icmp echo-reply (don't
    > answer "ping") be sure to allow all needed icmp subtypes.
    >
    > Best is to simply ignore this stupid warning and read Walter's answer to
    > your question.
    >
    > --
    > Uli


    I understand and I appreciate everyone's help thus far, especially yours,
    Walter. I had read a few negative things about GRC, but now there is
    little doubt that it's not a good place for quality information.
    Networking Student, Nov 12, 2006
    #4
  5. Uli Link, Guest

    Networking Student wrote:
    >> So if you think you'll need to hide your firewall from the internet better
    >> - buy a better firewall
    >> - or disconnect it from the public internet
    >> Best is to simply ignore this stupid warning and read Walter's answer to
    >> your question.
    >>


    >
    > I understand and I appreciate everyone's help thus far, especially yours,
    > Walter. I had read a few negative things about GRC, but now there is
    > little doubt that it's not a good place for quality information.
    >


    GRC is really o.k. for a Windooze newbie for the first time connected to
    the internet. It is also o.k. for verifying your $10 new-in-box DSL
    router bought at your local supermarket.

    It was not designed for professional equipment needing a professional
    configuration.

    --
    Uli
    Uli Link, Nov 13, 2006
    #5