icmp type 11 cause pix to deny traffic

Discussion in 'Cisco' started by Drx, Jul 27, 2005.

  1. Drx

    Drx Guest

    Is it possible that icmp type 11 code 0 cause pix to drop traffic?

    After

    %PIX-3-313001: Denied ICMP type=11, code=0 from x.x.x.6 on interface inside

    the access list denies traffic it otherwise passes.
    Drx, Jul 27, 2005
    #1

  2. rave

    rave Guest

    check the access-list once again.
    rave, Aug 2, 2005
    #2

  3. Drx

    Drx Guest

    On 1 Aug 2005 16:32:29 -0700, rave wrote:

    > check the access-list once again.


    I did, believe me I did. I am using IPSEC tunnels and everything works ok
    until this ICMP type 11 shows up. After that UDP from ipsec peers port 500
    is denied.
    Drx, Aug 2, 2005
    #3
  4. In article <1n9dp7cqf3fas$>,
    Drx <> wrote:
    :I did, believe me I did. I am using IPSEC tunnels and everything works ok
    :until this ICMP type 11 shows up. After that UDP from ipsec peers port 500
    :is denied.

    icmp 11/0 is TTL Exceeded.

    Your original posting had this being recorded as generated by
    x.x.x.6 and detected by the PIX.

    For the denied udp 500 packets, are they destined for x.x.x.6 ?

    Is that host NAT'd, or static'd to itself, or nat 0'd or
    nat 0 access-list'd ?

    Do you have isakmp nat-traversal 20 turned on?
    --
    "I will speculate that [...] applications [...] could actually see a
    performance boost for most users by going dual-core [...] because it
    is running the adware and spyware that [...] are otherwise slowing
    down the single CPU that user has today" -- Herb Sutter
    Walter Roberson, Aug 3, 2005
    #4
  5. Drx

    Guest

    On Wed, 3 Aug 2005 15:21:13 +0000 (UTC), Walter Roberson wrote:

    > In article <1n9dp7cqf3fas$>,
    > Drx <> wrote:
    >:I did, believe me I did. I am using IPSEC tunnels and everything works ok
    >:until this ICMP type 11 shows up. After that UDP from ipsec peers port 500
    >:is denied.
    >
    > icmp 11/0 is TTL Exceeded.
    >
    > Your original posting had this being recorded as generated by
    > x.x.x.6 and detected by the PIX.
    >
    > For the denied udp 500 packets, are they destined for x.x.x.6 ?
    >
    > Is that host NAT'd, or static'd to itself, or nat 0'd or
    > nat 0 access-list'd ?
    >
    > Do you have isakmp nat-traversal 20 turned on?


    x.x.x.6 is the router from which peers are coming. x.x.x.5 is the outside int of
    the pix. Peer packets are destined for x.x.x.5, the pix interface. I do not have
    isakmp nat-traversal because peers are not nat-ed. I must point out that
    everything is working fine for some time. I do not understand how it can
    work fine for 20 hours or so and then stop working.

    thanks
    , Aug 3, 2005
    #5
  6. In article <>, <> wrote:
    :x.x.x.6 is the router from which peers are coming. x.x.x.5 is the outside int of
    :the pix. Peer packets are destined for x.x.x.5, the pix interface.

    I just wandered across your initial thread, with your config, which
    showed you are using PIX 7.0. It's good to indicate version numbers with
    each thread, as people might not have read the other thread (or might
    not make the mental connection between the two.)

    Anyhow, I notice that the IDS message you are getting, notifying
    of the ICMP 11/0, is against the *inside* interface, but your router
    x.x.x.6 is on your *outside* interface (if I have understood correctly.)
    This suggests that something inside is spoofing the router address,
    and that the PIX is getting confused by that.

    You might want to turn on the PIX 7.0 equivalent of reverse path
    verification.
    --
    'The short version of what Walter said is "You have asked a question
    which has no useful answer, please reconsider the nature of the
    problem you wish to solve".' -- Tony Mantler
    Walter Roberson, Aug 3, 2005
    #6
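    The check Walter is describing (a deny logged against the inside interface for a source address that belongs to the outside subnet) can be automated over the PIX syslog feed. The following is an added example, not code from the thread or from Cisco; the interface subnets and the log lines are constructed for illustration.

    ```python
    import ipaddress
    import re
    from typing import Dict, List, Optional, Tuple

    # Shape of the %PIX-3-313001 message quoted in the thread: the firewall
    # received an ICMP packet on some interface and denied it.
    LOG_313001 = re.compile(
        r"%PIX-\d-313001: Denied ICMP type=(?P<type>\d+), code=(?P<code>\d+) "
        r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) on interface (?P<iface>\S+)"
    )

    # Constructed topology (assumption): outside is 203.0.113.0/29 with the
    # peer router at .6, inside is 192.168.10.0/24.
    NETS: Dict[str, ipaddress.IPv4Network] = {
        "outside": ipaddress.ip_network("203.0.113.0/29"),
        "inside": ipaddress.ip_network("192.168.10.0/24"),
    }

    # Constructed sample log lines (not real captures).
    SAMPLE_LOG = [
        "%PIX-3-313001: Denied ICMP type=11, code=0 from 203.0.113.6 on interface inside",
        "%PIX-3-313001: Denied ICMP type=11, code=0 from 203.0.113.6 on interface outside",
        "%PIX-3-313001: Denied ICMP type=8, code=0 from 192.168.10.77 on interface inside",
        "%PIX-6-302015: Built outbound UDP connection 4242 for outside:203.0.113.6/500 "
        "(203.0.113.6/500) to inside:192.168.10.5/500 (192.168.10.5/500)",
    ]

    def parse_313001(line: str) -> Optional[Dict[str, str]]:
        """Return the fields of a 313001 line, or None for any other message."""
        m = LOG_313001.search(line)
        return m.groupdict() if m else None

    def expected_interface(src: str, nets: Dict[str, ipaddress.IPv4Network]) -> Optional[str]:
        """Interface whose directly connected subnet contains src (None if unknown)."""
        addr = ipaddress.ip_address(src)
        for name, net in nets.items():
            if addr in net:
                return name
        return None

    def find_interface_mismatches(lines, nets) -> List[Tuple[str, str, str]]:
        """(src, seen_on, expected) for denies whose source address belongs to a
        different directly connected interface than the one it arrived on, i.e.
        an address that is being spoofed or leaking in from the wrong side."""
        hits = []
        for line in lines:
            rec = parse_313001(line)
            if rec is None:
                continue
            expected = expected_interface(rec["src"], nets)
            if expected is not None and expected != rec["iface"]:
                hits.append((rec["src"], rec["iface"], expected))
        return hits
    ```

    Only the first sample line is flagged: the router's outside address arrived on the inside interface, which is exactly what reverse path verification would drop.
    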
  7. Drx

    Guest

    On Wed, 3 Aug 2005 18:07:59 +0000 (UTC), Walter Roberson wrote:

    > In article <>, <> wrote:
    > :x.x.x.6 is the router from which peers are coming. x.x.x.5 is the outside int of
    > :the pix. Peer packets are destined for x.x.x.5, the pix interface.
    >
    > I just wandered across your initial thread, with your config, which
    > showed you are using PIX 7.0. It's good to indicate version numbers with
    > each thread, as people might not have read the other thread (or might
    > not make the mental connection between the two.)
    >
    > Anyhow, I notice that the IDS message you are getting, notifying
    > of the ICMP 11/0, is against the *inside* interface, but your router
    > x.x.x.6 is on your *outside* interface (if I have understood correctly.)
    > This suggests that something inside is spoofing the router address,
    > and that the PIX is getting confused by that.
    >
    > You might want to turn on the PIX 7.0 equivalent of reverse path
    > verification.


    Yes, you understood correctly, the message indicates traffic against the inside
    interface. It was strange to me also, I will go in the antispoof direction :))
    but maybe something is wrong with the pix code.
    , Aug 3, 2005
    #7