Pings and PIX messages 302020: Built ICMP - 302021: Teardown ICMP Lots of them....

Discussion in 'Cisco' started by Scott Townsend, May 1, 2006.

  1. On my Edge Router I have an Access list for ICMP as follows:

    access-list 103 permit icmp any any time-exceeded
    access-list 103 permit icmp any any port-unreachable
    access-list 103 deny icmp any any
    access-list 103 deny icmp any 0.0.0.0 255.255.255.0
    access-list 103 deny icmp any 0.0.0.255 255.255.255.0
    access-list 103 deny icmp any any redirect


    On the PIX Firewall, I have the Following:

    access-list acl_outside extended permit icmp any any echo-reply
    access-list acl_outside extended permit icmp any any time-exceeded
    access-list acl_outside extended permit icmp any any unreachable

    On my PIX log I get hundreds of the Following

    %PIX-6-302020: Built ICMP connection for faddr 82.160.189.125/0 gaddr
    A.B.C.D/0 laddr 10.10.3.10/0
    %PIX-6-302021: Teardown ICMP connection for faddr 83.79.179.113/0 gaddr
    A.B.C.D/0 laddr 10.10.3.10/0

    The Address A.B.C.D/0 laddr 10.10.3.10/0 has been caught using a Sharing
    program. I've turned off Port 6346/6347 on the Edge Router, but I'm still
    getting the Built and Teardowns.

    I would like to be able to Initiate a Ping out from the 10.1.1.0/24, but not
    from anywhere else, and would like to not allow anyone to Ping us.

    What should I change?

    Thanks,
    Scott
     
    Scott Townsend, May 1, 2006
    #1
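Added example, not code from the thread: a small Python parser for the 302020/302021 messages quoted in the post above. The sample lines are constructed (the two faddr values from the post plus documentation addresses in 198.51.100.0/24 and 192.0.2.0/24, joined back onto one line where the post wrapped them). It tallies builds and teardowns per local address and counts the distinct foreign hosts each one talks to, which is the first thing to establish before changing ACLs: one inside host exchanging ICMP with a long list of foreign addresses looks very different from a host that simply pings a few destinations.

```python
import re
from collections import defaultdict

# Matches the two PIX 7.x ICMP connection messages quoted in the post. gaddr may be the
# anonymised "A.B.C.D" placeholder, so every address is captured as a generic token.
ICMP_CONN_RE = re.compile(
    r"%PIX-\d-(?P<msgid>30202[01]): (?P<event>Built|Teardown) ICMP connection for "
    r"faddr (?P<faddr>\S+)/(?P<ftype>\d+) gaddr (?P<gaddr>\S+)/\d+ laddr (?P<laddr>\S+)/\d+"
)

# Constructed sample log: the two lines from the post plus invented peers in
# documentation address space, and one noise line the parser must ignore.
SAMPLE_LOG = """\
%PIX-6-302020: Built ICMP connection for faddr 82.160.189.125/0 gaddr A.B.C.D/0 laddr 10.10.3.10/0
%PIX-6-302021: Teardown ICMP connection for faddr 83.79.179.113/0 gaddr A.B.C.D/0 laddr 10.10.3.10/0
%PIX-6-302020: Built ICMP connection for faddr 198.51.100.21/0 gaddr A.B.C.D/0 laddr 10.10.3.10/0
%PIX-6-302021: Teardown ICMP connection for faddr 198.51.100.21/0 gaddr A.B.C.D/0 laddr 10.10.3.10/0
%PIX-6-302020: Built ICMP connection for faddr 198.51.100.77/0 gaddr A.B.C.D/0 laddr 10.10.3.10/0
%PIX-6-302020: Built ICMP connection for faddr 192.0.2.9/0 gaddr A.B.C.D/0 laddr 10.1.1.25/0
# constructed noise line that the parser must ignore
"""


def parse_line(line):
    """Return the message fields as a dict, or None for lines that are not 302020/302021."""
    m = ICMP_CONN_RE.search(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Per local address: build/teardown counts and the set of distinct foreign peers."""
    stats = defaultdict(lambda: {"built": 0, "teardown": 0, "peers": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        entry = stats[rec["laddr"]]
        entry["built" if rec["event"] == "Built" else "teardown"] += 1
        entry["peers"].add(rec["faddr"])
    return dict(stats)


def high_fanout_hosts(stats, min_peers):
    """Local addresses that exchanged ICMP with at least min_peers distinct foreign hosts."""
    return sorted(laddr for laddr, s in stats.items() if len(s["peers"]) >= min_peers)


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG.splitlines())
    for laddr, s in sorted(stats.items()):
        print(f"{laddr}: built={s['built']} teardown={s['teardown']} peers={len(s['peers'])}")
    print("hosts with many ICMP peers:", high_fanout_hosts(stats, min_peers=3))
```

The message itself does not say which side started the exchange, so read the result together with the outside ACL: here it admits echo-reply, time-exceeded and unreachable from any source, so every such packet that arrives for a translated inside host can produce one Built/Teardown pair regardless of whether that host ever sent anything.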

  2. In article <9Cs5g.10504$>,
    Scott Townsend <scott-i@.-N0-SPAMplease.enm.com> wrote:
    >On my Edge Router I have an Access list for ICMP as follows:


    >access-list 103 permit icmp any any time-exceeded
    >access-list 103 permit icmp any any port-unreachable
    >access-list 103 deny icmp any any
    >access-list 103 deny icmp any 0.0.0.0 255.255.255.0
    >access-list 103 deny icmp any 0.0.0.255 255.255.255.0
    >access-list 103 deny icmp any any redirect


    Which direction is that applied on?

    >I would like to be able to Initiate a Ping out from the 10.1.1.0/24, but not
    >from anywhere else, and would like to not allow anyone to Ping us.


    In the ACL applied out,

    permit icmp 10.1.1.0 0.0.0.255 any echo

    In the ACL applied in,

    permit icmp any PUBLIC_IP PUBLIC_MASK echo-reply

    [PUBLIC_IP PUBLIC_MASK for the case where you are NAT'ing, which you
    need to be doing because RFC1918 does not allow you to source packets
    in any of the reserved IP ranges past the edge of your network.]
     
    Walter Roberson, May 2, 2006
    #2
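Added example, not code from the thread: a Python model of IOS extended ACL evaluation (top to bottom, first match wins, implicit deny at the end) applied to access-list 103 as posted and to the two entries Walter suggests. PUBLIC_IP PUBLIC_MASK is filled with a constructed placeholder in documentation space (203.0.113.0 0.0.0.255), and the packets are invented. Besides showing why echo-replies to an outbound ping are dropped by the posted list, it includes a shadowing check: an entry that an earlier entry already covers can never match, which is the case for the three entries that follow `deny icmp any any`.

```python
import ipaddress

# IOS ICMP keywords used in the thread -> (ICMP type, ICMP code or None for "any code").
ICMP_KEYWORDS = {
    "echo": (8, None), "echo-reply": (0, None), "time-exceeded": (11, None),
    "unreachable": (3, None), "port-unreachable": (3, 3), "redirect": (5, None),
}


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


def _parse_addr(tokens):
    """Consume 'any', 'host X' or 'X WILDCARD' from the front of tokens; return (base, wildcard)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ("0.0.0.0", "255.255.255.255")
    if tok == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (tok, tokens.pop(0))


def parse_ace(line):
    """Parse '[access-list N] permit|deny icmp SRC DST [icmp-keyword]'."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]  # drop the keyword and the list number
    action, proto = tokens.pop(0), tokens.pop(0)
    src, dst = _parse_addr(tokens), _parse_addr(tokens)
    icmp = ICMP_KEYWORDS[tokens.pop(0)] if tokens else (None, None)
    return {"action": action, "proto": proto, "src": src, "dst": dst, "icmp": icmp}


def ace_matches(ace, pkt):
    if ace["proto"] != pkt["proto"]:
        return False
    if not (wildcard_match(pkt["src"], *ace["src"]) and wildcard_match(pkt["dst"], *ace["dst"])):
        return False
    t, c = ace["icmp"]
    return (t is None or t == pkt["type"]) and (c is None or c == pkt["code"])


def evaluate(acl_lines, pkt):
    """First match wins, top to bottom; no match hits the implicit deny (index None)."""
    for i, line in enumerate(acl_lines):
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"], i
    return "deny", None


def _covers(a1, a2):
    """True when the (base, wildcard) range a1 contains every address of a2."""
    b1, w1 = _ip(a1[0]), _ip(a1[1])
    b2, w2 = _ip(a2[0]), _ip(a2[1])
    care = ~w1 & 0xFFFFFFFF
    return (w1 | w2) == w1 and (b1 & care) == (b2 & care)


def shadowed_entries(acl_lines):
    """Indexes of entries that can never match because an earlier entry covers them."""
    aces = [parse_ace(l) for l in acl_lines]
    shadowed = []
    for j, later in enumerate(aces):
        for earlier in aces[:j]:
            t1, c1 = earlier["icmp"]
            t2, c2 = later["icmp"]
            type_covered = t1 is None or (t1 == t2 and (c1 is None or c1 == c2))
            if (earlier["proto"] == later["proto"] and type_covered
                    and _covers(earlier["src"], later["src"]) and _covers(earlier["dst"], later["dst"])):
                shadowed.append(j)
                break
    return shadowed


# Access list 103 exactly as posted (applied inbound on the WAN side).
ACL_103 = [
    "access-list 103 permit icmp any any time-exceeded",
    "access-list 103 permit icmp any any port-unreachable",
    "access-list 103 deny icmp any any",
    "access-list 103 deny icmp any 0.0.0.0 255.255.255.0",
    "access-list 103 deny icmp any 0.0.0.255 255.255.255.0",
    "access-list 103 deny icmp any any redirect",
]
# Walter's inbound entry, with a constructed placeholder for PUBLIC_IP PUBLIC_MASK,
# placed ahead of the blanket deny so that it can match at all.
PUBLIC_IP, PUBLIC_MASK = "203.0.113.0", "0.0.0.255"
ACL_103_FIXED = [f"permit icmp any {PUBLIC_IP} {PUBLIC_MASK} echo-reply"] + ACL_103
ACL_OUT = ["permit icmp 10.1.1.0 0.0.0.255 any echo"]  # Walter's outbound entry


def pkt(src, dst, icmp_type, code=0):
    return {"proto": "icmp", "src": src, "dst": dst, "type": icmp_type, "code": code}


if __name__ == "__main__":
    reply = pkt("198.51.100.7", "203.0.113.10", 0)  # echo-reply answering an outbound ping
    for name, acl in (("as posted", ACL_103), ("with echo-reply permit", ACL_103_FIXED)):
        print(f"{name}: inbound echo-reply -> {evaluate(acl, reply)}")
    print("inbound echo request:", evaluate(ACL_103, pkt("198.51.100.7", "203.0.113.10", 8)))
    print("entries of ACL 103 that never match:", shadowed_entries(ACL_103))
    print("outbound echo from 10.1.1.5:", evaluate(ACL_OUT, pkt("10.1.1.5", "198.51.100.7", 8)))
```

The two `0.0.0.0 255.255.255.0` and `0.0.0.255 255.255.255.0` entries match destinations whose last octet is 0 or 255 (the usual anti-smurf lines); the model reports them as shadowed only because `deny icmp any any` already precedes them, which is harmless here but worth knowing before anyone reorders the list. Placement of the permit entries relative to the blanket deny is the whole point: the model returns the index of the entry that decided each packet, so a change that silently stops matching shows up immediately.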

  3. > Which direction is that applied on?
    interface MFR0.672 point-to-point
    description WAN to SBC Internet Service
    ip access-group 103 in


    So should I be applying this to the MFR0 or Ethernet Interface??


    I think I have a Few Issues.

    I guess I have to assign a Static NAT IP to the Users I want to be able to
    Ping so the Edge Router knows who to let have the Ping Replies.

    Since the Edge router is not doing the NAT (I have a PIX behind it), it can't
    know which of the Public IPs is in the 10.1.1.0/24 network.

    Hmmm...

    Thank you!

    "Walter Roberson" <> wrote in message
    news:vGL5g.106651$WI1.61252@pd7tw2no...
    > In article <9Cs5g.10504$>,
    > Scott Townsend <scott-i@.-N0-SPAMplease.enm.com> wrote:
    >>On my Edge Router I have an Access list for ICMP as follows:

    >
    >>access-list 103 permit icmp any any time-exceeded
    >>access-list 103 permit icmp any any port-unreachable
    >>access-list 103 deny icmp any any
    >>access-list 103 deny icmp any 0.0.0.0 255.255.255.0
    >>access-list 103 deny icmp any 0.0.0.255 255.255.255.0
    >>access-list 103 deny icmp any any redirect

    >
    > Which direction is that applied on?
    >
    >>I would like to be able to Initiate a Ping out from the 10.1.1.0/24, but
    >>not from anywhere else, and would like to not allow anyone to Ping us.

    >
    > In the ACL applied out,
    >
    > permit icmp 10.1.1.0 0.0.0.255 any echo
    >
    > In the ACL applied in,
    >
    > permit icmp any PUBLIC_IP PUBLIC_MASK echo-reply
    >
    > [PUBLIC_IP PUBLIC_MASK for the case where you are NAT'ing, which you
    > need to be doing because RFC1918 does not allow you to source packets
    > in any of the reserved IP ranges past the edge of your network.]
     
    Scott Townsend, May 4, 2006
    #3
