icmp weirdness - PIX 501 (does any really mean any??)

Discussion in 'Cisco' started by news8080, Sep 23, 2005.

  1. news8080 (Guest)

    anyone care to take a poke at this?

    pix501(config)# sh access-list out_in
    access-list out_in; 5 elements
    access-list out_in line 1 permit tcp 192.168.4.0 255.255.255.0 interface outside object-group TCP-21-THRU-137
    access-list out_in line 1 permit tcp 192.168.4.0 255.255.255.0 interface outside range ftp 137 (hitcnt=0)
    access-list out_in line 2 permit udp 192.168.4.0 255.255.255.0 interface outside eq netbios-ns (hitcnt=0)
    access-list out_in line 3 permit tcp any interface outside eq 24 (hitcnt=0)
    access-list out_in line 4 permit icmp interface outside any object-group ICMP_REP
    access-list out_in line 4 permit icmp interface outside any echo-reply (hitcnt=0)
    access-list out_in line 5 deny ip any any (hitcnt=13)
    pix501(config)#

    pix501(config)# sh object-gr icmp-type
    object-group icmp-type ICMP_REP
    icmp-object echo-reply

    pix501(config)# sh nat
    nat (inside) 0 access-list NAT0
    nat (inside) 1 192.168.50.0 255.255.255.0 0 0

    pix501(config)# sh icmp
    icmp permit any unreachable outside
    icmp permit any echo-reply outside
    icmp deny any outside
    pix501(config)# ping 64.233.167.104
    64.233.167.104 response received -- 20ms
    64.233.167.104 response received -- 40ms
    64.233.167.104 response received -- 10ms

    ip audit signature 2000 disable


    Here is the syslog entry from when I ping 64.233.167.104 from 192.168.50.7:

    Sep 23 03:08:43 pix Sep 23 2005 09:57:31: %PIX-4-106023: Deny icmp src outside:64.233.167.104 dst inside:6.6.3.9 (type 0, code 0) by access-group "out_in"
    Sep 23 03:08:44 pix Sep 23 2005 09:57:32: %PIX-4-106023: Deny icmp src outside:64.233.167.104 dst inside:6.6.3.9 (type 0, code 0) by access-group "out_in"


    I can't ping Google from 192.168.50.7. I can browse to it (and all
    other websites) but just can't ping. And no, there is no firewall of any
    kind running on 192.168.50.7 that blocks anything.
     
    news8080, Sep 23, 2005
    #1

  2. Walter Roberson

    :anyone care to take a poke at this?
    :pix501(config)# sh access-list out_in
    You have the 'any' and 'interface outside' reversed.
    The outside interface is never going to generate packets that it
    tries to send "through" the PIX to "any" on the inside.
     
    Walter Roberson, Sep 23, 2005
    #2
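As an added illustration of the reply above (this is not from the thread, and Python is only standing in for the PIX): a small first-match model of PIX ACE evaluation, run over the original line 4 and over the corrected ordering. It assumes the inside host is translated to the outside interface address when its ping leaves (the matching `global` statement is not shown in the thread) and uses a placeholder for that address.

```python
import ipaddress

# Placeholder for the PIX's outside interface address (not shown in the
# thread). "interface outside" in a PIX ACE matches this address.
OUTSIDE_IF = ipaddress.ip_address("203.0.113.2")

def match_addr(spec, addr):
    """Match a PIX address spec: 'any', 'interface outside', or 'net mask'."""
    if spec == "any":
        return True
    if spec == "interface outside":
        return addr == OUTSIDE_IF
    net, mask = spec.split()
    return addr in ipaddress.ip_network(f"{net}/{mask}", strict=False)

def evaluate(acl, pkt):
    """First-match walk over ACEs of the form (action, proto, src, dst,
    icmp_type). Falling off the end is a deny, mirroring line 5."""
    for action, proto, src, dst, icmp_type in acl:
        if proto not in ("ip", pkt["proto"]):
            continue
        if not match_addr(src, pkt["src"]) or not match_addr(dst, pkt["dst"]):
            continue
        if icmp_type is not None and icmp_type != pkt["icmp_type"]:
            continue
        return action
    return "deny"

# Original line 4: source is the PIX's own outside address, destination any.
ORIGINAL = [("permit", "icmp", "interface outside", "any", "echo-reply")]
# Corrected per the reply: any source, destined to the outside interface,
# which is where the translated inside host's replies arrive.
CORRECTED = [("permit", "icmp", "any", "interface outside", "echo-reply")]

# Constructed echo-reply from the pinged host, as it arrives on the outside
# interface (addressed to the translated, not the inside, address).
REPLY = {"proto": "icmp", "src": ipaddress.ip_address("64.233.167.104"),
         "dst": OUTSIDE_IF, "icmp_type": "echo-reply"}

if __name__ == "__main__":
    print("original :", evaluate(ORIGINAL, REPLY))   # deny
    print("corrected:", evaluate(CORRECTED, REPLY))  # permit
```

Swapping `interface outside` and `any` back and forth while watching the result is the quickest way to see why the original line 4 never accumulated a hit count.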

  3. news8080 (Guest)

    That did it, thanks.
     
    news8080, Sep 23, 2005
    #3