basic pix 7.0(1) icmp question - Firewalls



Thread: basic pix 7.0(1) icmp question

  1. basic pix 7.0(1) icmp question

    this should not be a challenge...

    i want to deny icmp to the outside interface:

    access-list acl_outside; 4 elements
    access-list acl_outside line 1 extended permit tcp any host 1.2.3.4 eq ftp (hitcnt=3531)
    access-list acl_outside line 2 extended permit tcp any host 1.2.3.4 eq www (hitcnt=36336)
    access-list acl_outside line 3 extended permit tcp any host 1.2.3.4 eq 81 (hitcnt=2130)
    access-list acl_outside line 4 extended deny icmp any interface outside (hitcnt=0)

    my ping to the outside interface is still being answered...
    what's going on?

    PS:
    I would like to allow ping to inside host, and would add:

    access-list acl_outside extended permit icmp any host 1.2.3.4

    correct?

  2. Re: basic pix 7.0(1) icmp question

    mak wrote:
    > this should not be a challenge...
    >
    > i want to deny icmp to the outside interface:
    >
    > access-list acl_outside; 4 elements
    > access-list acl_outside line 1 extended permit tcp any host 1.2.3.4 eq
    > ftp (hitcnt=3531)
    > access-list acl_outside line 2 extended permit tcp any host 1.2.3.4 eq
    > www (hitcnt=36336)
    > access-list acl_outside line 3 extended permit tcp any host 1.2.3.4 eq
    > 81 (hitcnt=2130)
    > access-list acl_outside line 4 extended deny icmp any interface outside
    > (hitcnt=0)
    >
    > my ping to the outside interface is still being answered...
    > what's going on?
    >
    > PS:
    > I would like to allow ping to inside host, and would add:
    >
    > access-list acl_outside extended permit icmp any host 1.2.3.4
    >
    > correct?



    found the problem:
    icmp deny any outside

  3. Re: basic pix 7.0(1) icmp question


    > found the problem:
    > icmp deny any outside


    Doesn't this forbid any icmp message?

    like: "FRAGMENTATION_NEEDED_BUT_DF_SET", "Source_QUENCH" (ok, very
    seldom these days), "TIME_EXCEEDED", "PARAMETER PROBLEM", "DESTINATION
    UNREACHABLE".

    But you are probably sure that you want to do a blind network flight.

    Cheers,
    Jens

  4. Re: basic pix 7.0(1) icmp question

    Jens Hoffmann wrote:
    >> found the problem:
    >> icmp deny any outside

    >
    > Doesn't this forbid any icmp message?
    >
    > like: "FRAGMENTATION_NEEDED_BUT_DF_SET", "Source_QUENCH" (ok, very
    > seldom these days), "TIME_EXCEEDED", "PARAMETER PROBLEM", "DESTINATION
    > UNREACHABLE".
    >
    > But you are probably sure that you want to do a blind network flight.
    >
    > Cheers,
    > Jens

    yes it does, but customer wants it that way ...

  5. Re: basic pix 7.0(1) icmp question


    > yes it does, but customer wants it that way ...


    Make sure to have a small note signed that he is aware
    of the fact that he will have problems in the future.

    Cheers,
    Jens

  6. Re: basic pix 7.0(1) icmp question

    In article <5g6t6lF3fb58nU1@mid.uni-berlin.de>,
    Jens Hoffmann wrote:

    >> found the problem:
    >> icmp deny any outside


    >Doesn't this forbid any icmp message?


    >like: "FRAGMENTATION_NEEDED_BUT_DF_SET", "Source_QUENCH" (ok, very
    >seldom these days), "TIME_EXCEEDED", "PARAMETER PROBLEM", "DESTINATION
    >UNREACHABLE".


    Yes, but only to the PIX itself. The 'icmp' command only controls
    the ICMP messages that the PIX handles on its own behalf; for ICMP
    messages headed to hosts "inside", access-group has control.
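
    The distinction in the last reply, written out as a configuration (an added example, not posted by anyone in the thread). It assumes PIX 7.0(1), an interface named "outside", the inside server 1.2.3.4 from the thread, and a policy of "inside host answers pings, the PIX itself does not, but ICMP error types still pass".

```cisco
! Added example, not from the thread. Assumes PIX 7.0(1), interface "outside",
! inside server 1.2.3.4 (from the thread), and the policy described above.

! (1) Traffic THROUGH the PIX is controlled by access-list + access-group.
!     Only this part affects pings to the inside host 1.2.3.4.
access-list acl_outside extended permit tcp any host 1.2.3.4 eq ftp
access-list acl_outside extended permit tcp any host 1.2.3.4 eq www
access-list acl_outside extended permit tcp any host 1.2.3.4 eq 81
! Echo requests to the inside host; the reply leaves via the higher-security
! inside interface, so no extra rule is needed for it.
access-list acl_outside extended permit icmp any host 1.2.3.4 echo
access-group acl_outside in interface outside

! The original line 4 stays at hitcnt=0: packets addressed to the PIX's own
! interface address are never evaluated against the interface ACL.
! access-list acl_outside extended deny icmp any interface outside

! (2) Traffic TO the PIX's own outside address is controlled by "icmp".
!     Instead of "icmp deny any outside" (drops every type), drop only echo
!     and keep the error types Jens lists so path-MTU discovery and
!     traceroute still work. An icmp list ends in an implicit deny, so
!     anything not permitted below is still dropped.
icmp deny any echo outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp permit any parameter-problem outside
```

    Check with `show access-list acl_outside` (the echo line's hitcnt should rise when the inside host is pinged) and `show running-config icmp` for the interface list.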
