basic pix 7.0(1) icmp question

Posted by mak on July 18, 2007, 3:09 am
This should not be a challenge...

I want to deny ICMP to the outside interface:

access-list acl_outside; 4 elements
access-list acl_outside line 1 extended permit tcp any host 1.2.3.4 eq ftp (hitcnt=3531)
access-list acl_outside line 2 extended permit tcp any host 1.2.3.4 eq www (hitcnt=36336)
access-list acl_outside line 3 extended permit tcp any host 1.2.3.4 eq 81 (hitcnt=2130)
access-list acl_outside line 4 extended deny icmp any interface outside (hitcnt=0)

My ping to the outside interface is still being answered...
What's going on?

PS:
I would like to allow ping to an inside host, and would add:

access-list acl_outside extended permit icmp any host 1.2.3.4

correct?

Posted by mak on July 18, 2007, 6:15 am
mak wrote:
> This should not be a challenge...
>
> I want to deny ICMP to the outside interface:
>
> access-list acl_outside; 4 elements
> access-list acl_outside line 1 extended permit tcp any host 1.2.3.4 eq ftp (hitcnt=3531)
> access-list acl_outside line 2 extended permit tcp any host 1.2.3.4 eq www (hitcnt=36336)
> access-list acl_outside line 3 extended permit tcp any host 1.2.3.4 eq 81 (hitcnt=2130)
> access-list acl_outside line 4 extended deny icmp any interface outside (hitcnt=0)
>
> My ping to the outside interface is still being answered...
> What's going on?
>
> PS:
> I would like to allow ping to an inside host, and would add:
>
> access-list acl_outside extended permit icmp any host 1.2.3.4
>
> correct?

Found the problem:
icmp deny any outside

Posted by Jens Hoffmann on July 18, 2007, 12:24 pm
> Found the problem:
> icmp deny any outside

Doesn't this forbid any ICMP message?

like: "FRAGMENTATION_NEEDED_BUT_DF_SET", "Source_QUENCH" (ok, very
seldom these days), "TIME_EXCEEDED", "PARAMETER PROBLEM", "DESTINATION
UNREACHABLE".

But you are probably sure that you want to do a blind network flight.

Cheers,
Jens

Posted by mak on July 19, 2007, 1:49 am
Jens Hoffmann wrote:
>> Found the problem:
>> icmp deny any outside
>
> Doesn't this forbid any ICMP message?
>
> like: "FRAGMENTATION_NEEDED_BUT_DF_SET", "Source_QUENCH" (ok, very
> seldom these days), "TIME_EXCEEDED", "PARAMETER PROBLEM", "DESTINATION
> UNREACHABLE".
>
> But you are probably sure that you want to do a blind network flight.
>
> Cheers,
> Jens
Yes it does, but the customer wants it that way ...

Posted by Jens Hoffmann on July 19, 2007, 12:18 pm
> Yes it does, but the customer wants it that way ...

Make sure to have a small note signed that he is aware of the fact that he will have problems in the future.

Cheers,
Jens
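The configuration fragment below is an added example, not part of anyone's post in this thread. It shows why line 4 of acl_outside never matched (hitcnt=0): an interface access-list only filters traffic passing through the PIX, while ICMP addressed to one of its own interfaces is governed by the icmp command, so the blanket deny is kept there but the error types Jens lists are permitted first. The inspect icmp part assumes the default 7.0 policy-map and class-map names (global_policy, inspection_default).

```cisco
! Through-the-box traffic: the interface ACL applies here. Line 4 of the
! original acl_outside never matches pings aimed at the outside interface
! itself, which is why its hit count stays at 0.
access-list acl_outside extended permit icmp any host 1.2.3.4 echo
access-list acl_outside extended deny icmp any interface outside
access-group acl_outside in interface outside
!
! To-the-box ICMP: governed by the icmp command, evaluated top-down,
! first match wins. With no icmp rule at all, every type is accepted;
! with only "icmp deny any outside", every type is dropped.
! Keep the error messages that PMTU discovery and traceroute rely on,
! then drop everything else (echo included).
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp permit any parameter-problem outside
icmp deny any outside
!
! Stateful handling of through-the-box ICMP (7.0 and later) so the echo
! reply from 1.2.3.4 is matched to its request instead of needing a
! separate permit on the return path.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Verify: the rules above should be listed in this order.
show running-config icmp
```

After applying this, a ping to the outside interface address should time out while a ping to 1.2.3.4 still succeeds, and "show access-list acl_outside" should show the hit count on the echo permit line increasing.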
