Cisco Systems Pings and PIX messages 302020: Built ICMP - 302021: Teardown ICMP Lots of them....
Bookmark this page:  YahooMyWeb Yahoo!  Google Google  Windows Live Favorites Windows Live  del.icio.us del.icio.us  digg digg  Add to Netscape Netscape
Subject Author Date
Pings and PIX messages 302020: Built ICMP - 302021: Teardown ICMP Lots of them.... Scott Townsend 05-01-06
Posted by Scott Townsend on May 1, 2006, 2:40 pm
Please log in for more thread options
On my Edge Router I have an Access list for ICMP as follows:

access-list 103 permit icmp any any time-exceeded
access-list 103 permit icmp any any port-unreachable
access-list 103 deny   icmp any any
access-list 103 deny   icmp any 0.0.0.0 255.255.255.0
access-list 103 deny   icmp any 0.0.0.255 255.255.255.0
access-list 103 deny   icmp any any redirect


On the PIX Firewall, I have the Following:

access-list acl_outside extended permit icmp any any echo-reply
access-list acl_outside extended permit icmp any any time-exceeded
access-list acl_outside extended permit icmp any any unreachable

On my PIX log I get hundreds of the Following

%PIX-6-302020: Built ICMP connection for faddr 82.160.189.125/0 gaddr
A.B.C.D/0 laddr 10.10.3.10/0
%PIX-6-302021: Teardown ICMP connection for faddr 83.79.179.113/0 gaddr
A.B.C.D/0 laddr 10.10.3.10/0

The Address A.B.C.D/0 laddr 10.10.3.10/0 has been caught using a Sharing
program. I've turned off Port 6346/6347 on the Edge Router, but I'm still
getting the Built and Teardowns.

I would like to be able to Initiate a Ping out from the 10.1.1.0/24, but not
a from anywhere else and would like to not allow anyone to Ping us.

What should I change?

Thanks,
  Scott<-



Posted by Walter Roberson on May 2, 2006, 12:21 pm
Please log in for more thread options

Which direction is that applied on?


In the ACL applied out,

permit icmp 10.1.1.0 0.0.0.255 any echo

In the ACL applied in,

permit icmp any PUBLIC_IP PUBLIC_MASK echo-reply

[PUBLIC_IP PUBLIC_MASK for the case where you are NAT'ing, which you
need to be doing because RFC1918 does not allow you to source packets
in any of the reserved IP ranges past the edge of your network.]

Posted by Scott Townsend on May 4, 2006, 10:31 am
Please log in for more thread options

interface MFR0.672 point-to-point
 description WAN to SBC Internet Service
 ip access-group 103 in


So should I be applying this to the MFR0 or Ethernet Interface??


I think I have a Few Issues.

I guess I Have to assign a Static NAT IP to the Users I want to be able to
Ping so the Edge Router knows who to let have the Ping Replies.

Since the Edge router is not doing the NAT, I have a PIX behind it, it cant
know which of the Public IPs is in the 10.1.1.0/24 network.

Hmmm...

Thank you!



Similar ThreadsPosted
Pings and PIX messages 302020: Built ICMP - 302021: Teardown ICMP Lots of them.... May 1, 2006, 2:40 pm
ACL: Does "permit IP" allow ICMP traffic like pings? January 4, 2007, 12:01 pm
log messages about icmp denied June 13, 2010, 8:11 am
Up->Down messages related to ip sla icmp-echo when there are no apparent network issues April 29, 2009, 11:58 am
IP SLA - ICMP June 5, 2008, 3:55 am
icmp weirdness - PIX 501 (does any really mean any??) September 23, 2005, 10:12 am
timestamp ICMP ? April 16, 2006, 11:45 pm
ICMP pinging. October 3, 2006, 7:22 am
PIX 501 - allow icmp out but deny everything else out November 18, 2006, 1:49 am
PIX 6.3.4 - I have question on a VPN setup & ICMP August 26, 2005, 11:08 am
PIX7.x/ASA and icmp redirects April 19, 2006, 12:30 am
ICMP access list October 9, 2006, 10:55 am
Cisco icmp problems April 13, 2007, 12:32 pm
ICMP Redirect Query? February 24, 2008, 4:44 pm
ASA, static, icmp and inspect FTP August 22, 2008, 5:11 am
Latest PostsForumRSS
NEWS: Samsung takes on the Apple iPad with the 7 inch Galaxy... Wireless Networking
c3560 port configuration Cisco Systems
Broadband 2010: A Big Slowdown [telecom] General Telecommunications Forum
Control Hot Water Circ Pump With X10? General Home Automation
Official Course CCNP TSHOOT 642-832 / Foundation Learning Gu... Cisco Certification
Speedflow Communications Honored for Innovation Voice-Over-IP
USB _to_ RJ45 (not from) connection Ethernet LAN
FAQ: Maximizing cable modem or DSL speed Cable Modems
CASH FOR CISCO - I BUY USED AND NEW EQUIPMENT & LOTS MOR... Telecom Technical
FAQ: Maximizing cable modem or DSL speed Digital Subscriber Line
How to set up Meridian 1 to "provide clock" to a C... Nortel Networks
New Discovery about WDM LAN and Telecom Cabling
Control Hot Water Circ Pump With X10? Home Automation
Text file to automate restoring a dropped VPN connection. Virtual Private Networks
Home Theater Installation Home Theater
Re: The Turkic Languages in a Nutshell Fiber Optics
sip Video Conferencing
Residential Cabling Guide Home Cabling Guide

Finally, an instantly downloadable book that saves you thousands in home improvement dollars! Enjoy living in 21st century technology-advanced home while increasing its selling value and competitive advantage on the real estate market. Whether your cabling is for home office or high-tech leisure, you can wire your home yourself or learn "wirish" to speak with your cabling contractors in their language!

Click Here to learn more