basic pix 7.0(1) icmp question

this should not be a challenge...

I want to deny icmp to the outside interface:

access-list acl_outside; 4 elements
access-list acl_outside line 1 extended permit tcp any host 1.2.3.4 eq ftp (hitcnt=3531)
access-list acl_outside line 2 extended permit tcp any host 1.2.3.4 eq www (hitcnt=36336)
access-list acl_outside line 3 extended permit tcp any host 1.2.3.4 eq 81 (hitcnt=2130)
access-list acl_outside line 4 extended deny icmp any interface outside (hitcnt=0)

my ping to the outside interface is still being answered... what's going on?

PS: I would like to allow ping to inside host, and would add:

access-list acl_outside extended permit icmp any host 1.2.3.4

correct?

mak

found the problem: icmp deny any outside

mak

Doesn't this forbid any icmp message?

like: "FRAGMENTATION_NEEDED_BUT_DF_SET", "Source_QUENCH" (ok, very seldom these days), "TIME_EXCEEDED", "PARAMETER PROBLEM", "DESTINATION UNREACHABLE".

But you are probably sure that you want to do a blind network flight.

Cheers, Jens

Jens Hoffmann

yes it does, but customer wants it that way ...

mak

Make sure to have a small note signed that he is aware of the fact that he will have problems in the future.

Cheers, Jens

Jens Hoffmann

Yes, but only to the PIX itself. The 'icmp' command only controls the ICMP messages that the PIX handles on its own behalf; for ICMP messages headed to hosts "inside", access-group has control.

Walter Roberson
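The two mechanisms discussed in this thread, put together in one configuration fragment. This is an added example, not configuration posted by anyone in the thread: it assumes the interface is named "outside" and the published host is 1.2.3.4, as in the original question. The icmp command governs ICMP that terminates on the PIX itself, so it drops echo requests aimed at the outside interface address while still letting the PIX receive the unreachable, time-exceeded and parameter-problem messages that Jens points out are needed for path MTU discovery and traceroute. ICMP that is routed through to the inside host is governed only by the access-group ACL, so the echo permit for 1.2.3.4 lives there.

```cisco
! ICMP addressed to the PIX's own outside interface (icmp command, first match wins)
! Keep the error messages that let the firewall learn about path MTU and TTL expiry
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp permit any parameter-problem outside
! Everything else to the interface address, including echo requests, is dropped
icmp deny any outside

! ICMP routed through the PIX to the inside host is controlled by the access-group ACL
! Only echo (ping) is opened to the published host; echo-reply is handled by the
! ICMP inspection state, so it does not need its own entry
access-list acl_outside extended permit icmp any host 1.2.3.4 echo
access-group acl_outside in interface outside
```

After applying this, "show icmp" lists the interface-level rules and "show access-list acl_outside" shows hit counts on the echo line as pings to 1.2.3.4 pass, while pings to the outside interface address itself go unanswered.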
