PIX firewall 6.2

Posted on 2003-02-20
Last Modified: 2013-11-29
1. I'm not able to ping the DMZ interface from a machine connected to the PIX, though I am able to ping hosts in the DMZ zone. I think that since I am in a high-security zone, I should be able to ping the interface of a low-security zone such as the DMZ.

2. I don't have any conduits in my configuration. Is it mandatory to have the following command, and how do I interpret the command?
conduit permit icmp any any
Can you give me an equivalent access list?

3. How are debug messages viewed? Can I view them when I telnet into the PIX?

4. I want to make sure that the PIX is responding to denied ping connections by observing ICMP requests and replies. How do I do that? For example, when I ping the DMZ interface and get "request timed out" messages, I want to see the ICMP exchanges in the debug.

5. What do these mean? Please give a one-line description.
route outside 0 0 192.168.1.2 1

nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 192.168.1.2 1
Question by:net-geek

Expert Comment

by:lrmoore
ID: 7989085
1. This is a "feature" of the PIX. You cannot ping any outside interface from the inside.

2. The equivalent access-list:
access-list 101 permit icmp any any
access-group 101 in interface dmz

3. Turn on logging and log monitoring:
logging on
logging monitor

debug icmp

4. debug icmp

5. Line 1 is the same as line 3.
route outside 0 0 192.168.1.2 1 = set the default gateway: for every host of every network that I don't have a specific route for, forward to 192.168.1.2 with a metric of 1.
PIX will "shorten" "0.0.0.0 0.0.0.0" to "0 0".

nat (inside) 1 0.0.0.0 0.0.0.0 = NAT every packet coming from every host and every network on the inside interface to the address/pool defined in the "global (outside) 1" statement. Notice the common "1": (inside) 1 to (outside) 1.
You can set up multiple inside/outside combinations.

route outside 0.0.0.0 0.0.0.0 192.168.1.2 1 = see the explanation above; this is the longhand for "0 0 192.168.1.2 1".

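A small config-review script, added here and not written by either expert in the thread, that applies lrmoore's explanation to a constructed PIX 6.2 config fragment: it expands the "0 0" route shorthand, checks that every nat id has a matching global id, and flags an any-to-any ICMP permit (conduit or access-list form) so the broad rule is reviewed rather than forgotten after testing.

```python
import re

# Constructed PIX 6.2 config fragment (not the poster's actual config).
SAMPLE_CONFIG = """\
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 2 10.1.1.0 255.255.255.0
global (outside) 1 interface
route outside 0 0 192.168.1.2 1
access-list 101 permit icmp any any
access-group 101 in interface dmz
conduit permit icmp any any
"""

ROUTE_RE = re.compile(r"route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\d+))?$")
ICMP_ANY_RE = re.compile(r"(?:conduit|access-list\s+\S+)\s+permit\s+icmp\s+any\s+any$")


def expand_route(line):
    """Parse a route statement, expanding the PIX '0 0' shorthand to 0.0.0.0 0.0.0.0."""
    m = ROUTE_RE.match(line)
    if not m:
        return None
    iface, net, mask, gateway, metric = m.groups()
    return {
        "iface": iface,
        "network": "0.0.0.0" if net == "0" else net,
        "mask": "0.0.0.0" if mask == "0" else mask,
        "gateway": gateway,
        "metric": int(metric) if metric else 1,  # PIX defaults the metric to 1
    }


def audit(config):
    """Return expanded routes plus findings on nat/global pairing and broad ICMP permits."""
    routes, findings = [], []
    nat_ids, global_ids = set(), set()
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("nat ("):
            nat_ids.add(line.split()[2])       # "nat (inside) 1 ..." -> id "1"
        elif line.startswith("global ("):
            global_ids.add(line.split()[2])    # "global (outside) 1 ..." -> id "1"
        elif line.startswith("route "):
            routes.append(expand_route(line))
        elif ICMP_ANY_RE.match(line):
            findings.append("ICMP permitted from any to any: " + line)
    # lrmoore's point: a nat id only works when a global statement carries the same id.
    for nid in sorted(nat_ids - global_ids):
        findings.append(f"nat id {nid} has no matching global statement")
    return {"routes": routes, "findings": findings}
```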
 

Author Comment

by:net-geek
ID: 7989199
1.
"This is a "feature" of the PIX. You cannot ping any outside interface from the inside."

But then how am I able to ping hosts in the DMZ zone?

2.
access-list 101 permit icmp any any
access-group 101 in interface dmz

Why have you written just "dmz" and not the inside interface as well? And is it mandatory for me to be able to do "debug icmp"? Would I be compromising security if I allow ICMP packets from anywhere to flow into my network?

 

Expert Comment

by:cbruce8
ID: 7989386
I prefer the conduit commands myself, and I do not enable icmp for any longer than required for testing.

ter mon
(to send debug output to current telnet session)
(note that PIX does strange things when > 1 session open)

debug icmp trace

(will send ping debugs)

See above for the rest.
 

Author Comment

by:net-geek
ID: 7990395
Thanks cbruce8 and lrmoore,

I cannot give either of you the points as both of you gave partial answers; however, whoever tells me how to change from the failover PIX to the primary PIX, I would give him the points.

I have just joined this job and the activity link is red on the failover firewall. I want to make the primary firewall active. How do I do so?

What do I need to check before doing so? Please give a step-by-step answer if needed.
 

Author Comment

by:net-geek
ID: 7993176
I did not post the message repeatedly, but still I am sorry. I have informed the people concerned about this.
 

Accepted Solution

by:
lrmoore earned 200 total points
ID: 7996462