Solved

PIX firewall 6.2

Posted on 2003-02-20
Medium Priority
Last Modified: 2013-11-29
1. I'm not able to ping the DMZ interface from a machine connected to the PIX, though I am able to ping hosts in the DMZ zone. I think that since I'm in the high-security zone, I should be able to ping the interface on a low-security zone such as the DMZ.

2. I don't have any conduits in my configuration. Is it mandatory to have the following command, and how do I interpret it?
conduit permit icmp any any
Can you give me an equivalent access list?

3. How are debug messages viewed? Can I view them when I telnet into the PIX?

4. I want to make sure that the PIX is responding to denied ping connections by observing ICMP requests and replies. How do I do that? For example, when I ping the DMZ interface and get "request timed out" messages, I want to see the ICMP exchanges in the debug output.

5. What do these mean? Please give a one-line description of each:
route outside 0 0 192.168.1.2 1

nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 192.168.1.2 1
Question by: net-geek

LVL 79

Expert Comment

by:lrmoore
ID: 7989085
1. This is a "feature" of the PIX. You cannot ping any outside interface from the inside.

2. The equivalent access-list:
access-list 101 permit icmp any any
access-group 101 in interface dmz

3. Turn on logging and log monitoring:
logging on
logging monitor

debug icmp trace

4. debug icmp trace

5. Line 1 is the same as line 3.
route outside 0 0 192.168.1.2 1 = set the default gateway: every host of every network that I don't have a specific route for is forwarded to 192.168.1.2 with a metric of 1.
The PIX will "shorten" "0.0.0.0 0.0.0.0" to "0 0".

nat (inside) 1 0.0.0.0 0.0.0.0 = NAT every packet coming from every host and every network on the inside interface to the address/pool defined in the "global (outside) 1" statement. Notice the common "1": (inside) 1 pairs with (outside) 1.
You can set up multiple inside/outside combinations.

route outside 0.0.0.0 0.0.0.0 192.168.1.2 1: see the explanation above; this is the longhand for "0 0 192.168.1.2 1".

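The conduit-to-access-list conversion and the "0 0" shorthand described in the answer above can be checked mechanically. The Python script below is an added example written for this page; it is not code from the thread, from lrmoore, or from Cisco. It expands the shorthand, turns a conduit into the equivalent access-list / access-group pair (a conduit names the global, i.e. destination, side first, while an access-list names the source first, so the two address groups swap places), explains route lines, and pairs nat and global statements by their shared id. Everything in the sample config apart from the lines quoted from the question (the global pool, the TCP conduit, the interface names it uses) is constructed for the example.

```python
"""Small interpreter for the PIX 6.x lines discussed in the thread.
Added example, not code from the thread or from Cisco."""

ANY = ("0.0.0.0", "0.0.0.0")
PORT_OPS = {"eq": 1, "neq": 1, "lt": 1, "gt": 1, "range": 2}  # operator -> argument count


def take_addr(tok, i):
    """Consume one address spec at tok[i]: "any", "host X", "0 0" or "ADDR MASK".
    Returns ((addr, mask), next_index). A bare "0" is the PIX shorthand for 0.0.0.0."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (tok[i + 1], "255.255.255.255"), i + 2
    addr, mask = tok[i], tok[i + 1]
    addr = "0.0.0.0" if addr == "0" else addr
    mask = "0.0.0.0" if mask == "0" else mask
    return (addr, mask), i + 2


def take_ports(tok, i):
    """Consume an optional port operator (eq 80, range 1024 65535, ...)."""
    if i < len(tok) and tok[i] in PORT_OPS:
        n = PORT_OPS[tok[i]] + 1
        return tok[i:i + n], i + n
    return [], i


def fmt(addr_mask):
    """Render an (addr, mask) pair back in the usual PIX spelling."""
    addr, mask = addr_mask
    if addr_mask == ANY:
        return "any"
    if mask == "255.255.255.255":
        return f"host {addr}"
    return f"{addr} {mask}"


def conduit_to_acl(conduit, acl_id, interface):
    """conduit permit|deny PROTO GLOBAL [op port] FOREIGN [op port] [icmp_type]
    becomes
      access-list ID permit|deny PROTO FOREIGN [op port] GLOBAL [op port] [icmp_type]
      access-group ID in interface IFACE
    The conduit lists the global (destination) side first; an access-list lists
    the source first, so the two address groups swap places."""
    tok = conduit.split()
    if len(tok) < 5 or tok[0] != "conduit" or tok[1] not in ("permit", "deny"):
        raise ValueError(f"not a conduit statement: {conduit!r}")
    action, proto = tok[1], tok[2]
    glob, i = take_addr(tok, 3)
    gports, i = take_ports(tok, i)
    foreign, i = take_addr(tok, i)
    fports, i = take_ports(tok, i)
    trailer = tok[i:]  # icmp_type, if present
    acl = ["access-list", acl_id, action, proto, fmt(foreign), *fports, fmt(glob), *gports, *trailer]
    return [" ".join(acl), f"access-group {acl_id} in interface {interface}"]


def explain_route(line):
    """route IFACE NET MASK GATEWAY [METRIC]; "0 0" and "0.0.0.0 0.0.0.0" read the same."""
    tok = line.split()
    if tok[0] != "route":
        raise ValueError(f"not a route statement: {line!r}")
    iface = tok[1]
    (net, mask), i = take_addr(tok, 2)
    gateway = tok[i]
    metric = tok[i + 1] if len(tok) > i + 1 else "1"  # the PIX defaults the metric to 1
    if (net, mask) == ANY:
        return (f"default route: traffic with no more specific route leaves {iface} "
                f"via {gateway} (metric {metric})")
    return f"route to {net} {mask}: leaves {iface} via {gateway} (metric {metric})"


def nat_global_pairs(config):
    """Group nat and global statements by nat id, e.g. nat (inside) 1 <-> global (outside) 1.
    Id 0 means "no translation" on the PIX, so it is reported with an empty global list."""
    nats, globs = {}, {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 3 or not tok[1].startswith("("):
            continue
        iface, nat_id = tok[1].strip("()"), tok[2]
        if tok[0] == "nat":
            local, _ = take_addr(tok, 3)
            nats.setdefault(nat_id, []).append((iface, fmt(local)))
        elif tok[0] == "global":
            globs.setdefault(nat_id, []).append((iface, " ".join(tok[3:])))
    return {nid: {"nat": nats[nid], "global": globs.get(nid, [])} for nid in nats}


# Constructed sample config: the nat and route lines come from the question,
# the global pool lines are made up for the example.
SAMPLE_CONFIG = """\
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 192.168.1.10-192.168.1.20 netmask 255.255.255.0
global (outside) 1 192.168.1.21 netmask 255.255.255.0
route outside 0 0 192.168.1.2 1
"""

if __name__ == "__main__":
    for out in conduit_to_acl("conduit permit icmp any any", "101", "dmz"):
        print(out)
    for out in conduit_to_acl("conduit permit tcp host 192.168.1.5 eq 80 any", "102", "outside"):
        print(out)
    print(explain_route("route outside 0 0 192.168.1.2 1"))
    print(nat_global_pairs(SAMPLE_CONFIG))
```

Run it directly to print the translations; for the thread's conduit it emits exactly the two lines given in the answer. One caveat the script makes visible: a conduit applies to traffic arriving on every lower-security interface, whereas an access-group binds the list to one named interface, so a conduit with several lower-security interfaces needs one access-group per interface to keep the same behaviour.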
 

Author Comment

by:net-geek
ID: 7989199
1.
"This is a "feature" of the PIX. You cannot ping any outside interface from the inside."

But then how am I able to ping hosts in the DMZ zone?

2.
access-list 101 permit icmp any any
access-group 101 in interface dmz

Why have you written just "dmz" and not the inside interface as well? And is it mandatory for me to be able to do debug icmp? Would I be compromising security if I allow ICMP packets from anywhere to flow into my network?


Expert Comment

by:cbruce8
ID: 7989386
I prefer the conduit commands myself, and I do not enable ICMP for any longer than required for testing.

ter mon
(to send debug output to current telnet session)
(note that PIX does strange things when > 1 session open)

debug icmp trace

(will send ping debugs)

see above for the rest
Author Comment

by:net-geek
ID: 7990395
Thanks cbruce8 and lrmoore,

I cannot give either of you the points, as both of you gave partial answers. However, whoever tells me how to change from the failover PIX to the primary PIX, I will give him the points.

I have just joined this job and the activity link is red on the failover firewall. I want to make the primary firewall active. How do I do so?

What do I need to check before doing so? Please give a step-by-step answer if needed.
Author Comment

by:net-geek
ID: 7993176
I did not post the message repeatedly, but still I am sorry. I have informed the people concerned about this.

LVL 79

Accepted Solution

by:
lrmoore earned 200 total points
ID: 7996462