Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Cisco Pix Firewall Logs

Posted on 2003-12-04
9
519 Views
Last Modified: 2010-04-17
Hey all,

I have a quick question. I am notcing A LOT of ICMP deny request on my external interface on my router.
Should I be concerned?

here is a portion of the log

Deny inbound icmp src outside 63.214.225.229 dst inside 63.x.x.x (type 8, Code 0)
0
Comment
Question by:ShinCat
  • 3
  • 2
  • 2
  • +2
9 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 125 total points
ID: 9876660
Everyone on the planet is knocking on your door with pings. This is just part of being on the Internet, and reconnaissance attempts.
As long as they are denied packets, you've nothing to worry about.
If you start seeing a pattern of specific source IP addresses, what I do is put a deny entry into the router acl so the firewall never even sees the icmp packet.
0
 
LVL 12

Expert Comment

by:Scotty_cisco
ID: 9876663
ShinCat;

This is pretty normal if you are denying ICMP traffic and given that many people will do a ping sweep of an entire subnet before they run port scans you could see a deny for every attempt accross your address range.  I would not worry that much about it unless there are a large number comming from the same source (say 100 or so an hour).  

Thanks
Scott
0
 
LVL 3

Expert Comment

by:sheahmed
ID: 9880234

surely ur concern, beside a security threat ... such icmp attacks are utilizing your cpu as well as memory resources ... i 'll recommend you to monitor your internal network for the same ...

there are two types of icmp packets ...

- echo:  Request ... (ping)
- echo-reply:  Response in result of Request ... (ping response)

permit icmp only from recognized sources and for specific destinations destinations ... if necessary ... otherwise block icmp along with other vulnerable ports (i.e. netbios, etc)

worm could be ...
- http://vil.nai.com/vil/content/v_100559.htm


probably the worm could be nachi ... check out more about it ...
- www.sans.org/rr/papers/60/477.pdf

hope this stuff is useful for you ...

Regards,
Sheeraz Ahmed
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 3

Expert Comment

by:sheahmed
ID: 9880280

Type 8 Code 0 Echo Request (ping) - means it sends you a packet, which should be directly replyed by/with a: echo reply

0
 
LVL 7

Expert Comment

by:NicBrey
ID: 9880550
Agree, nothing to worry about unless you start seeing a pattern.

Sheeraz,
Probably the most well known ICMP packets are "echo request" and "echo reply", but there is a lot more than 2 types of ICMP packets.

http://www.iana.org/assignments/icmp-parameters
0
 
LVL 3

Expert Comment

by:sheahmed
ID: 9880846

thanks for the correction ... yes there are icmp packet types each with its own format ...
like ...

 0 -  Echo Reply
 3 - Destination Unreachable
 4 - Source Quench
 5 - Redirect (Change Route)
 8 - Echo Request
11 - Time Exceeded
12 - Parameter Problem in Datagram
14 - Timestamp Request

shincat you can see the description of 0 and 8 here ... NicBrey, most of the time i have met the same echo attacks ...

0
 

Author Comment

by:ShinCat
ID: 9888984
lrMoore

You are the Cisco Ninja!

Are you a CCIE? I want to thank you for all your past help you have given me. In fact I think all the past help you have given me has been all Cisco help.
If you are anywhere near Atlanta Georgia there is a steak dinner waiting for you.
You are truely a professional above and beyond.
0
 

Author Comment

by:ShinCat
ID: 9889006
To all the others who replied I want to thank you also.

All your answers were helpful and it adds value to this thread, but it was lrmoore who responded first in a timely fashion.

Scotty_Cisco you responded at the same time bu lrmoore was faster.
I thank you also. I hope in the future I can award you some points also.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9889915
Not CCIE yet. Passed the written, waiting to take the PE.

I'm not too far from Atlanta, in AL. I go through the ATL airport all the time, though.
There's a saying here: "when you die and go to heaven - you're going through Atlanta"
0

Featured Post

Portable, direct connect server access

The ATEN CV211 connects a laptop directly to any server allowing you instant access to perform data maintenance and local operations, for quick troubleshooting, updating, service and repair.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
How do I modify Ubigate for new ISP? 2 102
Move configuration from Cisco 3560 to 3750X 6 56
Viber-Only Restriction 6 57
snmp-server enable traps gdoi ks-rekey-pushed 3 21
Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

791 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question