[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 719
  • Last Modified:

PIX501 Disable Ping from outside network

Dear Experts

My company has a sbs2000 server running mainly for ERP application.
, Citrix Metaframe XP presentation sever has also been installed
for our remote users access.
(Server Internal IP: 192.168.0.250)

We have a PIX501 firewall installed. (PIX Internal IP: 192.168.0.1)
I have opened tcp port 3389 for remote desktop for administrator works.
Web server is running just for internal, not outside. SQL 2000 server is runnning too.(no exchange server, no ftp server)
Last month I needed to access from home to my company's SQL 2000 server for some programming works,
so I have enabled tcp port 1433. Everything work fine until this weekend there is a huge inbound traffic into the server,
part of the reason as our firewall still accept PING from outside.

>>>built inbound tcp connection 35504 for outside:218.38.30.188 (ns.thundernet.co.kr) /12033 (218.38.30.188 (ns.thundernet.co.kr) /12033) to inside:192.168.0.250 (uuuu.xx.local) /1433 (aaa.bbb.ccc.ddd (uuuu.xx.local) /1433)
>>>teardown tcp connection 35504 for outside:218.38.30.188 (ns.thundernet.co.kr) /12033 to inside:192.168.0.250 (uuuu.xx.local) /1433 duration 0:00:01 bytes 254 tcp fins

Just in case anything happen, I have temporary removed port 1433 now.

I would like to know how to disable PING from outside (but I can till ping from inside)
but not impair my ability to communicate to outside world?
As I'm very new to PIX firewall, I really need some expert advice before I actually mess up my company network.

Many many thanks in advance.

Regards,

csvchou


Our PIX 501 config:

Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxxxxx encrypted
hostname YYYYYY
domain-name XXXXX
clock timezone HKST 8
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit tcp any host aaa.bbb.ccc.ddd eq 3389
access-list 101 permit tcp any host aaa.bbb.ccc.ddd eq citrix-ica
access-list 101 permit udp any host aaa.bbb.ccc.ddd eq 1604
pager lines 24
logging on
logging timestamp
logging trap informational
logging history warnings
logging facility 23
logging host inside 192.168.0.250
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.0.250 255.255.255.255 inside
pdm location kkk.bbb.ccc.ddd 255.255.255.255 inside
pdm location kkk.bbb.ccc.ddd 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp aaa.bbb.ccc.ddd 3389 192.168.0.250 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp aaa.bbb.ccc.ddd citrix-ica 192.168.0.250 citrix-ica netmask 255.255.255.255 0 0
static (inside,outside) udp aaa.bbb.ccc.ddd 1604 192.168.0.250 1604 netmask 255.255.255.255 0 0
access-group 101 in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname xxxxxxxxxx@NWTBB.COM
vpdn group pppoe_group ppp authentication pap
vpdn username xxxxxxxxxx@NWTBB.COM password *********
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:8794b9c624308ceaec03fa0108195bd9
: end

0
csvchou
Asked:
csvchou
2 Solutions
 
lrmooreCommented:
To disable icmp on the interface, simply add the following command:
  icmp deny any outside

Blocking ICMP will not prevent port scans. Leaving well-known ports (i.e. tcp 1433 SQL) open is the issue. Anytime you open up any port to any server, be 200% positive that your server is protected with latest patches and best practices, and change the default port if you can (security by obscurity)...

0
 
martapCommented:

and open port 1433 only to selective IP addresses and not to any.
0
 
csvchouAuthor Commented:
It works!! now no one can PING our outside IP

   icmp deny any outside

I've added the following lines (quote from lrmoore's old solution) so that we can PING from inside

   access-list uart permit icmp any any echo-reply
   access-list uart permit icmp any any unreachable
   access-list uart permit icmp any any time-exceeded

martap is right, I should open port 1433 to selective IP
I've asked them to split points, 400 for lrmoore, 100 for martap
Thanks for fixing my problem in such short time. :)
0

Featured Post

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot has fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now