imherson

Pix 501

I'm attempting to use a firewall (PIX 501) to accomplish the following:

Keep a PC outside our network because a vendor dials into it for application maintenance.  We don't want him in our network.  The PC is configured with a private IP (192.168.0.3 255.255.255.0) but should be reachable from inside our Class B network (138.187.0.0) via an IP (138.187.31.97) [I can ping it now using 138.187.31.97, but I would like to be able to remote desktop to it.  If that can be done then I might also want it to get WUs and NVirus updates from our network inside but this is not a priority]

When I attempt to remote to the PC outside I get messages like:  "There are currently no logon servers available to service the logon request" but I can remote to this PC if it is moved to the inside network and configured with one of our IPs such as 138.187.31.97.

I can ping the pix from the inside using 138.187.32.47.  I can ping the pix from outside using 192.168.0.1.  I can ping everything on our inside network from the outside PC.  [I know this is not good but my main interest for this question is to be able to remote to the PC outside.]

Below is the last config I applied.  Below that is the screen text that came back with a couple of messages when I applied the config.

LAST CONFIG APPLIED:
pix# show config
: Saved
: Written by enable_15 at 12:50:56.457 UTC Thu Dec 2 2004
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 inside security100
nameif ethernet1 outside security0
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit ip any host 138.187.31.97
access-list outside_in permit icmp any any
access-list inside_in permit udp any any eq domain
access-list inside_in permit icmp any any
pager lines 24
logging on
logging console errors
logging monitor debugging
logging buffered debugging
mtu inside 1500
mtu outside 1500
ip address inside 192.168.0.1 255.255.255.0
ip address outside 138.187.32.47 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 138.187.31.97 192.168.0.3 netmask 255.255.255.255 0 0
access-group inside_in in interface inside
access-group outside_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 60
ssh timeout 60
console timeout 0
terminal width 100
Cryptochecksum:ccaed19464c5cd922e327549500a19d3

SCREEN TEXT
pixfirewall# conf t
pixfirewall(config)# interface ethernet0 auto
pixfirewall(config)# interface ethernet1 100full
pixfirewall(config)# nameif ethernet0 inside security100
interface 1 name "inside" swapped with interface 0 name "outside"
pixfirewall(config)# nameif ethernet1 outside security0
pixfirewall(config)# hostname pix
pix(config)# fixup protocol dns maximum-length 512
pix(config)# fixup protocol ftp 21
pix(config)# fixup protocol h323 h225 1720
pix(config)# fixup protocol h323 ras 1718-1719
pix(config)# fixup protocol http 80
pix(config)# fixup protocol ils 389
pix(config)# fixup protocol rsh 514
pix(config)# fixup protocol rtsp 554
pix(config)# fixup protocol sip 5060
pix(config)# fixup protocol sip udp 5060
pix(config)# fixup protocol skinny 2000
pix(config)# fixup protocol smtp 25
pix(config)# fixup protocol sqlnet 1521
pix(config)# fixup protocol tftp 69
pix(config)# names
pix(config)# access-list outside_in permit ip any host 138.187.31.97
pix(config)# access-list outside_in permit icmp any any
pix(config)# access-list inside_in permit udp any any eq domain
pix(config)# access-list inside_in permit icmp any any
pix(config)# pager lines 24
pix(config)# logging on
pix(config)# logging console errors
pix(config)# logging monitor debugging
pix(config)# logging buffered debugging
pix(config)# mtu outside 1500
pix(config)# mtu inside 1500
pix(config)# ip address inside 192.168.0.1 255.255.255.0
pix(config)# ip address outside 138.187.32.47 255.255.0.0
pix(config)# ip audit info action alarm
pix(config)# ip audit attack action alarm
pix(config)# pdm history enable
pix(config)# arp timeout 14400
pix(config)# global (outside) 1 interface
outside interface address added to PAT pool
pix(config)# nat (inside) 1 0.0.0.0 0.0.0.0 0 0
pix(config)# static (inside,outside) 138.187.31.97 192.168.0.3 netmask 255.255$
pix(config)# access-group outside_in in interface outside
pix(config)# access-group inside_in in interface inside
pix(config)# timeout xlate 3:00:00
pix(config)# timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 $
pix(config)# timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
pix(config)# timeout uauth 0:05:00 absolute
pix(config)# aaa-server TACACS+ protocol tacacs+
pix(config)# aaa-server RADIUS protocol radius
pix(config)# aaa-server LOCAL protocol local
pix(config)# no snmp-server location
pix(config)# no snmp-server contact
pix(config)# snmp-server community public
pix(config)# no snmp-server enable traps
pix(config)# floodguard enable
pix(config)# telnet timeout 60
pix(config)# ssh timeout 60
pix(config)# console timeout 0
pix(config)# terminal width 100
pix(config)# write mem
Building configuration...
Cryptochecksum: ccaed194 64c5cd92 2e327549 500a19d3
[OK]
pix(config)# reload
Proceed with reload? [confirm]



Rebooting....

grblades

Hi imherson,
Can you log into the PIX and do 'show run' to show the actual running configuration?

In the config everything from your network to this PC is permitted so I don't understand why it is not working.

imherson

ASKER

pix(config)# show config
: Saved
: Written by enable_15 at 12:50:56.457 UTC Thu Dec 2 2004
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 inside security100
nameif ethernet1 outside security0
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit ip any host 138.187.31.97
access-list outside_in permit icmp any any
access-list inside_in permit udp any any eq domain
access-list inside_in permit icmp any any
pager lines 24
logging on
logging console errors
logging monitor debugging
logging buffered debugging
mtu inside 1500
mtu outside 1500
ip address inside 192.168.0.1 255.255.255.0
ip address outside 138.187.32.47 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 138.187.31.97 192.168.0.3 netmask 255.255.255.255 0 0
access-group inside_in in interface inside
access-group outside_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 60
ssh timeout 60
console timeout 0
terminal width 100
Cryptochecksum:ccaed19464c5cd922e327549500a19d3

imherson

ASKER

I rebuilt the server this morning and it does work after all!!!!

grblades

That's good. If you post in the support section you can ask for a points refund.

imherson

ASKER

Thanks.  I wasn't aware of the spending limit.  Still, I'd like to tweak this config a bit more with you if you're game:

1.  Although I can remote to the PC outside, I cannot logon with domain-level accounts unless the profile is already locally cached ("The domain beach is not available") and when I read the permissions to files that I had previously assigned domain accounts to, they appear as "\S-1-5-21-1621886-1693881etc"

2.  Does this config address the Windows and NVIRUS updates? lmoore had said that Window Updates (we have a SUS server on our network) would require ports 443 and 80 and that NVIRUS might use port 21 (https://www.experts-exchange.com/questions/21226521/501-Pix-config.html)  I won't know until Monday whether the PC is getting NVIRUS updates, but since I put the PC outside a couple of hours ago, the Window Updates log has not shown any more successful queries despite restarting the service and advancing the date.

3.  If we get past 1 & 2 then I might want to limit the ability of the PC outside from pinging hosts on the outside network (so long as this doesn't compromise anything we have accomplished already)

We can make the questions separate or do them together. Whatever you feel is fair.  Otherwise, thanks for your expert help so far.

grblades

1) If you tell me the IP address of the domain controller I will give you the additional commands to enable it to connect and authenticate against it.

2) No. Again tell me the server's IP and I will tell you the commands you need to add to enable http, https and ftp. Alternatively if the update server is on the Internet you might wish to allow this machine to access any machine via web/ftp.

3) That can be done.

imherson

ASKER

1) 138.187.31.26
2) 138.187.31.52 (For now ftp, http & https). Alternatively, could you indicate what command might be used IF LATER ON we only wanted https available from this PC.  We're not setup for that now.
3) great

imherson

ASKER

 Do I need to use a special client to authenticate to the pix?  I have left the enable password blank since the first day when I set it several times and was unable to authenticate to it until I used a password recovery file with a TFTP server.

grblades

1)
object-group service windows_udp udp
port-object range 135 139
exit
object-group service windows_tcp tcp
port-object range 135 139
port-object eq 445
exit
access-list inside_in permit udp any host 138.187.31.26 object-group windows_udp
access-list inside_in permit tcp any host 138.187.31.26 object-group windows_tcp

2)
object-group service vscanupdate tcp
port-object eq www
port-object eq https
port-object eq ftp
exit
access-list inside_in permit tcp any host 138.187.31.52 object-group vscanupdate

At a later date if you want the virus updates to be done over https only then just remove http and ftp from the object group :-
object-group service vscanupdate tcp
no port-object eq www
no port-object eq ftp

I am using object-groups which is a fairly new addition and is a nice way of creating groups of ports. It makes the access-lists shorter and easier to read.
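
An added example (not part of the thread and not Cisco code): a small Python model of first-match evaluation for the `inside_in` list, built from the two entries in the original config plus the commands in the post above. It shows that `port-object range 135 139` is compared with the destination port only, never with an address, and that any flow no entry matches falls to the implicit deny; source-port operators and ICMP types are not modelled, and the function names and sample flows are constructed.

```python
import ipaddress

# inside_in as it stands after the commands above (taken from the thread).
CONFIG = """\
access-list inside_in permit udp any any eq domain
access-list inside_in permit icmp any any
object-group service windows_udp udp
port-object range 135 139
exit
object-group service windows_tcp tcp
port-object range 135 139
port-object eq 445
exit
access-list inside_in permit udp any host 138.187.31.26 object-group windows_udp
access-list inside_in permit tcp any host 138.187.31.26 object-group windows_tcp
object-group service vscanupdate tcp
port-object eq www
port-object eq https
port-object eq ftp
exit
access-list inside_in permit tcp any host 138.187.31.52 object-group vscanupdate
"""

# Port keywords used on this page, mapped to their numbers.
PORT_NAMES = {"domain": 53, "www": 80, "https": 443, "ftp": 21,
              "netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139}


def port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def port_spec(toks):
    """Turn ['eq', p] or ['range', lo, hi] into an inclusive (lo, hi) pair."""
    if toks[0] == "eq":
        return (port(toks[1]), port(toks[1]))
    if toks[0] == "range":
        return (port(toks[1]), port(toks[2]))
    raise ValueError("unsupported port operator: " + toks[0])


def take_addr(toks):
    """Consume 'any', 'host A' or 'A MASK'; return (network, remaining tokens)."""
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32"), toks[2:]
    return ipaddress.ip_network(toks[0] + "/" + toks[1]), toks[2:]


def parse(config):
    """Return {acl_name: [entry, ...]} with object-groups expanded to port pairs."""
    groups, acls, current = {}, {}, None
    for line in config.splitlines():
        toks = line.split()
        if not toks or toks[0] == "exit":
            current = None
        elif toks[:2] == ["object-group", "service"]:
            current = groups.setdefault(toks[2], [])
        elif toks[0] == "port-object" and current is not None:
            current.append(port_spec(toks[1:]))
        elif toks[0] == "access-list":
            current = None
            name, action, proto = toks[1:4]
            src, rest = take_addr(toks[4:])
            dst, rest = take_addr(rest)
            if not rest:
                ports = None                  # no port test (e.g. icmp any any)
            elif rest[0] == "object-group":
                ports = groups[rest[1]]       # destination ports from the group
            else:
                ports = [port_spec(rest)]
            acls.setdefault(name, []).append(
                (action, proto, src, dst, ports, line.strip()))
    return acls


def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry wins; no match means the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, s, d, ports, text in acl:
        if p not in ("ip", proto) or src not in s or dst not in d:
            continue
        if ports is not None and (
                dport is None or not any(lo <= dport <= hi for lo, hi in ports)):
            continue
        return action, text
    return "deny", "implicit deny at end of access-list"


if __name__ == "__main__":
    acl = parse(CONFIG)["inside_in"]
    flows = [  # constructed test flows from the PC behind the PIX
        ("udp", "138.187.31.26", 137),   # NetBIOS name service to the DC
        ("tcp", "138.187.31.26", 445),   # SMB to the DC
        ("tcp", "138.187.31.26", 3389),  # not in any group
        ("udp", "138.187.96.70", 137),   # WINS server named later in the thread
        ("tcp", "138.187.31.52", 443),   # update server over https
    ]
    for proto, dst, dport in flows:
        print(proto, dst, dport, "->", *evaluate(acl, proto, "192.168.0.3", dst, dport))
```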

grblades

How are you connecting to it?
Is it over the console port or web interface?

You already have a password defined in the configuration by the looks of it.
I recommend you connect for administration using SSH.
If you type the following it will generate a key on the PIX :-
ca gen rsa key 1024
Now define the machines which are permitted to SSH to the box (they still need the password) :-
ssh 138.187.0.0 255.255.0.0 outside
Now save the key :-
ca save all

Now to connect use the built-in 'ssh' program in Linux or download a free copy of 'putty' and connect as the username 'pix' and enter your normal password.

imherson

ASKER

1) The WU client is querying our SUS server again.  Great!!
2) NVIRUS server console still doesn't show outside PC [It did before I put it behind the firewall] Maybe we got the port wrong.
3) I can still ping and do NSLOOKUPS from the PC outside for all the PCs on our network.
4) The domain beach shows up now in network neighborhood but the outside PC is the only member and I cannot make domain logons or add domain account permissions to any files on the PC.
~~~~~~ This may sound like a stupid question but does the port object range (135 139) have anything to do with the network ID (138.187) because as I told you before I'm substituting a different Class B network ID in the actual config? That's the only change I make because.~~~~~~~~~~~~~

I've been using Hyperterminal on the console port.  I know that the config shows a password, but I assure you it's blank.  I'll try SSH or putty after we work out the domain login and NVIRUS stuff.

My shift is coming to an end so I may pick this up Monday morning.

Here's the latest show config:

pix(config)# show config
: Saved
: Written by enable_15 at 16:46:37.991 UTC Fri Dec 3 2004
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 inside security100
nameif ethernet1 outside security0
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service windows_udp udp
  port-object range 135 139
object-group service windows_tcp tcp
  port-object range 135 netbios-ssn
  port-object eq 445
object-group service vscanupdate tcp
  port-object eq www
  port-object eq https
  port-object eq ftp
access-list outside_in permit ip any host 138.187.31.97
access-list outside_in permit icmp any any
access-list inside_in permit udp any any eq domain
access-list inside_in permit icmp any any
access-list inside_in permit udp any host 138.187.31.26 object-group windows_udp
access-list inside_in permit tcp any host 138.187.31.26 object-group windows_tcp
access-list inside_in permit tcp any host 138.187.31.52 object-group vscanupdate
pager lines 24
logging on
logging console errors
logging monitor debugging
logging buffered debugging
mtu inside 1500
mtu outside 1500
ip address inside 192.168.0.1 255.255.255.0
ip address outside 138.187.32.47 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 138.187.31.97 192.168.0.3 netmask 255.255.255.255 0 0
access-group inside_in in interface inside
access-group outside_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 60
ssh timeout 60
console timeout 0
terminal width 100
Cryptochecksum:b410c6eaf379ff8efccf3293d7003cac
pix(config)#

grblades

2) If you try to force an update or something and then immediately afterwards do a 'show log' on the PIX it should show any recent traffic it has denied. We can see what it is trying to do and then permit it.

3) I can disable ping if you wish. It would probably be best to do that last.
The PC is enabled to query any DNS server. Is that ok?

4) The domain controller is 138.187.31.26?

imherson

ASKER

2) Here's the log
pix(config)# show log
Syslog logging: enabled
    Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Console logging: level errors, 0 messages logged
    Monitor logging: level debugging, 0 messages logged
    Buffer logging: level debugging, 118196 messages logged
    Trap logging: disabled
    History logging: disabled
    Device ID: disabled
55.255/3000
710005: UDP request discarded from 138.187.32.220/4998 to outside:255.255.255.25
5/3000
710005: UDP request discarded from 138.187.32.220/4998 to outside:255.255.255.25
5/3000
710005: UDP request discarded from 138.187.32.36/138 to outside:138.187.255.255/
netbios-dgm
710005: UDP request discarded from 138.187.32.220/4998 to outside:255.255.255.25
5/3000
710005: UDP request discarded from 138.187.32.27/138 to outside:138.187.255.255/
netbios-dgm
710005: UDP request discarded from 138.187.31.57/138 to outside:138.187.255.255/
netbios-dgm
710005: UDP request discarded from 138.187.31.197/138 to outside:138.187.255.255
/netbios-dgm
710005: UDP request discarded from 138.187.32.244/2173 to outside:138.187.255.25
5/135
710005: UDP request discarded from 138.187.31.57/137 to outside:138.187.255.255/
netbios-ns
710005: UDP request discarded from 138.187.31.91/138 to outside:138.187.255.255/
netbios-dgm
710005: UDP request discarded from 138.187.31.57/137 to outside:138.187.255.255/
netbios-ns
710005: UDP request discarded from 138.187.31.57/137 to outside:138.187.255.255/
netbios-ns
710005: UDP request discarded from 192.168.0.3/138 to inside:192.168.0.255/netbi
os-dgm
302010: 1 in use, 3 most used
710005: UDP request discarded from 138.187.32.244/2173 to outside:138.187.255.25
5/135
106023: Deny udp src inside:192.168.0.3/137 dst outside:138.187.96.70/137 by acc
ess-group "inside_in"
710005: UDP request discarded from 138.187.31.54/1266 to outside:255.255.255.255
/1266
106023: Deny udp src inside:192.168.0.3/137 dst outside:138.187.96.70/137 by acc
ess-group "inside_in"
710005: UDP request discarded from 138.187.31.26/138 to outside:138.187.255.255/
netbios-dgm
106023: Deny udp src inside:192.168.0.3/137 dst outside:138.187.96.70/137 by acc
ess-group "inside_in"
710005: UDP request discarded from 138.187.31.218/138 to outside:138.187.255.255
/netbios-dgm
710005: UDP request discarded from 138.187.32.4/138 to outside:138.187.255.255/n
etbios-dgm
710005: UDP request discarded from 138.187.31.101/138 to outside:138.187.255.255
/netbios-dgm
710005: UDP request discarded from 138.187.32.244/2173 to outside:138.187.255.25
5/135
710005: UDP request discarded from 138.187.32.244/2173 to outside:138.187.255.25
5/135
710005: UDP request discarded from 138.187.32.5/138 to outside:138.187.255.255/n
etbios-dgm
710005: UDP request discarded from 138.187.31.194/137 to outside:138.187.255.255
/netbios-ns
710005: UDP request discarded from 138.187.32.78/138 to outside:138.187.255.255/
netbios-dgm
710005: UDP request discarded from 138.187.32.46/138 to outside:138.187.255.255/
netbios-dgm
710005: UDP request discarded from 138.187.31.103/138 to outside:138.187.255.255
/netbios-dgm
710005: UDP request discarded from 138.187.31.54/1266 to outside:255.255.255.255
/1266
710005: UDP request discarded from 138.187.32.31/138 to outside:138.187.255.255/
netbios-dgm
710005: UDP request discarded from 138.187.32.244/2173 to outside:138.187.255.25
5/135
710005: UDP request discarded from 138.187.32.124/138 to outside:138.187.255.255
/netbios-dgm
710005: UDP request discarded from 138.187.31.52/137 to outside:138.187.255.255/
netbios-ns
710005: UDP request discarded from 138.187.32.250/138 to outside:138.187.255.255
/netbios-dgm
710005: UDP request discarded from 138.187.31.53/138 to outside:255.255.255.255/
netbios-dgm
710005: UDP request discarded from 138.187.31.202/138 to outside:138.187.255.255
/netbios-dgm
710005: UDP request discarded from 138.187.31.96/138 to outside:138.187.255.255/
netbios-dgm
710005: UDP request discarded from 138.187.32.31/138 to outside:138.187.255.255/
netbios-dgm
710005: UDP request discarded from 138.187.32.244/2173 to outside:138.187.255.25
5/135
710005: UDP request discarded from 138.187.32.57/138 to outside:138.187.255.255/
netbios-dgm
411002: Line protocol on Interface inside, changed state to down
302010: 1 in use, 3 most used
302010: 1 in use, 3 most used
302010: 1 in use, 3 most used
302010: 1 in use, 3 most used
302010: 1 in use, 3 most used
111009: User 'enable_15' executed cmd: show logging
111009: User 'enable_15' executed cmd: show logging
pix(config)#


3) Your advice is best
4) Yes.  Below are 2 Netstat -a outputs for the PC.  One was checked when the PC was connected directly to our network.  The other is when the PC is put behind the firewall:

 NO FIREWALL
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    BEACH031097:smtp       BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:http       BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:epmap      BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:https      BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:microsoft-ds  BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:1025       BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:1027       BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:1028       BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:1046       BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:3312       BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:3372       BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:3389       BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:4726       BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:netbios-ssn  BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:3384       BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:3467       DomainController.BEACH.CH:netbios-ssn  TIME_WAIT
  TCP    BEACH031097:3471       BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:3471       DomainController.BEACH.CH:netbios-ssn  ESTABLISHE
D
  UDP    BEACH031097:epmap      *:*
  UDP    BEACH031097:microsoft-ds  *:*
  UDP    BEACH031097:1026       *:*
  UDP    BEACH031097:1039       *:*
  UDP    BEACH031097:1122       *:*
  UDP    BEACH031097:2967       *:*
  UDP    BEACH031097:3456       *:*
  UDP    BEACH031097:netbios-ns  *:*
  UDP    BEACH031097:netbios-dgm  *:*
  UDP    BEACH031097:isakmp     *:*
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    BEACH031097:smtp       BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:http       BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:epmap      BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:https      BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:microsoft-ds  BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:1025       BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:1027       BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:1028       BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:1046       BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:3312       BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:3372       BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:3389       BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:4726       BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:netbios-ssn  BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:3384       BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:3431       DomainController.BEACH.CH:netbios-ssn  TIME_WAIT
  UDP    BEACH031097:epmap      *:*
  UDP    BEACH031097:microsoft-ds  *:*
  UDP    BEACH031097:1026       *:*
  UDP    BEACH031097:1039       *:*
  UDP    BEACH031097:1122       *:*
  UDP    BEACH031097:2967       *:*
  UDP    BEACH031097:3456       *:*
  UDP    BEACH031097:netbios-ns  *:*
  UDP    BEACH031097:netbios-dgm  *:*
  UDP    BEACH031097:isakmp     *:*

C:\Documents and Settings\administrator.BEACH>netstat -a

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    BEACH031097:smtp       BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:http       BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:epmap      BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:https      BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:microsoft-ds  BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:1025       BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:1027       BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:1028       BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:1046       BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:3312       BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:3372       BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:3389       BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:4726       BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:netbios-ssn  BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:3384       BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:3435       BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:3435       DomainController.BEACH.CH:netbios-ssn  ESTABLISH
D
  UDP    BEACH031097:epmap      *:*
  UDP    BEACH031097:microsoft-ds  *:*
  UDP    BEACH031097:1026       *:*
  UDP    BEACH031097:1039       *:*
  UDP    BEACH031097:1122       *:*
  UDP    BEACH031097:2967       *:*
  UDP    BEACH031097:3456       *:*
  UDP    BEACH031097:netbios-ns  *:*
  UDP    BEACH031097:netbios-dgm  *:*
  UDP    BEACH031097:isakmp     *:*

BEHIND FIREWALL

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    BEACH031097:smtp       BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:http       BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:epmap      BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:https      BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:microsoft-ds  BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:1025       BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:1027       BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:1028       BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:1046       BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:3312       BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:3372       BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:3389       BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:4726       BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:3558       BEACH031097.BEACH.CH:microsoft-ds  TIM
E_WAIT
  TCP    BEACH031097:3384       BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:netbios-ssn  BEACH031097.BEACH.CH:0  LISTENING
  UDP    BEACH031097:epmap      *:*
  UDP    BEACH031097:microsoft-ds  *:*
  UDP    BEACH031097:1026       *:*
  UDP    BEACH031097:1039       *:*
  UDP    BEACH031097:1122       *:*
  UDP    BEACH031097:2967       *:*
  UDP    BEACH031097:3456       *:*
  UDP    BEACH031097:3577       *:*
  UDP    BEACH031097:netbios-ns  *:*
  UDP    BEACH031097:netbios-dgm  *:*
  UDP    BEACH031097:isakmp     *:*



grblades

106023: Deny udp src inside:192.168.0.3/137 dst outside:138.187.96.70/137 by access-group "inside_in"

This is the only thing being denied. What is 138.187.96.70?
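
An added example (not part of the thread and not Cisco tooling): a Python triage of `show log` buffer text in the shape posted above. It rejoins messages the console wrapped across lines, separates ACL denies (106023) from stateful "no connection" drops (106015) and from broadcast traffic the PIX itself discarded (710005), and turns each distinct ACL deny into a candidate `access-list` line for review; the sample text is constructed from message formats on this page and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the same wrapped form as the buffer output in the thread.
SAMPLE = """\
55.255/3000
710005: UDP request discarded from 138.187.32.220/4998 to outside:255.255.255.25
5/3000
710005: UDP request discarded from 138.187.31.57/137 to outside:138.187.255.255/
netbios-ns
106023: Deny udp src inside:192.168.0.3/137 dst outside:138.187.96.70/137 by acc
ess-group "inside_in"
302010: 1 in use, 3 most used
106023: Deny udp src inside:192.168.0.3/137 dst outside:138.187.96.70/137 by acc
ess-group "inside_in"
106015: Deny TCP (no connection) from 138.187.31.52/80 to 138.187.31.97/1643 fla
gs ACK  on interface outside
111009: User 'enable_15' executed cmd: show logging
"""

MSG_START = re.compile(r"^\d{6}: ")          # every message begins with its 6-digit id
ACL_DENY = re.compile(
    r'^106023: Deny (?P<proto>\S+) src (?P<sif>\S+?):(?P<src>[\d.]+)/(?P<sport>\S+) '
    r'dst (?P<dif>\S+?):(?P<dst>[\d.]+)/(?P<dport>\S+) by access-group "(?P<acl>[^"]+)"')

KINDS = {
    "106023": "acl-deny",        # dropped by an access-list entry or its implicit deny
    "106015": "no-connection",   # TCP segment with no matching state entry; not an ACL hit
    "710005": "to-firewall",     # UDP aimed at the PIX or a broadcast it does not serve
}


def unwrap(text):
    """Rejoin messages that the terminal split mid-word at the line width."""
    msgs = []
    for line in text.splitlines():
        if MSG_START.match(line):
            msgs.append(line)
        elif msgs:
            msgs[-1] += line     # continuation: the split has no separator, so none is added
        # A fragment before the first id is the tail of a message that has
        # already scrolled out of the buffer; it cannot be attributed, so skip it.
    return msgs


def classify(msg):
    return KINDS.get(msg[:6], "other")


def acl_denies(text):
    """Count distinct (acl, proto, src, dst, dport) tuples among 106023 messages.

    ICMP denies carry a type/code instead of ports and are not matched here.
    """
    hits = Counter()
    for msg in unwrap(text):
        m = ACL_DENY.match(msg)
        if m:
            hits[(m["acl"], m["proto"], m["src"], m["dst"], m["dport"])] += 1
    return hits


def candidate_rules(hits):
    """One host-to-host permit per distinct deny, for a person to review."""
    return sorted(
        f"access-list {acl} permit {proto} host {src} host {dst} eq {dport}"
        for acl, proto, src, dst, dport in hits)


if __name__ == "__main__":
    print(Counter(classify(m) for m in unwrap(SAMPLE)))
    for rule in candidate_rules(acl_denies(SAMPLE)):
        print(rule)
```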

imherson

ASKER

WINS server

imherson

ASKER

You can see from the netstats that the domain controller only appears on the list of active connections when the PC is not behind the firewall

grblades

Add :-
access-list inside_in permit udp any host 138.187.96.70 eq 137

This should get WINS working so whatever it is doing it should now be able to resolve the name.

Try to connect again and post the logs as before.

imherson

ASKER

I'm not sure if this is relevant but when I force an update netstat shows ports open to the parent of the parent SAV server on another PC.  This only showed up on an XP client.  Not on the client outside the firewall

TCP    BEACH032007:1899       SAV_SRV.BEACH.CH:ftp  TIME_WAIT
TCP    BEACH032007:1900       SAV_SRV.BEACH.CH:ftp  TIME_WAIT
TCP    BEACH032007:1902       SAV_SRV.BEACH.CH:ftp  TIME_WAIT
TCP    BEACH032007:1904       SAV_SRV.BEACH.CH:ftp  TIME_WAIT
TCP    BEACH032007:1906       SAV_SRV.BEACH.CH:ftp  TIME_WAIT
TCP    BEACH032007:1907       SAV_SRV.BEACH.CH:ftp  TIME_WAIT
TCP    BEACH032007:1909       SAV_SRV.BEACH.CH:ftp  TIME_WAIT
TCP    BEACH032007:1911       SAV_SRV.BEACH.CH:ftp  TIME_WAIT
TCP    BEACH032007:1913       SAV_SRV.BEACH.CH:ftp  TIME_WAIT
TCP    BEACH032007:1914       SAV_SRV.BEACH.CH:ftp  TIME_WAIT
UDP    BEACH032007:snmp       *:*
UDP    BEACH032007:microsoft-ds  *:*
UDP    BEACH032007:isakmp     *:*
UDP    BEACH032007:1028       *:*
UDP    BEACH032007:1029       *:*
UDP    BEACH032007:1030       *:*
UDP    BEACH032007:1031       *:*
UDP    BEACH032007:1830       *:*
UDP    BEACH032007:2967       *:*
UDP    BEACH032007:ntp        *:*
UDP    BEACH032007:1486       *:*
UDP    BEACH032007:1724       *:*
UDP    BEACH032007:1900       *:*
UDP    BEACH032007:ntp        *:*
UDP    BEACH032007:netbios-ns  *:*
UDP    BEACH032007:netbios-dgm  *:*
UDP    BEACH032007:1900       *:*


FYI:   SAV_SRV=138.187.48.33

grblades

There is some FTP going on but this is permitted on the PIX. I think you need to get another 'show log' output and we will have to permit every port one at a time until it works.

imherson

ASKER

Are these TCP ports permitted?

 TCP    BEACH031097:3467       DomainController.BEACH.CH:netbios-ssn  TIME_WAIT
  TCP    BEACH031097:3471       BEACH031097.BEACH.CH:0  LISTENING
  TCP    BEACH031097:3471       DomainController.BEACH.CH:netbios-ssn  ESTABLISHE

grblades

This shows the BEACH computer connection to netbios on the domain controller.
The PC is permitted to connect to the domain controller as well.

imherson

ASKER

Domain Logins/ permissions assignments are coming through!!

Tomorrow when the next nvirus update comes out we'll know if that's also solved.  

If that's so, just the  ping and nslookup up issue would be left.
imherson

ASKER

The SAV definitions were not updated. I suppose the Denys in the log are the reason?

Parent Antivirus server = 138.187.31.52

Here's the log:
pix(config)# show log
Syslog logging: enabled
    Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Console logging: level errors, 0 messages logged
    Monitor logging: level debugging, 0 messages logged
    Buffer logging: level debugging, 28494 messages logged
    Trap logging: disabled
    History logging: disabled
    Device ID: disabled
de:138.187.31.52/80 to inside:192.168.0.3/1643 duration 0:00:01 bytes 3090 TCP R
eset-I
106015: Deny TCP (no connection) from 138.187.31.52/80 to 138.187.31.97/1643 fla
gs ACK  on interface outside
106015: Deny TCP (no connection) from 138.187.31.52/80 to 138.187.31.97/1643 fla
gs ACK  on interface outside
106015: Deny TCP (no connection) from 138.187.31.52/80 to 138.187.31.97/1643 fla
gs ACK  on interface outside
710005: UDP request discarded from 138.187.32.226/138 to outside:138.187.255.255
/netbios-dgm
710005: UDP request discarded from 138.187.31.52/138 to outside:138.187.255.255/
netbios-dgm
710005: UDP request discarded from 138.187.31.26/137 to outside:138.187.255.255/
netbios-ns
710005: UDP request discarded from 138.187.31.102/138 to outside:138.187.255.255
/netbios-dgm
710005: UDP request discarded from 138.187.31.26/137 to outside:138.187.255.255/
netbios-ns
710005: UDP request discarded from 138.187.31.26/137 to outside:138.187.255.255/
netbios-ns
710005: UDP request discarded from 138.187.32.50/138 to outside:138.187.255.255/
netbios-dgm
710005: UDP request discarded from 138.187.31.32/137 to outside:138.187.255.255/
netbios-ns
710005: UDP request discarded from 138.187.31.3/138 to outside:138.187.255.255/n
etbios-dgm
710005: UDP request discarded from 138.187.31.32/137 to outside:138.187.255.255/
netbios-ns
710005: UDP request discarded from 138.187.31.32/137 to outside:138.187.255.255/
netbios-ns
710005: UDP request discarded from 138.187.31.26/137 to outside:138.187.255.255/
netbios-ns
710005: UDP request discarded from 138.187.31.26/137 to outside:138.187.255.255/
netbios-ns
710005: UDP request discarded from 138.187.31.26/137 to outside:138.187.255.255/
netbios-ns
710005: UDP request discarded from 138.187.32.85/138 to outside:138.187.255.255/
netbios-dgm
710005: UDP request discarded from 138.187.32.2/138 to outside:138.187.255.255/n
etbios-dgm
710005: UDP request discarded from 138.187.32.244/2173 to outside:138.187.255.25
5/135
710005: UDP request discarded from 138.187.31.26/137 to outside:138.187.255.255/
netbios-ns
710005: UDP request discarded from 138.187.31.9/138 to outside:138.187.255.255/n
etbios-dgm
710005: UDP request discarded from 138.187.31.26/137 to outside:138.187.255.255/
netbios-ns
710005: UDP request discarded from 138.187.32.219/138 to outside:138.187.255.255
/netbios-dgm
710005: UDP request discarded from 138.187.31.26/137 to outside:138.187.255.255/
netbios-ns
710005: UDP request discarded from 138.187.32.225/138 to outside:138.187.255.255
/netbios-dgm
710005: UDP request discarded from 138.187.31.194/137 to outside:138.187.255.255
/netbios-ns
710005: UDP request discarded from 138.187.32.244/2173 to outside:138.187.255.25
5/135
710005: UDP request discarded from 138.187.31.29/138 to outside:138.187.255.255/
netbios-dgm
710005: UDP request discarded from 138.187.31.54/1266 to outside:255.255.255.255
/1266
710005: UDP request discarded from 138.187.32.244/2173 to outside:138.187.255.25
5/135
710005: UDP request discarded from 138.187.32.27/137 to outside:138.187.255.255/
netbios-ns
710005: UDP request discarded from 138.187.32.27/137 to outside:138.187.255.255/
netbios-ns
710005: UDP request discarded from 138.187.32.18/138 to outside:138.187.255.255/
netbios-dgm
710005: UDP request discarded from 138.187.32.27/137 to outside:138.187.255.255/
netbios-ns
502103: User priv level changed: Uname: enable_1 From: 1 To: 15
111008: User 'enable_1' executed the 'enable' command.
710005: UDP request discarded from 138.187.32.27/137 to outside:138.187.255.255/
netbios-ns
111007: Begin configuration: console reading from terminal
111008: User 'enable_15' executed the 'configure t' command.
710005: UDP request discarded from 138.187.32.27/137 to outside:138.187.255.255/
netbios-ns
710005: UDP request discarded from 138.187.32.244/2173 to outside:138.187.255.25
5/135
710005: UDP request discarded from 138.187.32.27/137 to outside:138.187.255.255/
netbios-ns
710005: UDP request discarded from 138.187.32.28/138 to outside:138.187.255.255/
netbios-dgm
710005: UDP request discarded from 138.187.31.54/1266 to outside:255.255.255.255
/1266
pix(config)#
grblades

> 106015: Deny TCP (no connection) from 138.187.31.52/80 to 138.187.31.97/1643
> flags ACK  on interface outside

This is strange. It looks like the PC sent a request to the server but aborted for some reason and closed the connection. The server still sent back a couple of replies which were rejected because the connection had already been closed.
Ideally I need the log entries just before these lines.
imherson

ASKER

What do you make of this?

06023: Deny tcp src inside:192.168.0.3/1045 dst outside:138.187.4.60/53 by acce
ss-group "inside_in"
106023: Deny tcp src inside:192.168.0.3/1045 dst outside:138.187.4.60/53 by acce
ss-group "inside_in"
106023: Deny tcp src inside:192.168.0.3/1045 dst outside:138.187.4.60/53 by acce
ss-group "inside_in"
106023: Deny tcp src inside:192.168.0.3/1046 dst outside:138.187.4.60/53 by acce
ss-group "inside_in"
106023: Deny tcp src inside:192.168.0.3/1046 dst outside:138.187.4.60/53 by acce
ss-group "inside_in"
 
grblades

Is 138.187.4.60 a DNS server?
DNS usually uses UDP but these are TCP. TCP is used for things like dynamic updates (part of Active Directory) and zone transfers.
imherson

ASKER

We don't use this address in our TCP/IP settings, although I've often seen the address in event logs.
imherson

ASKER

Here are some more Denys from the log:

10005: UDP request discarded from 138.187.32.93/138 to outside:138.187.255.255/n
etbios-dgm
710005: UDP request discarded from 138.187.31.66/138 to outside:138.187.255.255/
netbios-dgm
710005: UDP request discarded from 138.187.31.95/138 to outside:138.187.255.255/
netbios-dgm
710005: UDP request discarded from 192.168.0.3/138 to inside:192.168.0.255/netbi
os-dgm
302015: Built outbound UDP connection 710 for outside:138.187.31.26/138 (138.187
.31.26/138) to inside:192.168.0.3/138 (138.187.31.97/138)
106023: Deny udp src inside:192.168.0.3/138 dst outside:138.187.31.50/138 by acc
ess-group "inside_in"
710005: UDP request discarded from 138.187.31.54/1266 to outside:255.255.255.255
/1266
302015: Built outbound UDP connection 711 for outside:138.187.96.15/53 (138.187.
96.15/53) to inside:192.168.0.3/1097 (138.187.31.97/1097)
302015: Built outbound UDP connection 712 for outside:138.187.96.134/137 (150.14
2.96.134/137) to inside:192.168.0.3/137 (138.187.31.97/137)
302016: Teardown UDP connection 711 for outside:138.187.96.15/53 to inside:192.1
68.0.3/1097 duration 0:00:01 bytes 306
106023: Deny tcp src inside:192.168.0.3/1098 dst outside:138.187.31.52/139 by ac
cess-group "inside_in"
106023: Deny tcp src inside:192.168.0.3/1096 dst outside:138.187.31.52/445 by ac
cess-group "inside_in"
106023: Deny tcp src inside:192.168.0.3/1098 dst outside:138.187.31.52/139 by ac
cess-group "inside_in"
106023: Deny tcp src inside:192.168.0.3/1096 dst outside:138.187.31.52/445 by ac
cess-group "inside_in"
106023: Deny tcp src inside:192.168.0.3/1098 dst outside:138.187.31.52/139 by ac
cess-group "inside_in"
106023: Deny tcp src inside:192.168.0.3/1099 dst outside:138.187.31.52/139 by ac
cess-group "inside_in"
106023: Deny tcp src inside:192.168.0.3/1096 dst outside:138.187.31.52/445 by ac
cess-group "inside_in"
106023: Deny tcp src inside:192.168.0.3/1099 dst outside:138.187.31.52/139 by ac
cess-group "inside_in"
106023: Deny tcp src inside:192.168.0.3/1099 dst outside:138.187.31.52/139 by ac
cess-group "inside_in"
106023: Deny udp src inside:192.168.0.3/2967 dst outside:138.187.31.52/2967 by a
ccess-group "inside_in"
106023: Deny udp src inside:192.168.0.3/2967 dst outside:138.187.31.52/2967 by a
ccess-group "inside_in"
106023: Deny udp src inside:192.168.0.3/2967 dst outside:138.187.31.52/2967 by a
ccess-group "inside_in"
106023: Deny udp src inside:192.168.0.3/1034 dst outside:138.187.31.52/38293 by
access-group "inside_in"
106023: Deny udp src inside:192.168.0.3/1034 dst outside:138.187.31.52/38293 by
access-group "inside_in"
106023: Deny udp src inside:192.168.0.3/1034 dst outside:138.187.31.52/38293 by
access-group "inside_in"
106023: Deny udp src inside:192.168.0.3/1034 dst outside:138.187.31.52/38293 by
access-group "inside_in"
710005: UDP request discarded from 138.187.32.244/2173 to outside:138.187.255.25
5/135
106023: Deny udp src inside:192.168.0.3/1034 dst outside:138.187.31.52/38293 by
access-group "inside_in"
106023: Deny udp src inside:192.168.0.3/1034 dst outside:138.187.31.52/38293 by
access-group "inside_in"
710005: UDP request discarded from 138.187.31.91/138 to outside:138.187.255.255/
netbios-dgm
710005: UDP request discarded from 138.187.32.216/138 to outside:138.187.255.255
/netbios-dgm
710005: UDP request discarded from 138.187.31.15/138 to outside:138.187.255.255/
netbios-dgm
710005: UDP request discarded from 138.187.31.31/138 to outside:138.187.255.255/
netbios-dgm
710005: UDP request discarded from 138.187.31.2/138 to outside:138.187.255.255/n
etbios-dgm
710005: UDP request discarded from 138.187.32.244/2173 to outside:138.187.255.25
5/135
111009: User 'enable_15' executed cmd: show configure
710005: UDP request discarded from 138.187.32.117/138 to outside:138.187.255.255
/netbios-dgm
710005: UDP request discarded from 138.187.31.194/137 to outside:138.187.255.255
/netbios-ns
710005: UDP request discarded from 138.187.32.220/138 to outside:138.187.255.255
/netbios-dgm
710005: UDP request discarded from 138.187.31.54/1266 to outside:255.255.255.255
/1266
710005: UDP request discarded from 138.187.32.11/138 to outside:138.187.255.255/
netbios-dgm
pix(config)#
grblades

It tried to access the Windows file sharing port on 138.187.31.52 once and access 138.187.31.52 many times.
It looks like it might be using Windows file sharing to try and download the virus updates.
Adding the following should permit it:-
access-list inside_in permit udp any host 138.187.31.52 object-group windows_udp
access-list inside_in permit tcp any host 138.187.31.52 object-group windows_tcp
imherson

ASKER

Windows file sharing is enabled; Network Neighborhood is populated now and I can browse the shares on 138.187.31.52.  Windows Updates queries completed successfully (although the PC had queried the SUS server earlier on, it had not actually downloaded the cab files successfully).

I uninstalled Symantec and reinstalled.  During the installation the IP or name of the parent server is required; neither allowed setup to connect to the server.  The message was, "unable to find server".  I raised the case of the denys in the log below:

show log
Syslog logging: enabled
    Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Console logging: level errors, 0 messages logged
    Monitor logging: level debugging, 0 messages logged
    Buffer logging: level debugging, 1572 messages logged
    Trap logging: disabled
    History logging: disabled
    Device ID: disabled
42.32.101/138 to outside:138.187.255.255/netbios-dgm
710005: UDP request discarded from 138.187.31.33/137 to outside:138.187.255.255/
netbios-ns
710005: UDP request discarded from 138.187.32.8/138 to outside:138.187.255.255/n
etbios-dgm
710005: UDP request discarded from 138.187.31.33/137 to outside:138.187.255.255/
netbios-ns
710005: UDP request discarded from 192.168.0.3/138 to inside:192.168.0.255/netbi
os-dgm
106023: Deny udp src inside:192.168.0.3/138 dst outside:138.187.31.50/138 by acc
ess-group "inside_in"
710005: UDP request discarded from 138.187.32.50/138 to outside:138.187.255.255/
netbios-dgm
710005: UDP request discarded from 138.187.31.31/137 to outside:138.187.255.255/
netbios-ns
710005: UDP request discarded from 138.187.31.31/137 to outside:138.187.255.255/
netbios-ns
710005: UDP request discarded from 138.187.31.31/137 to outside:138.187.255.255/
netbios-ns
710005: UDP request discarded from 138.187.32.244/2173 to outside:138.187.255.25
5/135
710005: UDP request discarded from 138.187.31.26/138 to outside:138.187.255.255/
netbios-dgm
710005: UDP request discarded from 192.168.0.3/1049 to inside:255.255.255.255/38
293
710005: UDP request discarded from 192.168.0.3/1049 to inside:255.255.255.255/38
293
710005: UDP request discarded from 192.168.0.3/1049 to inside:255.255.255.255/38
293
710005: UDP request discarded from 192.168.0.3/1049 to inside:255.255.255.255/38
293
710005: UDP request discarded from 192.168.0.3/1049 to inside:255.255.255.255/38
293
710005: UDP request discarded from 192.168.0.3/1049 to inside:255.255.255.255/38
293
710005: UDP request discarded from 138.187.31.31/137 to outside:138.187.255.255/
netbios-ns
710005: UDP request discarded from 138.187.31.31/137 to outside:138.187.255.255/
netbios-ns
710005: UDP request discarded from 138.187.31.31/137 to outside:138.187.255.255/
netbios-ns
710005: UDP request discarded from 138.187.31.31/137 to outside:138.187.255.255/
netbios-ns
710005: UDP request discarded from 138.187.31.31/137 to outside:138.187.255.255/
netbios-ns
710005: UDP request discarded from 138.187.31.31/137 to outside:138.187.255.255/
netbios-ns
106023: DENY UDP SRC INSIDE:192.168.0.3/1049 DST OUTSIDE:138.187.31.52/38293 BY
ACCESS-GROUP "INSIDE_IN"
106023: DENY UDP SRC INSIDE:192.168.0.3/1049 DST OUTSIDE:138.187.31.52/38293 BY
ACCESS-GROUP "INSIDE_IN"
710005: UDP request discarded from 138.187.32.122/138 to outside:138.187.255.255
/netbios-dgm
710005: UDP request discarded from 138.187.31.31/137 to outside:138.187.255.255/
netbios-ns
710005: UDP request discarded from 138.187.31.31/137 to outside:138.187.255.255/
netbios-ns
106023: DENY UDP SRC INSIDE:192.168.0.3/1049 DST OUTSIDE:138.187.31.52/38293 BY
ACCESS-GROUP "INSIDE_IN"
106023: DENY UDP SRC INSIDE:192.168.0.3/1049 DST OUTSIDE:138.187.31.52/38293 BY
ACCESS-GROUP "INSIDE_IN"
710005: UDP request discarded from 138.187.31.31/137 to outside:138.187.255.255/
netbios-ns
710005: UDP request discarded from 138.187.31.31/137 to outside:138.187.255.255/
netbios-ns
710005: UDP request discarded from 138.187.32.8/138 to outside:138.187.255.255/n
etbios-dgm
106023: Deny udp src inside:192.168.0.3/1049 dst outside:138.187.31.52/38293 by
access-group "inside_in"
106023: Deny udp src inside:192.168.0.3/1049 dst outside:138.187.31.52/38293 by
access-group "inside_in"
710005: UDP request discarded from 138.187.31.31/137 to outside:138.187.255.255/
netbios-ns
710005: UDP request discarded from 138.187.31.29/138 to outside:138.187.255.255/
netbios-dgm
710005: UDP request discarded from 138.187.31.31/137 to outside:138.187.255.255/
netbios-ns
710005: UDP request discarded from 138.187.32.244/2173 to outside:138.187.255.25
5/135
710005: UDP request discarded from 138.187.32.225/138 to outside:138.187.255.255
/netbios-dgm
710005: UDP request discarded from 138.187.31.54/1266 to outside:255.255.255.255
/1266
710005: UDP request discarded from 138.187.31.44/138 to outside:138.187.255.255/
netbios-dgm
710005: UDP request discarded from 138.187.32.101/138 to outside:138.187.255.255
/netbios-dgm
710005: UDP request discarded from 138.187.32.244/2173 to outside:138.187.255.25
5/135
pix(config)#
grblades

Try temporarily adding these lines to permit everything to these two servers and then see if it works :-
access-list inside_in permit ip any host 138.187.31.50
access-list inside_in permit ip any host 138.187.31.52
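
Once a temporary "permit ip" like the one above has confirmed the cause, the 106023 denies already captured by 'show log' list which destinations and ports were refused, so the blanket rule can be replaced by narrow ones. The following is an added example, not part of any post in this thread: the function names and the embedded sample log are constructed for illustration, and the access-list lines it prints are candidates to review one by one.

```python
import re
from collections import Counter

# Constructed sample in the shape of the 'show log' captures in this thread:
# 80-column wrapping, one upper-cased entry, a trailing CLI prompt.
SAMPLE_LOG = """\
710005: UDP request discarded from 138.187.31.66/138 to outside:138.187.255.255/
netbios-dgm
106023: Deny udp src inside:192.168.0.3/138 dst outside:138.187.31.50/138 by acc
ess-group "inside_in"
106023: Deny tcp src inside:192.168.0.3/1098 dst outside:138.187.31.52/139 by ac
cess-group "inside_in"
106023: Deny tcp src inside:192.168.0.3/1096 dst outside:138.187.31.52/445 by ac
cess-group "inside_in"
106023: Deny tcp src inside:192.168.0.3/1099 dst outside:138.187.31.52/139 by ac
cess-group "inside_in"
106023: DENY UDP SRC INSIDE:192.168.0.3/1049 DST OUTSIDE:138.187.31.52/38293 BY
ACCESS-GROUP "INSIDE_IN"
106023: Deny udp src inside:192.168.0.3/2967 dst outside:138.187.31.52/2967 by a
ccess-group "inside_in"
pix(config)#
"""

RECORD_START = re.compile(r"^\d{6}: ")   # every message starts with its ID
PROMPT = re.compile(r"^\S+[#>]\s*$")     # e.g. "pix(config)#"
DENY = re.compile(
    r'^106023: deny (tcp|udp) src \w+:([\d.]+)/\d+ dst \w+:([\d.]+)/(\d+)'
    r'\s*by\s*access-group\s*"([^"]+)"',
    re.IGNORECASE,                       # tolerate hand-edited upper case
)


def unwrap(text):
    """Rejoin records that were split at the terminal's 80th column."""
    records = []
    for line in text.splitlines():
        if PROMPT.match(line):
            continue
        if RECORD_START.match(line):
            records.append(line.rstrip())
        elif records:
            # Continuation line: join without a separator. A space that fell
            # exactly on the wrap column is lost; DENY tolerates that at "by".
            records[-1] += line.strip()
    return records


def denied_flows(text):
    """Count 106023 denies per (acl, protocol, source, destination, port)."""
    flows = Counter()
    for record in unwrap(text):
        m = DENY.match(record)
        if m:
            proto, src, dst, dport, acl = m.groups()
            flows[(acl.lower(), proto.lower(), src, dst, int(dport))] += 1
    return flows


def candidate_rules(flows):
    """Return (hit count, access-list line) pairs, one per denied flow."""
    return [
        (hits,
         f"access-list {acl} permit {proto} host {src} host {dst} eq {dport}")
        for (acl, proto, src, dst, dport), hits in sorted(flows.items())
    ]


if __name__ == "__main__":
    for hits, rule in candidate_rules(denied_flows(SAMPLE_LOG)):
        print(f"{hits:3d}  {rule}")
```

Each printed line is a decision rather than a fix: a port the update client needs is permitted, and a port that is only used for browsing shares stays denied.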
imherson

ASKER

The client installation was able to find the parent server and complete.  Tomorrow I'll verify that new definition updates are received.  FYI the first server is a backup domain controller.

If this works will it be possible to restrict the connections so that browsing of the domain controllers and SAV server is NOT possible but the Windows updates and virus definition updates continue?  Of course I can do this with permissions but then why do I have a firewall?

Here's the log after the last changes:

pix(config)# show log
Syslog logging: enabled
    Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Console logging: level errors, 0 messages logged
    Monitor logging: level debugging, 0 messages logged
    Buffer logging: level debugging, 1039 messages logged
    Trap logging: disabled
    History logging: disabled
    Device ID: disabled
P request discarded from 138.187.32.124/138 to outside:138.187.255.255/netbios-d
gm
710005: UDP request discarded from 138.187.32.69/137 to outside:138.187.255.255/
netbios-ns
710005: UDP request discarded from 138.187.32.69/137 to outside:138.187.255.255/
netbios-ns
710005: UDP request discarded from 138.187.32.69/137 to outside:138.187.255.255/
netbios-ns
710005: UDP request discarded from 138.187.32.85/138 to outside:138.187.255.255/
netbios-dgm
710005: UDP request discarded from 138.187.31.96/138 to outside:138.187.255.255/
netbios-dgm
710005: UDP request discarded from 138.187.32.78/138 to outside:138.187.255.255/
netbios-dgm
710005: UDP request discarded from 138.187.32.244/2173 to outside:138.187.255.25
5/135
710005: UDP request discarded from 138.187.31.54/1266 to outside:255.255.255.255
/1266
710005: UDP request discarded from 138.187.32.239/138 to outside:138.187.255.255
/netbios-dgm
710005: UDP request discarded from 138.187.31.218/138 to outside:138.187.255.255
/netbios-dgm
710005: UDP request discarded from 138.187.32.244/2173 to outside:138.187.255.25
5/135
710005: UDP request discarded from 138.187.32.98/138 to outside:138.187.255.255/
netbios-dgm
710005: UDP request discarded from 138.187.31.28/138 to outside:138.187.255.255/
netbios-dgm
710005: UDP request discarded from 138.187.32.244/2173 to outside:138.187.255.25
5/135
710005: UDP request discarded from 138.187.31.54/1266 to outside:255.255.255.255
/1266
710005: UDP request discarded from 138.187.32.21/138 to outside:138.187.255.255/
netbios-dgm
710005: UDP request discarded from 138.187.31.202/138 to outside:138.187.255.255
/netbios-dgm
710005: UDP request discarded from 138.187.32.220/138 to outside:138.187.255.255
/netbios-dgm
710005: UDP request discarded from 138.187.32.244/2173 to outside:138.187.255.25
5/135
710005: UDP request discarded from 138.187.31.20/138 to outside:138.187.255.255/
netbios-dgm
710005: UDP request discarded from 138.187.32.213/138 to outside:138.187.255.255
/netbios-dgm
710005: UDP request discarded from 138.187.32.16/138 to outside:138.187.255.255/
netbios-dgm
710005: UDP request discarded from 138.187.32.18/138 to outside:138.187.255.255/
netbios-dgm
710005: UDP request discarded from 138.187.32.244/2173 to outside:138.187.255.25
5/135
710005: UDP request discarded from 138.187.31.54/1266 to outside:255.255.255.255
/1266
302016: Teardown UDP connection 23 for outside:138.187.31.52/2967 to inside:192.
168.0.3/2967 duration 0:03:10 bytes 65345
710005: UDP request discarded from 138.187.32.19/138 to outside:138.187.255.255/
netbios-dgm
710005: UDP request discarded from 138.187.31.193/137 to outside:138.187.255.255
/netbios-ns
710005: UDP request discarded from 138.187.32.203/138 to outside:138.187.255.255
/netbios-dgm
710005: UDP request discarded from 138.187.32.244/2173 to outside:138.187.255.25
5/135
710005: UDP request discarded from 138.187.31.93/138 to outside:138.187.255.255/
netbios-dgm
710005: UDP request discarded from 138.187.32.208/138 to outside:138.187.255.255
/netbios-dgm
/netbios-dgm
etbios-dgm
710005: UDP request discarded from 138.187.32.212/138 to outside:138.187.255.255
/netbios-dgm
710005: UDP request discarded from 138.187.32.12/138 to outside:138.187.255.255/
netbios-dgm
710005: UDP request discarded from 138.187.31.23/138 to outside:138.187.255.255/
netbios-dgm
710005: UDP request discarded from 138.187.31.102/138 to outside:138.187.255.255
/netbios-dgm
710005: UDP request discarded from 138.187.32.84/138 to outside:138.187.255.255/
netbios-dgm
710005: UDP request discarded from 138.187.31.54/1266 to outside:255.255.255.255
/1266
710005: UDP request discarded from 138.187.32.244/2173 to outside:138.187.255.25
5/135
710005: UDP request discarded from 138.187.32.231/138 to outside:138.187.255.255
/netbios-dgm
710005: UDP request discarded from 138.187.32.242/138 to outside:138.187.255.255
/netbios-dgm
710005: UDP request discarded from 138.187.32.244/2173 to outside:138.187.255.25
5/135
710005: UDP request discarded from 138.187.31.35/138 to outside:138.187.255.255/
netbios-dgm
pix(config)#
ASKER CERTIFIED SOLUTION
grblades
imherson

ASKER

I understand.  Can I disable ping from the outside? And can I prevent the use of the password recovery utility so that someone cannot hack the firewall using a TFTP server?
grblades

You can disable ping from a particular direction by disabling the replies. By default the local LAN can ping the PC. Do you want this but not the PC being able to ping the rest of the network?

The only way to stop password recovery is to have physical security so people cannot attach a serial cable to the console port.
imherson

ASKER

> Do you want this but not the PC being able to ping the rest of the network?

Yes.  You can answer here: https://www.experts-exchange.com/questions/21235211/Tweak-a-config-for-a-Pix-501.html  (I wasn't sure whether you might have had enough of me.)