Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

Pix 515E and ICMP

Posted on 2006-04-07
23
Medium Priority
?
1,074 Views
Last Modified: 2013-11-16
What is the proper way to  allow icmp messages from my network through a Cisco Pix 515e, without allowing it from the outside in.  I have looked at http://www.experts-exchange.com/Security/Firewalls/Q_21679742.html and http://www.experts-exchange.com/Networking/Microsoft_Network/Q_21790685.html?qid=21790685 but that does not seem to do it.  

Thanks
0
Comment
Question by:exiscapital
  • 10
  • 8
  • 5
23 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16402327
access-list acl_out permit icmp any any echo-reply
access-list acl_out permit icmp any any echo-request
access-group acl_out out interface outside



0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16402358
Just bear in mind this lets it through from the PIX outwards.
if you apply this access-list it will only let this traffic go through so make sure you add it to your existing acl....

If you do not have an outgoing acl, then all traffic will be allowed out.
0
 

Author Comment

by:exiscapital
ID: 16402452
By default, shouldn't all traffic from high security interface flow out the low security interface without restriction.  SHould the access list be used just to allow the traffic back in.
0
New Tabletop Appliances Blow Competitors Away!

WatchGuard’s new T15, T35 and T55 tabletop UTMs provide the highest-performing security inspection in their class, allowing users at small offices, home offices and distributed enterprises to experience blazing-fast Internet speeds without sacrificing enterprise-grade security.

 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16402574
To your first point, yes. Having NO acl, would allow higher to lower but as soon as you put an ACL in, then ONLY that traffic is allowed. When traffic passes out, it makes a session so that responses can come back in again.
0
 

Author Comment

by:exiscapital
ID: 16403325
I have entered the following code below, and now i am able to ping from the fire wall in either direction, however, I am still not able to ping from workstation on network to an external ip.  Is there something else that I need to add.

icmp permit any echo-reply outside
access-list acl_ins permit icmp any any echo  
access-list acl_ins permit icmp any any
access-list acl_ins permit ip any any
access-list acl_out permit icmp any any echo-reply
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16403384
Can you just post a sanitised copy of the config?
0
 

Author Comment

by:exiscapital
ID: 16403505
PIX Version 6.3(1)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password SK/lhDTtaj.76ERQ encrypted
passwd SK/lhDTtaj.76ERQ encrypted
hostname xxxxxxx
domain-name xxxxxx
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 10.XX.XX.XX InternalNet
name 66.XX.XX.XX Instaquote4
name 63.XX.XX.XX Instaquote1
name 63.XX.XX.XX Instaquote3
name 63.XX.XX.XX Instaquote2
name 216.XX.XX.XX evault
name 218.XX.XX.XX tracker2
name 192.XX.XX.XX Hamptons
name 63.XX.XX.XX Software
object-group service FTP tcp
  port-object eq ftp-data
  port-object eq ftp
object-group service Bridge tcp-udp
  port-object range 14000 14000
  port-object range 6107 6107
  port-object range 4301 4301
  port-object range 4303 4303
object-group service Sobig_Block udp
  port-object range 995 999
object-group service XXXX_Internet tcp
  port-object range 16443 16443
  port-object range 15443 15443
  port-object range 18443 18443
  port-object range 17443 17443
object-group service Sasser_Virus tcp
  port-object range 445 445
  port-object range 9996 9996
  port-object range 5554 5554
object-group service CTS tcp
  port-object range 23242 23242
  port-object range 23502 23502
  port-object range 23602 23602
object-group service instaquote tcp
  port-object range 3200 3210
  port-object range 3500 3510
  port-object range 3550 3560
object-group service BitTorrent tcp-udp
  port-object range 6881 6999
object-group service BitTorrentTracker tcp-udp
  port-object range 6969 6969
object-group service BitComet tcp-udp
  port-object range 19973 19973
object-group service P2Papps tcp-udp
  description Bunch of peer to peer apps
  port-object range 4762 4762
  port-object range 8888 8889
  port-object range 28864 28865
  port-object range 7668 7668
  port-object range 8311 8311
  port-object range 41170 41170
  port-object range 1214 1214
object-group service NAPSTER tcp
  port-object range 6600 6699
  port-object eq 4444
  port-object eq 8888
  port-object eq 5555
  port-object eq 6666
  port-object eq 8875
  port-object eq 7777
object-group service SIP tcp-udp
  port-object eq 3478
  port-object range 8000 8001
  port-object range 5060 5061
object-group service citifutures tcp-udp
  port-object range 7001 7002
  port-object range 5555 5556
access-list outside_access_in permit tcp any object-group CTS any object-group C
TS
access-list outside_access_in permit tcp any object-group SIP any object-group S
IP log 1
access-list outside_access_in deny tcp any object-group NAPSTER any
access-list outside_access_in deny tcp any object-group BitTorrent any
access-list outside_access_in deny tcp any object-group BitTorrentTracker any
access-list outside_access_in deny tcp any object-group BitComet any
access-list outside_access_in deny tcp any any eq smtp log 1
access-list outside_access_in deny tcp any any eq 3127
access-list outside_access_in deny tcp any any eq 1214
access-list outside_access_in deny udp any object-group Sobig_Block any object-g
roup Sobig_Block
access-list outside_access_in deny udp any eq ntp any eq ntp
access-list outside_access_in remark Beagle.b Virus Back door Block
access-list outside_access_in deny tcp any any eq 8866
access-list outside_access_in deny tcp any object-group Sasser_Virus any object-
group Sasser_Virus
access-list outside_access_in deny ip any any
access-list outside_access_in permit tcp any object-group citifutures any object
-group citifutures
access-list inside_access_in permit tcp any object-group SIP any object-group SI
P log 1 interval 20
access-list inside_access_in permit ip any host evault log 5
access-list inside_access_in permit tcp any any object-group REDI_Internet
access-list inside_access_in permit tcp any any eq https
access-list inside_access_in deny tcp any object-group NAPSTER any
access-list inside_access_in deny udp any any eq 8998
access-list inside_access_in deny tcp any object-group Sasser_Virus any object-g
roup Sasser_Virus
access-list inside_access_in deny tcp ExisInternalNet 255.255.0.0 any eq smtp lo
g 1
access-list inside_access_in deny tcp any any eq 1214
access-list inside_access_in deny tcp any any object-group BitComet
access-list inside_access_in deny tcp any any object-group BitTorrent
access-list inside_access_in deny tcp any any object-group BitTorrentTracker
access-list inside_access_in deny tcp any any object-group P2Papps
access-list inside_access_in permit ip any any
access-list acl_ins permit icmp any any echo
access-list acl_ins permit icmp any any
access-list acl_ins permit ip any any
access-list acl_out permit icmp any any echo-reply
pager lines 24
logging on
icmp permit any information-reply outside
icmp permit any mask-reply outside
icmp permit any parameter-problem outside
icmp permit any source-quench outside
icmp permit any time-exceeded outside
icmp permit any timestamp-reply outside
icmp permit any unreachable outside
icmp permit any echo-reply outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 66.XX.XX.XX 255.255.255.240
ip address inside 10.XX.XX.XX 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm location 10.XX.XX.XX 255.255.255.255 inside
pdm location Software 255.255.255.0 outside
pdm location 68.XX.XX.XX 255.255.255.255 outside
pdm location 64.XX.XX.XX 255.255.255.255 outside
pdm location 64.XX.XX.XX 255.255.255.255 inside
pdm location Instaquote1 255.255.255.0 outside
pdm location Instaquote3 255.255.255.0 outside
pdm location Instaquote2 255.255.255.0 outside
pdm location Instaquote4 255.255.255.0 outside
pdm location evault 255.255.255.255 outside
pdm location tracker2 255.255.255.255 outside
pdm location Hamptons 255.255.255.0 inside
pdm logging notifications 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 InternalNet 255.255.0.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 66.XX.XX.XX 1
route inside Hamptons 255.255.255.0 10.XX.XX.XX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http InternalNet 255.255.0.0 inside
http Hamptons 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community eXis
no snmp-server enable traps
no floodguard enable
sysopt connection permit-ipsec
service resetinbound
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
isakmp enable outside
isakmp key ******** address 208.XX.XX.XX netmask 255.255.255.255 no-xauth no-
config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet InternalNet 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
username admin password g8rxkBgz2s/xqqU1 encrypted privilege 1
terminal width 80
Cryptochecksum:a50fd5e39a1551142295d2e5484696b6
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16403623
access-list inside_access_in permit icmp any any

Just bear with me and try it please.....
0
 

Author Comment

by:exiscapital
ID: 16403657
request timed out.
0
 

Author Comment

by:exiscapital
ID: 16403667
request timed out when I tried to ping external address from pc on network.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16403683
God I hate networking sometimes....
can you do a sh access-list inside_access_in
0
 

Author Comment

by:exiscapital
ID: 16403770
sh access-list inside_access_in
access-list inside_access_in; 46 elements
access-list inside_access_in line 1 permit tcp any object-group SIP any object-g
roup SIP log 1 interval 20
access-list inside_access_in line 1 permit tcp any eq 3478 any eq 3478 log 1 int
erval 20 (hitcnt=0)
access-list inside_access_in line 1 permit tcp any eq 3478 any range 8000 8001 l
og 1 interval 20 (hitcnt=0)
access-list inside_access_in line 1 permit tcp any eq 3478 any range 5060 5061 l
og 1 interval 20 (hitcnt=0)
access-list inside_access_in line 1 permit tcp any range 8000 8001 any eq 3478 l
og 1 interval 20 (hitcnt=0)
access-list inside_access_in line 1 permit tcp any range 8000 8001 any range 800
0 8001 log 1 interval 20 (hitcnt=0)
access-list inside_access_in line 1 permit tcp any range 8000 8001 any range 506
0 5061 log 1 interval 20 (hitcnt=0)
access-list inside_access_in line 1 permit tcp any range 5060 5061 any eq 3478 l
og 1 interval 20 (hitcnt=0)
access-list inside_access_in line 1 permit tcp any range 5060 5061 any range 800
0 8001 log 1 interval 20 (hitcnt=0)
access-list inside_access_in line 1 permit tcp any range 5060 5061 any range 506
0 5061 log 1 interval 20 (hitcnt=0)
access-list inside_access_in line 2 permit ip any host evault log 5 interval 300
 (hitcnt=72)
access-list inside_access_in line 3 permit tcp any any object-group XXXX_Interne
t
access-list inside_access_in line 3 permit tcp any any range 16443 16443 (hitcnt
=0)
access-list inside_access_in line 3 permit tcp any any range 15443 15443 (hitcnt
=0)
access-list inside_access_in line 3 permit tcp any any range 18443 18443 (hitcnt
=0)
access-list inside_access_in line 3 permit tcp any any range 17443 17443 (hitcnt
=0)
access-list inside_access_in line 4 permit tcp any any eq https (hitcnt=5988)
access-list inside_access_in line 5 deny tcp any object-group NAPSTER any
access-list inside_access_in line 5 deny tcp any range 6600 6699 any (hitcnt=0)
access-list inside_access_in line 5 deny tcp any eq 4444 any (hitcnt=43)
access-list inside_access_in line 5 deny tcp any eq 8888 any (hitcnt=0)
access-list inside_access_in line 5 deny tcp any eq 5555 any (hitcnt=0)
access-list inside_access_in line 5 deny tcp any eq 6666 any (hitcnt=0)
access-list inside_access_in line 5 deny tcp any eq 8875 any (hitcnt=0)
access-list inside_access_in line 5 deny tcp any eq 7777 any (hitcnt=0)
access-list inside_access_in line 6 deny udp any any eq 8998 (hitcnt=0)
access-list inside_access_in line 7 deny tcp any object-group Sasser_Virus any o
bject-group Sasser_Virus
access-list inside_access_in line 7 deny tcp any range 445 445 any range 445 445
 (hitcnt=0)
access-list inside_access_in line 7 deny tcp any range 445 445 any range 9996 99
96 (hitcnt=0)
access-list inside_access_in line 7 deny tcp any range 445 445 any range 5554 55
54 (hitcnt=0)
access-list inside_access_in line 7 deny tcp any range 9996 9996 any range 445 4
45 (hitcnt=0)
access-list inside_access_in line 7 deny tcp any range 9996 9996 any range 9996
9996 (hitcnt=0)
access-list inside_access_in line 7 deny tcp any range 9996 9996 any range 5554
5554 (hitcnt=0)
access-list inside_access_in line 7 deny tcp any range 5554 5554 any range 445 4
45 (hitcnt=0)
access-list inside_access_in line 7 deny tcp any range 5554 5554 any range 9996
9996 (hitcnt=0)
access-list inside_access_in line 7 deny tcp any range 5554 5554 any range 5554
5554 (hitcnt=0)
access-list inside_access_in line 8 deny tcp InternalNet 255.255.0.0 any eq
smtp log 1 interval 300 (hitcnt=15)
access-list inside_access_in line 9 deny tcp any any eq 1214 (hitcnt=0)
access-list inside_access_in line 10 deny tcp any any object-group BitComet
access-list inside_access_in line 10 deny tcp any any range 19973 19973 (hitcnt=
0)
access-list inside_access_in line 11 deny tcp any any object-group BitTorrent
access-list inside_access_in line 11 deny tcp any any range 6881 6999 (hitcnt=0)

access-list inside_access_in line 12 deny tcp any any object-group BitTorrentTra
cker
access-list inside_access_in line 12 deny tcp any any range 6969 6969 (hitcnt=0)

access-list inside_access_in line 13 deny tcp any any object-group P2Papps
access-list inside_access_in line 13 deny tcp any any range 4762 4762 (hitcnt=0)

access-list inside_access_in line 13 deny tcp any any range 8888 8889 (hitcnt=0)

access-list inside_access_in line 13 deny tcp any any range 28864 28865 (hitcnt=
0)
access-list inside_access_in line 13 deny tcp any any range 7668 7668 (hitcnt=0)

access-list inside_access_in line 13 deny tcp any any range 8311 8311 (hitcnt=0)

access-list inside_access_in line 13 deny tcp any any range 41170 41170 (hitcnt=
0)
access-list inside_access_in line 13 deny tcp any any range 1214 1214 (hitcnt=0)

access-list inside_access_in line 14 permit ip any any (hitcnt=128632)
access-list inside_access_in line 15 permit icmp any any (hitcnt=0)
0
 
LVL 20

Expert Comment

by:calvinetter
ID: 16405672
>keith: God I hate networking sometimes....
  lol, I said the same thing late night the other week when dealing with some $%^# buggy Dell switches!

  Here's what's killing it:
>access-list outside_access_in deny ip any any   <- about the 15th line in ACL
>access-group outside_access_in in interface outside
  You've still got the wrong ACL applied to the outside interface, & the line "deny ip any any" is blocking *all* IP traffic inbound: icmp echo-replies, tcp traffic, udp traffic, etc!!

  Run this:
no access-group outside_access_in in interface outside
access-group acl_ins in interface outside

cheers
0
 
LVL 20

Expert Comment

by:calvinetter
ID: 16405690
Or, you can simply do this:
no access-list outside_access_in deny ip any any
access-group outside_access_in in interface outside

That way you won't have to reconfigure the "acl_ins" ACL to match your outside_access_in ACL.

cheers
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16406149
lol, This is why I stick to ISA most of the time :)
0
 
LVL 20

Expert Comment

by:calvinetter
ID: 16407362
ISA? No thanks, that's all yours Keith!  ;)

cheers all
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16408886
:)
0
 

Author Comment

by:exiscapital
ID: 16416819
I put the following in my config, however, I still time out:

no access-list outside_access_in deny ip any any
access-group outside_access_in in interface outside

0
 
LVL 20

Expert Comment

by:calvinetter
ID: 16417058
access-list outside_access_in line 1 permit icmp any any echo  <- allow inbound pings
access-list outside_access_in line 2 permit icmp any any echo-reply  <- so outbound pings work
access-group outside_access_in in interface outside

cheers
0
 

Author Comment

by:exiscapital
ID: 16417154
I only added:

access-list outside_access_in line 2 permit icmp any any echo-reply

do not want to be able to ping from outside.
but I am now able to ping from inside out.  Thanks
0
 

Author Comment

by:exiscapital
ID: 16417544
tracert from inside out is not working, is there anything else I need to add for that.  
Thanks for the help.
0
 
LVL 20

Accepted Solution

by:
calvinetter earned 2000 total points
ID: 16418685
access-list outside_access_in line 2 permit icmp any any time-exceeded
access-group outside_access_in in interface outside

cheers
0
 

Author Comment

by:exiscapital
ID: 16418731
Thanks
0

Featured Post

Fill in the form and get your FREE NFR key NOW!

Veeam is happy to provide a FREE NFR server license to certified engineers, trainers, and bloggers.  It allows for the non‑production use of Veeam Agent for Microsoft Windows. This license is valid for five workstations and two servers.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
Let’s face it: one of the reasons your organization chose a SaaS solution (whether Microsoft Dynamics 365, Netsuite or SAP) is that it is subscription-based. The upkeep is done. Or so you think.
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question