  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1121
  • Last Modified:

Rule to enable PING and TRACERT on PIX 506E w/PDM 3.0

Hello,
Hopefully a simple one. I have a PIX 506E w/6.3(4) and PDM 3.0(2). I'd like to create a rule that would allow ping and ICMP to work that I can turn on only for testing and then disable again. Can someone walk me through creating that in the PDM? PIX is mission critical so I can't risk making a mistake and tanking it. I'm not overly PIX savvy.  ;-)    Thanks.
0
Asked by: adamant40
1 Solution
 
Pete LongConsultantCommented:
Cisco Firewalls and PING

(Note: Tracert uses Ping technology and protocols and the firewall treats ping and tracert the same*)

PIX Version 6

With regards to Ping, out of the box, a Cisco firewall will allow you to ping the interface you are connected to, so in a normal setup clients can ping the inside interface, and the firewall's outside interface can be pinged from outside.
OK, to understand pinging through a Cisco Firewall you need to understand that Ping is part of the ICMP protocol suite, and unlike other protocols is not connection orientated. What that means is (on a new firewall that has no rules applied outbound) the firewall happily lets ping traffic out but it won't let ping traffic back in; this results in a failure on the client.

Allow Pinging of outside hosts

In light of the above the following will let ping traffic back in.

access-list inbound permit icmp any any echo-reply
access-list inbound permit icmp any any time-exceeded
access-list inbound permit icmp any any unreachable
access-group inbound in interface outside

PIX Version 7 and above

Version 7 introduced an ICMP inspection engine so that it could track ICMP requests like other protocols. It's NOT turned on by default. The command is inspect icmp, but you need to enter the default map first; use the following commands from config terminal mode.

policy-map global_policy
class inspection_default
inspect icmp

How to STOP interfaces responding to Ping packets

As already stated, you can ping an interface on a Cisco firewall if you are directly connected to it. You can turn this OFF using the ICMP command; a lot of people like to disable pinging on the outside interface in an effort to lessen the risk of a denial of service attack. To do this the syntax is as follows:

icmp deny any echo outside

*Note: this does not apply to INBOUND tracerts; these will NOT work without a (fixup protocol icmp) command. In version 7, tracert will not work unless the inspect icmp command has been issued.
0
 
adamant40Author Commented:
Actually I was looking for how to do it in the PDM. I'm too chicken to use the command line. Plus that way I have a rule that I can just check and uncheck in my GUI to turn on and off. Sorry, I did not make that clear above. Thanks for the good info though.
0
 
Pete LongConsultantCommented:
From PDM

1. Click Configuration.
2. Access-Rules Tab.
3. Rules > Add
4. Action=Permit
5. Source Host/Network, select IP Address

Interface = Outside
IP Address = 0.0.0.0
Mask = 0.0.0.0

6. Destination Host/Network

Interface = inside
IP Address = 0.0.0.0
Mask = 0.0.0.0

7. Protocol and Service, select ICMP
8. Set ICMP Type to "echo-reply"
9. OK
10. Repeat from step 3 but this time set the ICMP type to time-exceeded
11. Repeat from step 3 but this time set the ICMP type to unreachable
12. File > Save Running configuration to flash
0
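The CLI rules in the first answer and the three PDM rules above produce the same thing: an access-list bound inbound on the outside interface that admits only the three ICMP reply types, because PIX 6.x does not track ICMP statefully. The following is an added example (not code from the thread or from Cisco) that models that behaviour in Python: it parses the access-list / access-group lines, evaluates first-match with the implicit deny, and reports what a defender wants to know before enabling such a rule on a mission-critical box: whether every reply type is actually permitted, whether an access-group points at an ACL that was never defined (a binding mismatch silently leaves the return path closed), and whether the rule is over-broad (permitting "any" ICMP also lets echo requests reach every inside host). It goes slightly beyond the thread by also recognising the 7.x "inspect icmp" case, where the inspection engine admits the replies itself. The sample configs, the "any any"-only parsing, and the assumption that "outside" is the only low-security interface are all simplifications made for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# ICMP types a client must receive back for ping and tracert to complete
ICMP_RETURN_TYPES = ("echo-reply", "time-exceeded", "unreachable")


@dataclass
class Ace:
    action: str               # "permit" or "deny"
    proto: str                # "icmp", "ip", ...
    icmp_type: Optional[str]  # None = any ICMP type


@dataclass
class PixConfig:
    acls: Dict[str, List[Ace]] = field(default_factory=dict)  # name -> entries, in order
    bindings: Dict[str, str] = field(default_factory=dict)    # interface -> ACL bound "in"
    icmp_inspected: bool = False                              # 7.x "inspect icmp" seen


# Simplification (assumption for this example): only "any any" entries are modelled.
ACE_RE = re.compile(r"access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+any\s+any(?:\s+(\S+))?$", re.I)
GROUP_RE = re.compile(r"access-group\s+(\S+)\s+in\s+interface\s+(\S+)$", re.I)


def parse_config(text: str) -> PixConfig:
    cfg = PixConfig()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((":", "!")):
            continue
        m = ACE_RE.match(line)
        if m:
            name, action, proto, icmp_type = m.groups()
            cfg.acls.setdefault(name.lower(), []).append(
                Ace(action.lower(), proto.lower(), icmp_type.lower() if icmp_type else None))
            continue
        m = GROUP_RE.match(line)
        if m:
            name, iface = m.groups()
            cfg.bindings[iface.lower()] = name.lower()
            continue
        if line.lower() == "inspect icmp":
            cfg.icmp_inspected = True
    return cfg


def icmp_allowed_in(cfg: PixConfig, iface: str, icmp_type: str) -> bool:
    """First-match evaluation of the ACL bound inbound on iface; implicit deny at the end.
    With no ACL bound, the PIX only passes traffic from a higher- to a lower-security
    interface, so unsolicited ICMP arriving on 'outside' is dropped (assumption:
    'outside' is the only low-security interface modelled here)."""
    name = cfg.bindings.get(iface.lower())
    if name is None:
        return iface.lower() != "outside"
    for ace in cfg.acls.get(name, []):
        if ace.proto in ("icmp", "ip") and ace.icmp_type in (None, icmp_type):
            return ace.action == "permit"
    return False


def audit_ping_return_path(cfg: PixConfig) -> dict:
    """Is the return path complete, does every binding point at a real ACL, and does
    the rule admit more than the replies?"""
    dangling: List[Tuple[str, str]] = [(i, n) for i, n in cfg.bindings.items() if n not in cfg.acls]
    if cfg.icmp_inspected:
        missing: List[str] = []   # 7.x inspection tracks requests and admits the replies itself
    else:
        missing = [t for t in ICMP_RETURN_TYPES if not icmp_allowed_in(cfg, "outside", t)]
    # Permitting echo *requests* inbound exposes every inside host to pings from the internet
    over_broad = icmp_allowed_in(cfg, "outside", "echo")
    return {"missing": missing, "over_broad": over_broad, "dangling_bindings": dangling}


# Constructed sample configs (not taken from any real device)
AS_POSTED = """\
access-list inbound permit icmp any any echo-reply
access-list inbound permit icmp any any time-exceeded
access-list inbound permit icmp any any unreachable
access-group outbound in interface inside
"""
CORRECTED = AS_POSTED.replace("access-group outbound in interface inside",
                              "access-group inbound in interface outside")
ALL_ICMP = "access-list test permit icmp any any\naccess-group test in interface outside\n"
ASA7 = "policy-map global_policy\nclass inspection_default\ninspect icmp\n"

if __name__ == "__main__":
    for label, text in (("as posted", AS_POSTED), ("corrected", CORRECTED),
                        ("all icmp", ALL_ICMP), ("7.x inspect", ASA7)):
        print(f"{label:12} {audit_ping_return_path(parse_config(text))}")
```

Run it as-is to see the four cases side by side: the binding mismatch reports all three reply types missing plus a dangling binding, the corrected binding reports nothing, the "any ICMP" test rule reports over_broad, and the 7.x policy-map needs no inbound entries at all. The same audit applied to a running config is a cheap pre-change check before toggling the rule in the PDM.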
 
adamant40Author Commented:
Now that's what I'm talking about. Idiot proof. I'm going to try it just as soon as I finish here other thingy up.  
0
 
Pete LongConsultantCommented:
:)
0
 
adamant40Author Commented:
Perhaps idiot proof was not quite the right description. I have followed the above directions exactly, but cannot ping anything. I deleted the first rule and then created a new one that allowed all ICMP just to test, still no luck.
0
 
Pete LongConsultantCommented:
Do you have an outbound rule applied? If so you will need to allow ICMP outbound as well :)
0
 
adamant40Author Commented:
I did not have an outbound rule applied. I tried adding an outbound rule using the below but I still am unable to ping or tracert.
1. Click Configuration.
2. Access-Rules Tab.
3. Rules > Add
4. Action=Permit
5. Source Host/Network, select IP Address

Interface = Inside
IP Address = 0.0.0.0
Mask = 0.0.0.0

6. Destination Host/Network

Interface = Outside
IP Address = 0.0.0.0
Mask = 0.0.0.0

7. Protocol and Service, select ICMP
8. Set ICMP Type to "any"
0
 
adamant40Author Commented:
I was unable to get this working. Now we have upgraded to IOS 8 so point is moot. Thanks to Pete for all his excellent input.
0
 
AlphaBootisCommented:
Pete's input worked here. :) Same setup.
0
