adamant40
Rule to enable PING and TRACERT on PIX 506E w/PDM 3.0
Hello,
Hopefully a simple one. I have a PIX 506E w/6.3(4) and PDM 3.0(2). I'd like to create a rule that would allow ping and ICMP to work that I can turn on only for testing and then disable again. Can someone walk me through creating that in the PDM? PIX is mission critical so I can't risk making a mistake and tanking it. I'm not overly PIX savvy. ;-) Thanks.
ASKER
Actually I was looking for how to do it in the PDM. I'm too chicken to use the command line. Plus that way I have a rule that I can just check and uncheck in my GUI to turn on and off. Sorry, I did not make that clear above. Thanks for the good info though.
From PDM
1. Click Configuration.
2. Access-Rules Tab.
3. Rules > Add
4. Action=Permit
5. Source Host/Network, select IP Address
Interface = Outside
IP Address = 0.0.0.0
Mask = 0.0.0.0
6. Destination Host/Network
Interface = inside
IP Address = 0.0.0.0
Mask = 0.0.0.0
7. Protocol and Service, select ICMP
8. Set ICMP Type to "echo-reply"
9. OK
10. Repeat from step 3 but this time set the ICMP type to time-exceeded
11. Repeat from step 3 but this time set the ICMP type to unreachable
12. File > Save Running configuration to flash
ASKER
Now that's what I'm talking about. Idiot proof. I'm going to try it just as soon as I finish this other thingy up.
:)
ASKER
Perhaps idiot proof was not quite the right description. I have followed the above directions exactly, but cannot ping anything. I deleted the first rule and then created a new one that allowed all ICMP just to test, still no luck.
ASKER
I did not have an outbound rule applied. I tried adding an outbound rule using the below but I still am unable to ping or tracert.
1. Click Configuration.
2. Access-Rules Tab.
3. Rules > Add
4. Action=Permit
5. Source Host/Network, select IP Address
Interface = Inside
IP Address = 0.0.0.0
Mask = 0.0.0.0
6. Destination Host/Network
Interface = Outside
IP Address = 0.0.0.0
Mask = 0.0.0.0
7. Protocol and Service, select ICMP
8. Set ICMP Type to "any"
ASKER
I was unable to get this working. Now we have upgraded to IOS 8 so point is moot. Thanks to Pete for all his excellent input.
Pete's input worked here. :) Same setup.
(Note: Tracert uses Ping technology and protocols and the firewall treats ping and tracert the same*)
PIX Version 6
With regards to ping, out of the box a Cisco firewall will allow you to ping the interface you are connected to, so in a normal setup clients can ping the inside interface, and the firewall's outside interface can be pinged from outside.
OK, to understand pinging through a Cisco firewall you need to understand that ping is part of the ICMP protocol suite and, unlike other protocols, is not connection oriented. What that means is (on a new firewall that has no rules applied outbound) the firewall happily lets ping traffic out, but it won't let ping traffic back in; this results in a failure on the client.
Allow Pinging of outside hosts
In light of the above the following will let ping traffic back in.
access-list inbound permit icmp any any echo-reply
access-list inbound permit icmp any any time-exceeded
access-list inbound permit icmp any any unreachable
access-group inbound in interface outside
PIX Version 7 and above
Version 7 introduced an ICMP inspection engine so that it could track ICMP requests like other protocols. It's NOT turned on by default. The command is inspect icmp, but you need to enter the default map first; use the following commands from config terminal mode.
policy-map global_policy
class inspection_default
inspect icmp
How to STOP interfaces responding to Ping packets
As already stated, you can ping an interface on a Cisco firewall if you are directly connected to it. You can turn this OFF using the icmp command; a lot of people like to disable pinging on the outside interface in an effort to lessen the risk of a denial of service attack. To do this the syntax is as follows:
icmp deny any echo outside
*Note: this does not apply to INBOUND tracerts; these will NOT work without a (fixup protocol icmp) command. In version 7 tracert will not work unless the inspect icmp command has been issued.
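As an added illustration (this is not code from the thread, from Pete, or from Cisco), here is a small Python model of how a PIX 6.x decides whether an ICMP packet may pass through it, fed the same access-list and access-group lines discussed above. It is a simplification I constructed for this page: it handles only "any any" rules (which is what the PDM's 0.0.0.0 / 0.0.0.0 entries produce), two interfaces with the default security levels, and it assumes a bound ACL name with no rules behaves like an empty ACL (implicit deny). It shows why an ICMP rule applied on the inside interface alone lets the echo out but never lets replies back in, and why the reply-type ACL has to be attached to the outside interface, where the replies arrive.

```python
"""Toy model of PIX 6.x through-traffic filtering for ICMP (constructed example).

Only the pieces that matter for the ping question are modelled:
  * access-list NAME permit|deny PROTO any any [ICMP-TYPE]
  * access-group NAME in interface IFACE
  * the security-level fallback that applies when an interface has no ACL
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Default PIX security levels: outside is 0, inside is 100.
SECURITY_LEVEL = {"outside": 0, "inside": 100}

ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+any\s+any(?:\s+(\S+))?$", re.I)
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$", re.I)


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "icmp", "tcp", "udp" or "ip" (ip matches everything)
    icmp_type: Optional[str]    # e.g. "echo-reply"; None means any ICMP type


@dataclass
class PixConfig:
    acls: Dict[str, List[Rule]]     # ACL name -> ordered rules
    bindings: Dict[str, str]        # interface -> ACL name applied inbound on it


def parse_config(text: str) -> PixConfig:
    """Read the access-list / access-group lines; everything else is ignored."""
    cfg = PixConfig(acls={}, bindings={})
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            name, action, proto, icmp_type = m.groups()
            cfg.acls.setdefault(name.lower(), []).append(
                Rule(action.lower(), proto.lower(), icmp_type.lower() if icmp_type else None))
            continue
        m = GROUP_RE.match(line)
        if m:
            name, iface = m.groups()
            cfg.bindings[iface.lower()] = name.lower()
    return cfg


def permitted(cfg: PixConfig, ingress: str, egress: str, proto: str,
              icmp_type: Optional[str] = None) -> bool:
    """Would a packet arriving on `ingress` and leaving via `egress` be forwarded?"""
    acl_name = cfg.bindings.get(ingress)
    if acl_name is None:
        # No ACL on the arriving interface: higher security may talk to lower, not vice versa.
        return SECURITY_LEVEL[ingress] > SECURITY_LEVEL[egress]
    # Assumption: a bound name with no rules behaves like an empty ACL (deny everything).
    for rule in cfg.acls.get(acl_name, []):
        if rule.proto not in (proto, "ip"):
            continue
        if rule.proto == "icmp" and rule.icmp_type not in (None, icmp_type):
            continue
        return rule.action == "permit"      # first matching rule decides
    return False                            # implicit deny at the end of every ACL


def ping_round_trip(cfg: PixConfig) -> Dict[str, bool]:
    """The outbound echo plus the three reply types a ping/tracert needs back in."""
    return {
        "echo out": permitted(cfg, "inside", "outside", "icmp", "echo"),
        "echo-reply in": permitted(cfg, "outside", "inside", "icmp", "echo-reply"),
        "time-exceeded in": permitted(cfg, "outside", "inside", "icmp", "time-exceeded"),
        "unreachable in": permitted(cfg, "outside", "inside", "icmp", "unreachable"),
    }


# Constructed configs. FIXED is the thread's recommendation: the reply types are
# permitted on the OUTSIDE interface, which is where the replies arrive.
FIXED = """
access-list inbound permit icmp any any echo-reply
access-list inbound permit icmp any any time-exceeded
access-list inbound permit icmp any any unreachable
access-group inbound in interface outside
"""

# The same ACL attached to the wrong (inside) interface: it now only filters what
# leaves, and the outgoing echo is not in the list, so nothing works at all.
BROKEN = FIXED.replace("interface outside", "interface inside")

# An "allow all ICMP" rule applied only on the inside interface, like the asker's
# last attempt: the echo gets out, but with no ACL on outside the replies are dropped.
OUTBOUND_ONLY = """
access-list outbound permit icmp any any
access-group outbound in interface inside
"""

if __name__ == "__main__":
    for label, text in (("fixed", FIXED), ("broken", BROKEN), ("outbound-only", OUTBOUND_ONLY)):
        print(label, ping_round_trip(parse_config(text)))
```

Running it prints four True values for the fixed configuration and four False values for the mis-attached one, while the outbound-only attempt shows the echo leaving and every reply type being dropped. The ACL on the outside interface opens only the three listed ICMP reply types; `permitted(cfg, "outside", "inside", "tcp")` still returns False, so the rule does not expose anything else inbound.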