Solved

Why can I ping my Pix 506e external interface?

Posted on 2008-10-30
537 Views
Last Modified: 2012-05-05
I've just finished re-tasking a Pix 506e.
I can connect to it with the client, and get access to the resources behind it that I want. However, for some reason, I can still ping the external interface from outside. What am I missing?

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxx encrypted
passwd xxxxx encrypted
hostname remote
domain-name xxxxxx.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list inpackets deny ip host 0.0.0.0 any
access-list inpackets deny ip 10.0.0.0 255.0.0.0 any
access-list inpackets deny ip 172.16.0.0 255.240.0.0 any
access-list inpackets deny ip 192.168.0.0 255.255.0.0 any
access-list 90 permit icmp 10.10.4.0 255.255.255.0 192.168.224.0 255.255.255.0
access-list 90 permit ip 10.10.4.0 255.255.255.0 192.168.224.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 205.x.x.x 255.255.255.224
ip address inside 10.10.4.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnaddresses 192.168.224.1-192.168.224.20
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 90
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group inpackets in interface outside
route outside 0.0.0.0 0.0.0.0 205.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community xxxxx
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
crypto ipsec transform-set CSClient esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
crypto dynamic-map CSecure 10 set transform-set CSClient
crypto dynamic-map CSecure 10 set security-association lifetime seconds 28800 kilobytes 4608000
crypto map vpnmap 10 ipsec-isakmp dynamic CSecure
crypto map vpnmap client configuration address initiate
crypto map vpnmap client authentication LOCAL
crypto map vpnmap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local vpnaddresses outside
isakmp nat-traversal 20
isakmp policy 2 authentication rsa-sig
isakmp policy 2 encryption des
isakmp policy 2 hash sha
isakmp policy 2 group 1
isakmp policy 2 lifetime 86400
isakmp policy 3 authentication pre-share
isakmp policy 3 encryption 3des
isakmp policy 3 hash md5
isakmp policy 3 group 2
isakmp policy 3 lifetime 86400
vpngroup xxxxxx address-pool vpnaddresses
vpngroup xxxxxx default-domain xxxxxx.com
vpngroup xxxxxx split-tunnel 90
vpngroup xxxxxx idle-time 1800
vpngroup xxxxxx password ********
telnet timeout 5
ssh x.x.x.x 255.255.255.192 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 10
console timeout 0
terminal width 80
Cryptochecksum:
: end

Question by:ANSJay
4 Comments
LVL 8

Accepted Solution

by:
Jay_Gridley earned 125 total points
ID: 22848872
The ICMP command should let you disable this:

icmp deny any echo outside
LVL 1

Assisted Solution

by:tigerbam
tigerbam earned 125 total points
ID: 22850022
You haven't enabled icmp on the outside interface; that's why you are able to ping the outside interface.

icmp deny any outside

This will block all ICMP traffic.
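The two answers differ in scope: icmp deny any echo outside stops only echo requests addressed to the outside interface, while icmp deny any outside stops every ICMP type addressed to it. The fragment below is an added example, not from the original thread or from either answerer, and assumes the PIX 6.3(5) syntax of the posted config; lines beginning with a colon are annotations, not commands to paste, and only one of the two options is meant to be applied. The icmp command governs ICMP that terminates on the PIX's own interface. Traffic passing through the firewall is still handled by the inpackets access-list and the fixups, so neither option changes that. With no icmp statements on an interface, as in the posted config, the PIX answers all ICMP sent to that interface; once any icmp statement exists for an interface, the list is evaluated first match with an implicit deny at the end.

```cisco
: Default (the posted configuration): no "icmp" statements on the outside
: interface, so the PIX answers echo, unreachable and every other ICMP type
: sent to 205.x.x.x.

: Option 1 (accepted answer): refuse only echo requests to the outside
: interface. Other ICMP types addressed to the interface are still answered.
icmp deny any echo outside

: Option 2 (assisted answer): refuse every ICMP type to the outside interface.
: Caveat: on its own this also drops type 3 (unreachable) messages destined
: for the PIX itself, which disables Path MTU Discovery for traffic the PIX
: originates, including the IPsec/ISAKMP sessions terminated on this
: interface. Cisco's guidance is to keep unreachable permitted, and because
: the list is first match the permit must come before the deny:
icmp permit any unreachable outside
icmp deny any outside

: The "inpackets" access-list is unaffected by either option: it filters
: traffic passing through the PIX, not traffic addressed to the interface.

: Verify on the PIX
show icmp
: Verify from a host on the outside; the requests should now time out
: ping -c 3 205.x.x.x
```

A quick way to tell which case a unit is in is show icmp: an empty list means the default behaviour, which is why the posted config still answers pings even though its outside access-list has no permit for ICMP.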

Author Comment

by:ANSJay
ID: 22853197
I'm just curious as to why it isn't disabled by default, because most of the other pixes I have configured don't allow it by default.

Author Closing Comment

by:ANSJay
ID: 31511916
Thanks... this did the trick.
