PIX 501 Deny icmp src /icmp attacks

Hi All,

I have a pix501 connected to broadband router
LAN between these is on 192.168.2.0
2.1 is the router
2.2 is the pix

In the syslog from the pix, I'm getting numerous messages such as
Deny icmp src outside:a.b.c.d dst inside:192.168.2.2 (type 3, code 1) by access-group "outside_access_in".

After a period of time my broadband resets ...

Attached is an extract of the config.

1. What's the best way to prevent these "icmp attacks" from occurring and mimimalizing resources?
2. Anothing else in general that stands out that should be changed?
(btw, also configured for remote access vpn)

Thanks,
Mark
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol dns maximum-length 1024
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list outside_cryptomap_dyn_20 permit ip any 10.10.20.0 255.255.255.0
access-list 102 permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list 102 permit ip 192.168.2.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list outside_access_in permit ip host 192.168.2.100 any log
access-list outside_access_in permit ip host 10.10.20.1 any log
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 192.168.2.2 255.255.255.0
ip address inside 10.10.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool X 10.10.20.1-10.10.20.254
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
http server enable
http 10.0.0.0 255.0.0.0 inside
http 10.1.2.0 255.255.255.0 inside
http 10.10.10.1 255.255.255.255 inside
http 10.10.10.0 255.255.255.0 inside
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup X address-pool VPNpool
vpngroup X split-tunnel 102
vpngroup X idle-time 1800
vpngroup X password ********
telnet 10.1.2.0 255.255.255.0 inside
telnet 10.10.10.0 255.255.255.0 inside
management-access inside

Open in new window

mgfergAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Ernie BeekExpertCommented:
It looks fairly safe to me. You're getting those messages because the icmp are denied (so not getting through.
If you would like to know how good everything is blocked, check: https://www.grc.com/x/ne.dll?bh0bkyd2 and let it scan the firewall.
John MeggersNetwork ArchitectCommented:
I don't think there's much you can do in the PIX 501.  In the current ASA code you can enable threat detection which will allow you to deal with excessive ICMP packets, but the application inspections (fixups) in the older PIX code aren't designed to stop threats.

What kind of router is in front of the PIX?  Maybe you can rate limit there.  If not, it may be time to upgrade to an ASA 5505.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
mgfergAuthor Commented:
thanks for the tips. My service provider can't block either which I thought was strange (?). Can do port blocking but not icmp (obviously not port). Router is a netcomm.

How about sending these to "null/bit bucket" so at least it doesn't give the error and then the main problem, prevent the router from resetting? How can this be done?

 (not sure which is better of the two evils - at least if it resets I'm aware of it. If no other resolution, I'll have to prevent this from happening)
IT Degree with Certifications Included

Aspire to become a network administrator, network security analyst, or computer and information systems manager? Make the most of your experience as an IT professional by earning your B.S. in Network Operations and Security.

Ernie BeekExpertCommented:
Well ICMP is not a port on TCP. Its a protocol like TCP.
Perhaps browse through the setup of your router again now you know that ICMP is not a port, there might be another option somewhere to just drop those packets.
mgfergAuthor Commented:
yes understand which is why I mentioned "(obviously not port)" - sorry if it wasn't that clear. Unfortunately not possible to disable at router.

So the question now is can I send any icmp queries to a null address, effectively hiding them and preventing other issues?
Ernie BeekExpertCommented:
Well, you don't to sent them anywhere. What you want is that those packets are blocked or dropped. And because of the fact the router is resetting due to those pings you would like to have them discarded on the netcom allready.
I'm not that familiar with netcom but you should have a look to see if there is an option on there to block those icmp packets. Or even better jst ignore them so that no reply what so ever goes back out.
mgfergAuthor Commented:
Ok, I was thinking along the lines of a "non-existant dmz" - just so they go "somewhere", as to opposed to getting dropped which is causing the problem. Unfortunatly I cannot drop at the router (or SP) which is a pity.
Ernie BeekExpertCommented:
Then you might want to look at another router. As I read your question that is hanging because of the pings (isn't it?). If it is that could be caused by the fact that it has to nat and forward all those pings to the firewall. Thats why I suggested to drop them as close to the ISP side as possible (you don't want those getting too far into your network.
mgfergAuthor Commented:
(apologies for delay, I've been on leave).

Another router is a longer term option. It seems there's nothing I can do about it right now.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Cisco

From novice to tech pro — start learning today.