mgferg
asked on
PIX 501 Deny icmp src /icmp attacks
Hi All,
I have a pix501 connected to broadband router
LAN between these is on 192.168.2.0
2.1 is the router
2.2 is the pix
In the syslog from the pix, I'm getting numerous messages such as
Deny icmp src outside:a.b.c.d dst inside:192.168.2.2 (type 3, code 1) by access-group "outside_access_in".
After a period of time my broadband resets ...
Attached is an extract of the config.
1. What's the best way to prevent these "icmp attacks" from occurring and mimimalizing resources?
2. Anothing else in general that stands out that should be changed?
(btw, also configured for remote access vpn)
Thanks,
Mark
I have a pix501 connected to broadband router
LAN between these is on 192.168.2.0
2.1 is the router
2.2 is the pix
In the syslog from the pix, I'm getting numerous messages such as
Deny icmp src outside:a.b.c.d dst inside:192.168.2.2 (type 3, code 1) by access-group "outside_access_in".
After a period of time my broadband resets ...
Attached is an extract of the config.
1. What's the best way to prevent these "icmp attacks" from occurring and mimimalizing resources?
2. Anothing else in general that stands out that should be changed?
(btw, also configured for remote access vpn)
Thanks,
Mark
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol dns maximum-length 1024
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list outside_cryptomap_dyn_20 permit ip any 10.10.20.0 255.255.255.0
access-list 102 permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list 102 permit ip 192.168.2.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list outside_access_in permit ip host 192.168.2.100 any log
access-list outside_access_in permit ip host 10.10.20.1 any log
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 192.168.2.2 255.255.255.0
ip address inside 10.10.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool X 10.10.20.1-10.10.20.254
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
http server enable
http 10.0.0.0 255.0.0.0 inside
http 10.1.2.0 255.255.255.0 inside
http 10.10.10.1 255.255.255.255 inside
http 10.10.10.0 255.255.255.0 inside
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup X address-pool VPNpool
vpngroup X split-tunnel 102
vpngroup X idle-time 1800
vpngroup X password ********
telnet 10.1.2.0 255.255.255.0 inside
telnet 10.10.10.0 255.255.255.0 inside
management-access inside
ASKER CERTIFIED SOLUTION
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
ASKER
thanks for the tips. My service provider can't block either which I thought was strange (?). Can do port blocking but not icmp (obviously not port). Router is a netcomm.
How about sending these to "null/bit bucket" so at least it doesn't give the error and then the main problem, prevent the router from resetting? How can this be done?
(not sure which is better of the two evils - at least if it resets I'm aware of it. If no other resolution, I'll have to prevent this from happening)
How about sending these to "null/bit bucket" so at least it doesn't give the error and then the main problem, prevent the router from resetting? How can this be done?
(not sure which is better of the two evils - at least if it resets I'm aware of it. If no other resolution, I'll have to prevent this from happening)
Well ICMP is not a port on TCP. Its a protocol like TCP.
Perhaps browse through the setup of your router again now you know that ICMP is not a port, there might be another option somewhere to just drop those packets.
Perhaps browse through the setup of your router again now you know that ICMP is not a port, there might be another option somewhere to just drop those packets.
ASKER
yes understand which is why I mentioned "(obviously not port)" - sorry if it wasn't that clear. Unfortunately not possible to disable at router.
So the question now is can I send any icmp queries to a null address, effectively hiding them and preventing other issues?
So the question now is can I send any icmp queries to a null address, effectively hiding them and preventing other issues?
Well, you don't to sent them anywhere. What you want is that those packets are blocked or dropped. And because of the fact the router is resetting due to those pings you would like to have them discarded on the netcom allready.
I'm not that familiar with netcom but you should have a look to see if there is an option on there to block those icmp packets. Or even better jst ignore them so that no reply what so ever goes back out.
I'm not that familiar with netcom but you should have a look to see if there is an option on there to block those icmp packets. Or even better jst ignore them so that no reply what so ever goes back out.
ASKER
Ok, I was thinking along the lines of a "non-existant dmz" - just so they go "somewhere", as to opposed to getting dropped which is causing the problem. Unfortunatly I cannot drop at the router (or SP) which is a pity.
SOLUTION
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
ASKER
(apologies for delay, I've been on leave).
Another router is a longer term option. It seems there's nothing I can do about it right now.
Another router is a longer term option. It seems there's nothing I can do about it right now.
If you would like to know how good everything is blocked, check: https://www.grc.com/x/ne.dll?bh0bkyd2 and let it scan the firewall.