basic pix 7.0(1) icmp question

basic pix 7.0(1) icmp question

on 18.07.2007 09:09:43 by Mak

this should not be a challenge...

i want to deny icmp to the outside interface:

access-list acl_outside; 4 elements
access-list acl_outside line 1 extended permit tcp any host 1.2.3.4 eq ftp (hitcnt=3531)
access-list acl_outside line 2 extended permit tcp any host 1.2.3.4 eq www (hitcnt=36336)
access-list acl_outside line 3 extended permit tcp any host 1.2.3.4 eq 81 (hitcnt=2130)
access-list acl_outside line 4 extended deny icmp any interface outside (hitcnt=0)

my ping to the outside interface is still being answered...
what's going on?

PS:
I would like to allow ping to inside host, and would add:

access-list acl_outside extended permit icmp any host 1.2.3.4

correct?

Re: basic pix 7.0(1) icmp question

on 18.07.2007 12:15:23 by Mak

mak wrote:
> this should not be a challenge...
>
> i want to deny icmp to the outside interface:
>
> access-list acl_outside; 4 elements
> access-list acl_outside line 1 extended permit tcp any host 1.2.3.4 eq
> ftp (hitcnt=3531)
> access-list acl_outside line 2 extended permit tcp any host 1.2.3.4 eq
> www (hitcnt=36336)
> access-list acl_outside line 3 extended permit tcp any host 1.2.3.4 eq
> 81 (hitcnt=2130)
> access-list acl_outside line 4 extended deny icmp any interface outside
> (hitcnt=0)
>
> my ping to the outside interface is still being answered...
> what's going on?
>
> PS:
> I would like to allow ping to inside host, and would add:
>
> access-list acl_outside extended permit icmp any host 1.2.3.4
>
> correct?


found the problem:
icmp deny any outside

Re: basic pix 7.0(1) icmp question

on 18.07.2007 18:24:53 by Jens Hoffmann

> found the problem:
> icmp deny any outside

Doesn't this forbid any icmp message?

like: "FRAGMENTATION_NEEDED_BUT_DF_SET", "Source_QUENCH" (ok, very
seldom these days), "TIME_EXCEEDED", "PARAMETER PROBLEM", "DESTINATION
UNREACHABLE".

But you are probably sure, that you want to do a blind network flight.

Cheers,
Jens

Re: basic pix 7.0(1) icmp question

on 19.07.2007 07:49:12 by Mak

Jens Hoffmann wrote:
>> found the problem:
>> icmp deny any outside
>
> Doesn't this forbid any icmp message?
>
> like: "FRAGMENTATION_NEEDED_BUT_DF_SET", "Source_QUENCH" (ok, very
> seldom these days), "TIME_EXCEEDED", "PARAMETER PROBLEM", "DESTINATION
> UNREACHABLE".
>
> But you are probably sure, that you want to do a blind network flight.
>
> Cheers,
> Jens
Yes it does, but the customer wants it that way ...

Re: basic pix 7.0(1) icmp question

on 19.07.2007 18:18:30 by Jens Hoffmann

> yes it does, but customer wants it that way ...

Make sure to have a small note signed, that he is aware
of the fact, that he will have problems in the future.

Cheers,
Jens

Re: basic pix 7.0(1) icmp question

on 22.07.2007 09:55:11 by roberson

In article <5g6t6lF3fb58nU1@mid.uni-berlin.de>,
Jens Hoffmann wrote:

>> found the problem:
>> icmp deny any outside

>Doesn't this forbid any icmp message?

>like: "FRAGMENTATION_NEEDED_BUT_DF_SET", "Source_QUENCH" (ok, very
>seldom these days), "TIME_EXCEEDED", "PARAMETER PROBLEM", "DESTINATION
>UNREACHABLE".

Yes, but only to the PIX itself. The 'icmp' command only controls
the ICMP messages that the PIX handles on its own behalf; for ICMP
messages headed to hosts "inside", access-group has control.
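An added configuration example, not posted by anyone in the thread, that puts Roberson's two control points and Jens's concern together in PIX 7.x syntax. It reuses the thread's interface name, ACL name and host 1.2.3.4; the choice of which ICMP types to keep is an assumption on my part, not something the thread settles:

```cisco
! Added example, not from the thread.
! 1) ICMP that terminates ON the outside interface is governed by the
!    icmp command, never by acl_outside. That is why line 4 of the ACL
!    (deny icmp any interface outside) showed hitcnt=0 while pings to
!    the interface were still answered.
!    Once at least one icmp rule exists for an interface, anything not
!    explicitly permitted to that interface is denied.
!    Keep the error/control messages Jens named so path-MTU discovery
!    and traceroute toward the firewall keep working, and drop only echo.
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp permit any parameter-problem outside
icmp permit any source-quench outside
icmp deny any echo outside

! 2) ICMP that passes THROUGH the firewall to the inside host is governed
!    by the access-list bound with access-group (this is Mak's PS line).
access-list acl_outside extended permit icmp any host 1.2.3.4
access-group acl_outside in interface outside

! Verification: ping the interface (should now time out) and ping
! 1.2.3.4, then check which counters move.
show icmp
show access-list acl_outside
```

After this, a ping aimed at the outside interface address should be dropped by the icmp rules, while a ping to 1.2.3.4 should increment the hit count on the new access-list line rather than leaving every ICMP counter at zero. If the customer insists on the blanket `icmp deny any outside`, the first block is the place to relax it later without touching the ACL.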