Re: [fw-wiz] PIX 515 7.1 vs: 8.0

Hey Brian--

Pings going through work a little differently than other traffic like,
say, TCP. With TCP and UDP return traffic is implicitly allowed through the
PIX *if* the PIX can identify what "connection" or "session" it belongs to.
This is why you do not have to explicitly allow return traffic on the
outside interface.

That is not the case with ICMP. With ICMP, you must allow echo-replies on
the DMZ or outside interfaces. For example, on a PIX that only services
traffic originating from the inside interface to the outside interface, I
want ping and traceroute to work. So I have this ACL applied to the outside

access-list Inbound extended permit icmp any any echo-reply
access-list Inbound extended permit icmp any any time-exceeded

You would need to do the same with an ACL applied to the DMZ interface.

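An added example, not from the original message, of the DMZ-side counterpart described above written as PIX 7.x/8.x configuration; the interface names, security levels, ACL name and DMZ subnet are assumed placeholders.

```cisco
! Assumed interface layout (example values, not from the thread)
interface Ethernet1
 nameif inside
 security-level 100
interface Ethernet2
 nameif dmz
 security-level 50
!
! A ping from inside to dmz leaves under the implicit "higher to lower"
! rule, but the echo-reply arrives inbound on dmz, where the PIX keeps no
! connection state for ICMP. Permit the replies (and traceroute's
! time-exceeded) back in on the dmz side, mirroring the outside ACL.
access-list DMZ_In extended permit icmp any any echo-reply
access-list DMZ_In extended permit icmp any any time-exceeded
!
! Caveat: once an ACL is bound to dmz it replaces the implicit rules, and
! ends with an implicit deny. Traffic that dmz hosts themselves initiate
! toward less-secure interfaces (e.g. outside) therefore needs an explicit
! permit. 192.0.2.0/24 is a placeholder for the real dmz subnet.
access-list DMZ_In extended permit ip 192.0.2.0 255.255.255.0 any
!
! Bind the ACL inbound on dmz; an access-list that is never applied with
! access-group is never evaluated.
access-group DMZ_In in interface dmz
```

On PIX 7.0 and later, enabling the ICMP inspection engine (`inspect icmp` under the default global policy-map) instead makes echo/echo-reply pairs stateful, so the explicit echo-reply permits are no longer required.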

On Sat, Mar 19, 2011 at 9:04 PM, Brian Blater <brb.lists@xxxxxxxxx> wrote:

On Sat, Mar 19, 2011 at 3:41 PM, Christopher J. Wargaski
<wargo1@xxxxxxxxx> wrote:
One new question about this is if my inside interface is a security
100 and my dmz is a security 50 and I have no ACL defined on the
inside interface, how come a ping from the inside to a device on
the dmz does not work? The only ACLs on the inside are the implicit
rules any to any less secure and any any deny. Is it that I would need
to have an additional rule on the dmz to allow icmp from the inside to
the dmz?

Thank you for the help. If you can't tell, I know enough to be
dangerous, but certainly not enough to be a guru at this.


firewall-wizards mailing list