RE: PIX firewall and ICMP

From: Maher Odeh (rax_at_netvision.net.il)
Date: 09/25/03

    Date: Thu, 25 Sep 2003 10:24:07 +0200
    To: "Cat Thrasher" <isd607@co.santa-cruz.ca.us>, "Security-Basics (E-mail)" <security-basics@securityfocus.com>
    
    

    Hi,
    If your divisions use ping to troubleshoot, you can allow a specific
    type of ICMP and not all of ICMP. How about something like this:

    access-list outside permit icmp any any echo-reply

    This way you can allow only echo-reply to the system without the need to
    open all types of ICMP toward the network.

    Hope this has been helpful.

    -----Original Message-----
    From: Cat Thrasher [mailto:isd607@co.santa-cruz.ca.us]
    Sent: Wednesday, September 24, 2003 7:22 PM
    To: Security-Basics (E-mail)
    Subject: PIX firewall and ICMP

    Please advise your opinions on my problem. I had a permit statement on
    the PIX that would allow ICMP from any to any. Since being hit with
    Nachi, I turned it off. I am being asked my policy on when it will be
    turned back on. I have a rather large network and many "divisions" who
    work independently, yet access the internet thru "my" PIX. They like to
    use ping when trouble-shooting.
    Can I get an opinion on whether or not I should turn this back on...
    Thanks

    Cat Thrasher
    Network Support Analyst
    County of Santa Cruz
    831-454-5367
    cat.thrasher@co.santa-cruz.ca.us
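
Added example, not part of the original messages: the permit-any ICMP entry from the question beside the narrowed list from the reply, in PIX configuration syntax. The ACL name `outside` is taken from the reply; the interface name `outside`, the `access-group` binding and the two optional entries are assumptions that go beyond what the thread states.

```cisco
: Before: the entry that was turned off. It admits every ICMP type
: arriving on the outside interface, including inbound echo requests.
: access-list outside permit icmp any any

: After: admit only the replies to pings that inside hosts send out.
access-list outside permit icmp any any echo-reply

: Optional additions (not in the thread): let traceroute and
: destination-unreachable errors for outbound traffic come back.
access-list outside permit icmp any any time-exceeded
access-list outside permit icmp any any unreachable

: Bind the list to traffic entering the outside interface
: (interface name is an assumption).
access-group outside in interface outside

: After a test ping from an inside host, check the per-entry hit counts.
show access-list outside
```

Inbound echo requests from outside match none of these entries and fall through to the implicit deny at the end of the list, so the divisions can ping out while outside hosts cannot ping in.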
