RE: unable to ping behind cisco pix firewall even no deny access list

From: Charlie Winckless (charliew_at_netarch.com)
Date: 12/08/03

    Date: Mon, 8 Dec 2003 14:04:31 -0700
    To: "Hilal Hussein" <hilalma@hotmail.com>, <security-basics@securityfocus.com>
    
    

    > -----Original Message-----
    > From: Hilal Hussein [mailto:hilalma@hotmail.com]
    > Sent: Saturday, December 06, 2003 8:59 AM
    > To: security-basics@securityfocus.com
    > Cc: sashman@ua.fm; sjackson@horizonusa.com

    Comments in-line, below...

    > Till now, we are ok, let me list the problems and the crazy issues:
    >
    > I can browse the internet, telnet, msn, chatting, but I CAN'T
    > ping any internet host (like yahoo, or cnn) and also some users
    > can't access the internet web based BANK LOGIN ACCOUNT, and
    > maybe other internet services!
    >

    On the PIX, ping (or any ICMP) is not stateful.
    You'll have to explicitly allow the ICMP types that
    you wish into your network with an ACL.

    I generally allow echo-reply (depending on the policy of the
    customer w.r.t clients being able to ping), unreachable,
    time-exceeded and parameter-problem.

    GES.
    >
    > Moreover, I am using the Kiwi Syslog Daemon software to audit
    > logs of the pix firewall, but it is not giving anything on the
    > screen as it is saying "unable to open UDP socket on port 514".
    > Please tell me, is this issue related to the above-mentioned
    > issue or what?
    > If not, how to resolve it, knowing that I installed Fport and
    > it showed me that udp port is already used by the system, with
    > no service name mentioned.

    514/UDP would be syslog. Some other syslog daemon apparently
    has it grabbed. If you get Vision from Foundstone, it may
    well tell you what's up.

    As to the individual sites that are causing issues: do you
    have any common theme? Do you have activeX or java filtering
    on the PIX enabled?

    > Regards,
    > Hilal

    -- Charlie
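    The ICMP policy Charlie describes, written out as an added PIX 6.x access-list example (not from the original thread; the ACL name outside_in and the interface name outside are assumed):

```cisco
! Allow only the ICMP types needed for outbound ping and troubleshooting
! to return through the outside interface. The PIX does not track ICMP
! state, so without these lines the replies to inside pings are dropped.
access-list outside_in permit icmp any any echo-reply
! unreachable also covers fragmentation-needed, which path MTU discovery
! relies on; blocking it is a classic cause of some sites hanging.
access-list outside_in permit icmp any any unreachable
! time-exceeded lets traceroute from the inside work.
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit icmp any any parameter-problem
! Plain echo (inbound ping of the firewall or inside hosts) is
! deliberately not permitted here; add it only if policy requires it.
access-group outside_in in interface outside
```

    Verify with "show access-list outside_in" and a ping from an inside host; the hit counters on the echo-reply line should increment.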
