Re: ICMP not keeping states? (PIX 6.3.3)

From: Wilykiote (ye_at_hright.com)
Date: 10/04/04


Date: 4 Oct 2004 15:16:58 -0500

Michael <kdo-jh7@iximail.com.this.is.a.real.email.address.even.if.weird>
wrote in news:cjs8f7$6rq$2@news.brutele.be:

> Good evening,
>
> I am deploying a PIX 506. The external IP address is the internet, the
> inside network is from the private IP scope.
>
> The inside network has to be NATed behind the external IP of the
> gateway. This works fine.
>
> I've got two access-lists applied on the appliance. On the inside
> interface, I've got rules specifying what kind of services the inside
> can reach. On the external interface, nothing.
>
> Users from the inside network need to be able to ping the outside world.
> But, the line in the acl applied on the inside interface allows icmp
> any_any... and it does not work!
>
> What do I have to add to the PIX (6.3.3) to make sure the inside users
> can ping the outside world?
>
> Many many thanks,
>
> /michael
>
>

Sounds like a config quirk created in the PDM itself. You need to telnet or
console into it and check the running config. You may want to look for a
line like

    icmp deny any echo-reply inside

If you are not comfortable using the CLI from a console, go to File > Show
Running Config in New Window and look for that entry.
If it is there, you can go to the CLI screen in the PDM or via console and
type in:

    no icmp deny any echo-reply inside

then type in:

    icmp allow any echo-reply inside

then try typing in:

    write mem

This is merely a speculation without seeing the config file itself.
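As an added illustration of the check suggested in the reply above (this is not code from the thread, and it has nothing to do with the PDM), here is a small script that scans a saved PIX running config for `icmp deny` lines on a given interface that would match echo-reply, and prints the CLI lines that would remove them. The sample config is constructed for the example; the script recognises the `permit`/`deny` keywords and the `any`, `host addr` and `addr mask` source forms that the PIX `icmp` command accepts, and a rule with no ICMP type is treated as matching every type, echo-reply included.

```python
from typing import Dict, List, Optional

# Constructed sample running config in PIX 6.3 style; not taken from the thread.
SAMPLE_CONFIG = """\
: Saved
PIX Version 6.3(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list inside_access_in permit icmp any any
access-list inside_access_in permit tcp any any eq www
icmp deny any echo-reply inside
icmp permit any echo outside
icmp permit host 10.0.0.5 inside
icmp deny 10.0.1.0 255.255.255.0 inside
access-group inside_access_in in interface inside
"""


def parse_icmp_rules(config: str) -> List[Dict[str, Optional[str]]]:
    """Parse 'icmp {permit|deny} <src> [icmp-type] <iface>' lines into dicts.

    <src> is one of: any | host <addr> | <addr> <mask>.
    A missing icmp-type means the rule applies to all ICMP types (type=None).
    Lines that do not fit this shape are skipped rather than guessed at.
    """
    rules: List[Dict[str, Optional[str]]] = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line.startswith("icmp "):
            continue
        tok = line.split()
        if len(tok) < 4 or tok[1] not in ("permit", "deny"):
            continue
        if tok[2] == "any":
            src, rest = "any", tok[3:]
        elif tok[2] == "host":
            src, rest = tok[3], tok[4:]
        else:  # address followed by a mask
            src, rest = f"{tok[2]} {tok[3]}", tok[4:]
        if len(rest) == 1:
            icmp_type, iface = None, rest[0]
        elif len(rest) == 2:
            icmp_type, iface = rest[0], rest[1]
        else:
            continue
        rules.append({"action": tok[1], "src": src, "type": icmp_type,
                      "iface": iface, "line": line})
    return rules


def blocked_echo_replies(config: str, iface: str = "inside") -> List[Dict[str, Optional[str]]]:
    """Deny rules on `iface` that would match echo-reply, explicitly or via 'all types'."""
    return [r for r in parse_icmp_rules(config)
            if r["action"] == "deny" and r["iface"] == iface
            and r["type"] in (None, "echo-reply")]


def fix_commands(config: str, iface: str = "inside") -> List[str]:
    """CLI lines that undo each offending deny, permit echo-reply, and save.

    'permit' is the keyword the PIX icmp command takes; the list is empty when
    nothing on `iface` blocks echo-reply, so there is nothing to change.
    """
    cmds = [f"no {r['line']}" for r in blocked_echo_replies(config, iface)]
    if cmds:
        cmds.append(f"icmp permit any echo-reply {iface}")
        cmds.append("write mem")
    return cmds


if __name__ == "__main__":
    for hit in blocked_echo_replies(SAMPLE_CONFIG):
        print("blocks echo-reply on inside:", hit["line"])
    print("\n".join(fix_commands(SAMPLE_CONFIG)))
```

Feed it the text of `show running-config` (or the file saved from the PDM's Show Running Config window) instead of `SAMPLE_CONFIG` to run the same check on a real box. One caveat when reading the result: the PIX `icmp` command governs ICMP addressed to the firewall's own interface address, so a hit here explains a failure to ping the inside interface, which is only the situation the reply speculates about.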


