Cannot ping server behind PIX?!

Answered Question
Dec 17th, 2007

I have a Web/DNS server behind a PIX firewall. I cannot ping it. What access-list do I need to allow ping traffic through? Or is it even necessary to allow pings? Could that be a security risk for things such as DoS?

husycisco Mon, 12/17/2007 - 04:37

Hi Austin

Try this:

policy-map global_policy
 class inspection_default
  inspect icmp

You had better leave ICMP enabled for connectivity testing purposes. When you finish testing, disable it to avoid possible ping flood attacks.


Regards


homeboarder8 Mon, 12/17/2007 - 04:45

Okay, just to make sure I understand you... Are the three lines above just for testing, or should I create an access-list to allow ICMP traffic for testing? Once I enter those three lines, will my server be vulnerable to DoS attacks?


Thanks for your help!

Correct Answer
husycisco Mon, 12/17/2007 - 05:03

When you enter the above lines in their respective order in configure terminal mode in the CLI, ICMP will be allowed without the need for an ACL. When you finish your test, disallow it by typing:

policy-map global_policy
 class inspection_default
  no inspect icmp


homeboarder8 Mon, 12/17/2007 - 05:12

Okay, one thing: I'm not sure if this makes a difference, but I am using a PIX 501, and I'm not familiar with the policy-map... are those valid commands for a 501?


Thanks!

husycisco Mon, 12/17/2007 - 05:41

Hmm, if that doesn't work you can try this:

icmp permit any dmz
icmp permit any inside

or:

fixup protocol icmp

If that doesn't work either, write ACLs as:

access-list dmzrulenamehere permit icmp any any
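As an added example, not code from this thread or from Cisco: a small Python audit that reads a PIX/ASA configuration and reports whether ICMP inspection is enabled under the global policy (the stateful approach in the accepted answer) and whether any access-list grants `permit icmp any any` (the broader fallback suggested last). The configuration text it parses is constructed for the example; it assumes the one-space-per-level indentation of `show running-config` output.

```python
import re

# Constructed PIX/ASA configuration excerpt (sample input for this example,
# not taken from the thread), combining the commands the replies mention.
SAMPLE_CONFIG = """\
access-list dmz_in extended permit tcp any host 10.0.1.10 eq www
access-list dmz_in extended permit icmp any any
access-group dmz_in in interface dmz
policy-map global_policy
 class inspection_default
  inspect dns
  inspect icmp
"""

ANY_ICMP = re.compile(r"^access-list \S+ (?:extended )?permit icmp any any\b")

def parse_policy_inspections(config: str) -> dict[str, list[str]]:
    """Map each policy-map to the protocols inspected under class inspection_default
    (relies on the one-space-per-level indentation of 'show running-config')."""
    result: dict[str, list[str]] = {}
    policy, in_class = None, False
    for line in config.splitlines():
        if not line.strip():
            continue
        indent, text = len(line) - len(line.lstrip()), line.strip()
        if indent == 0:  # top-level line ends any policy-map block we were in
            policy, in_class = None, False
            m = re.match(r"policy-map (\S+)$", text)
            if m:
                policy = m.group(1)
                result.setdefault(policy, [])
        elif policy is not None and indent == 1:
            in_class = text == "class inspection_default"
        elif policy is not None and in_class:
            m = re.match(r"inspect (\S+)$", text)  # 'no inspect icmp' does not match
            if m:
                result[policy].append(m.group(1))
    return result

def audit_icmp(config: str) -> dict:
    """Report how ICMP gets through: stateful inspection vs. wide-open ACL entries."""
    inspected = any("icmp" in p for p in parse_policy_inspections(config).values())
    broad = [l.strip() for l in config.splitlines() if ANY_ICMP.match(l.strip())]
    findings = []
    if inspected:
        findings.append("inspect icmp active: echo replies pass statefully; remove after testing")
    for acl in broad:
        findings.append(f"open ICMP rule, prefer inspection or a narrower entry: {acl}")
    return {"icmp_inspected": inspected, "broad_icmp_acls": broad, "findings": findings}
```

Running `audit_icmp(SAMPLE_CONFIG)` on the constructed config flags both the active `inspect icmp` and the `permit icmp any any` entry, so the check catches the case where a "temporary" test rule was never removed.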