Cannot ping server behind PIX?!

Answered Question
Dec 17th, 2007

I have a Web/DNS server behind a PIX firewall. I cannot ping it. What access-list do I need to allow ping traffic through? Or is it even necessary to allow pings? Could that be a security risk for things such as DoS?

husycisco Mon, 12/17/2007 - 04:37

Hi Austin

Try this:

policy-map global_policy
 class inspection_default
  inspect icmp

You'd better leave ICMP enabled for connectivity-test purposes. When you finish testing, disable it to avoid possible ping-flood attacks.


Regards


homeboarder8 Mon, 12/17/2007 - 04:45

Okay, just to make sure I understand you... The three lines above are just for testing, or should I create an access-list to allow ICMP traffic for testing? Once I enter those three lines, will my server be vulnerable to DoS attacks?


Thanks for your help!

Correct Answer
husycisco Mon, 12/17/2007 - 05:03

When you enter the above lines in their respective order in configure terminal mode in the CLI, ICMP will be allowed without the need for an ACL. When you finish your test, disallow it by typing:

policy-map global_policy
 class inspection_default
  no inspect icmp
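
A fuller worked configuration for the 7.x case, added here as an editor's example rather than something from husycisco's post. It assumes PIX/ASA 7.x software, a server at 10.0.0.10 on the inside translated to 203.0.113.10 on the outside (RFC 5737 documentation addresses), and placeholder interface and ACL names. Two points the thread leaves implicit: `inspect icmp` only tracks ICMP state (so an echo from inside gets its echo-reply back without an ACL), and a ping that originates outside and targets the server still needs a static translation plus an inbound ACL on the outside interface. It is that ACL entry, not the inspection, that exposes the server, so it is written to permit echo only, to that one host, and is what you remove after testing.

```cisco
! Editor's example, not from the thread. Assumes PIX/ASA 7.x, server 10.0.0.10
! (inside) = 203.0.113.10 (outside); interface and ACL names are placeholders.

! 1. Stateful ICMP inspection in the default global policy. An echo leaving
!    the inside creates a connection entry; only the matching reply is let back.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

! 2. Static translation so the server has an outside address to ping.
static (inside,outside) 203.0.113.10 10.0.0.10 netmask 255.255.255.255

! 3. Inbound ACL on the outside interface. Permit echo (type 8) to the server
!    only; no "permit icmp any any", so other ICMP types never reach the host.
access-list outside_in extended permit icmp any host 203.0.113.10 echo
access-list outside_in extended permit tcp any host 203.0.113.10 eq www
access-list outside_in extended permit udp any host 203.0.113.10 eq domain
access-group outside_in in interface outside

! 4. Separate matter: ICMP addressed to the firewall's own outside address is
!    governed by the icmp command, not by the ACL. Keep the box itself quiet.
icmp deny any outside

! Verify inspection is active and the ACL line is being hit.
show service-policy inspect icmp
show access-list outside_in

! After testing: drop the echo entry (the inspection can stay; it only tracks
! state and lets inside-originated pings work).
no access-list outside_in extended permit icmp any host 203.0.113.10 echo
```

Ping the server from outside while watching `show access-list outside_in`; the hit count on the echo line should increment, and `show conn` will show the ICMP connection while the inspection is on.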


homeboarder8 Mon, 12/17/2007 - 05:12

Okay, one thing, I'm not sure if this makes a difference, but I am using a PIX 501, and I'm not familiar with the policy-map... are those valid commands for a 501?


Thanks!

husycisco Mon, 12/17/2007 - 05:41

Hmm, if that doesn't work you can try this:

icmp permit any dmz
icmp permit any inside

or fixup protocol icmp

If that doesn't work either, write ACLs as:

access-list dmzrulenamehere permit icmp any any
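
The PIX 501 cannot run 7.x software, so `policy-map` and `inspect` are not available on it; the equivalent on 6.3 is `fixup protocol icmp`. Below is the 6.x version of the configuration, added as an editor's example and not taken from the thread. It assumes PIX 6.3 software, the same placeholder addressing (server 10.0.0.10 inside, 203.0.113.10 outside) and placeholder ACL and interface names. Note the semantics of the `icmp permit` lines suggested above: the `icmp` command controls ICMP that terminates on the PIX's own interfaces, so it does not by itself open pings through the firewall to a host behind it; that is the ACL's job.

```cisco
! Editor's example, not from the thread. Assumes PIX 6.3 on a 501, server
! 10.0.0.10 (inside) = 203.0.113.10 (outside); names are placeholders.

! Confirm the software train first: 6.x has fixup, 7.x has policy-map/inspect.
show version

! 6.3 stateful ICMP inspection, the counterpart of the 7.x "inspect icmp".
! Replies to pings originated inside are then matched to their request.
fixup protocol icmp
fixup protocol icmp error

! Static translation for the server.
static (inside,outside) 203.0.113.10 10.0.0.10 netmask 255.255.255.255

! Inbound ACL on the outside interface: echo to the server only, not
! "permit icmp any any", alongside the existing web/DNS permits.
access-list outside_in permit icmp any host 203.0.113.10 echo
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit udp any host 203.0.113.10 eq domain
access-group outside_in in interface outside

! On 6.2 and earlier there is no ICMP fixup, so even inside-originated pings
! need their replies permitted explicitly on the outside interface:
! access-list outside_in permit icmp any any echo-reply
! access-list outside_in permit icmp any any time-exceeded
! access-list outside_in permit icmp any any unreachable

! The icmp command only governs ICMP addressed to the PIX interfaces
! themselves. Deny it on the outside so the firewall does not answer pings.
icmp deny any outside

! Verify.
show fixup
show access-list outside_in

! After testing, remove the echo entry; the fixup can stay.
no access-list outside_in permit icmp any host 203.0.113.10 echo
```

Because 6.x ACLs are per-interface and evaluated inbound, the `dmz` variant of the same rule is the echo line above with the server's DMZ address and `access-group ... in interface outside` unchanged; a `permit icmp any any` on the outside interface would let every ICMP type reach every translated host, which is the exposure the original question is asking about.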

