Consults on PIX525 the ICMP agreement response question

cl129_lanzhou · ‎01-30-2008

The unit with PIX525, the ICMP agreement has let loose, to in the internal network only can PING to PIX525 boring, other all not be able PING, (outside visit net to be normal) do ask what question is?Below is disposes, thanks!

PIX1# sh run

: Saved

:

PIX Version 7.0(4)

!

hostname PIX1

domain-name zte

enable password xxx

names

!

interface Ethernet0

nameif outside

security-level 0

ip address *.*.*.* 255.255.255.*

!

interface Ethernet1

nameif inside

security-level 100

ip address *.*.*.* 255.255.255.*

!

interface Ethernet2

nameif *1

security-level 40

ip address *.*.*.* 255.255.255.*

!

interface Ethernet3

nameif *2

security-level 40

ip address *.*.*.* 255.255.255.*

!

interface Ethernet5

shutdown

no nameif

no security-level

no ip address

!

passwd xxx

ftp mode passive

access-list 104 extended permit icmp any any

access-list 104 extended permit ip any any

access-list 105 extended permit icmp any any

access-list 105 extended permit ip any any

access-list 106 extended permit icmp any any

access-list 106 extended permit ip any any

access-list 107 extended permit icmp any any

access-list 107 extended permit ip any any

pager lines 24

logging enable

logging trap warnings

logging host inside *.*.*.*

mtu outside 1500

mtu inside 1500

mtu boss 1500

mtu yiyang 1500

asdm image flash:/asdm

no asdm history enable

arp timeout 14400

access-group 106 in interface outside

access-group 104 in interface inside

access-group 105 in interface *1

access-group 107 in interface *2

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

http server enable

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet *.*.*.* 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

!

class-map inspection_default

match default-inspection-traffic

!

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

!

service-policy global_policy global

Cryptochecksum:xxx

: end

1cmerchant · ‎02-01-2008

Huh?

JORGE RODRIGUEZ · ‎02-01-2008

Chen, I think I understand your question please correct me if Im wrong. Your inside hosts are trying to ping hosts on the oustide internet, if this is whatI understand you need to re-do your icmp access list for imcp or follow bellow options.

1- One option is to use acl similar to the example in link.

e.g.

access-list 101 permit icmp any any echo-reply

access-list 101 permit icmp any any source-quench

access-list 101 permit icmp any any unreachable

access-list 101 permit icmp any any time-exceeded

access-group 101 in interface outside

2- Second option is to modify your global firewall policy to inspect imcp.

e.g

policy-map global_policy

class inspection_default

inspect icmp

please refer to this link to understand how PIX/ASA handles ICMP.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

Rgds

Jorge

Jorge Rodriguez