01-30-2008 06:22 PM - edited 03-11-2019 04:56 AM
We have a PIX525 and ICMP has been opened up, but from the internal network we can only ping the PIX525 itself; nothing else can be pinged (access to the outside network is normal). What could the problem be? The configuration is below, thanks!
PIX1# sh run
: Saved
:
PIX Version 7.0(4)
!
hostname PIX1
domain-name zte
enable password xxx
names
!
interface Ethernet0
nameif outside
security-level 0
ip address *.*.*.* 255.255.255.*
!
interface Ethernet1
nameif inside
security-level 100
ip address *.*.*.* 255.255.255.*
!
interface Ethernet2
nameif *1
security-level 40
ip address *.*.*.* 255.255.255.*
!
interface Ethernet3
nameif *2
security-level 40
ip address *.*.*.* 255.255.255.*
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
passwd xxx
ftp mode passive
access-list 104 extended permit icmp any any
access-list 104 extended permit ip any any
access-list 105 extended permit icmp any any
access-list 105 extended permit ip any any
access-list 106 extended permit icmp any any
access-list 106 extended permit ip any any
access-list 107 extended permit icmp any any
access-list 107 extended permit ip any any
pager lines 24
logging enable
logging trap warnings
logging host inside *.*.*.*
mtu outside 1500
mtu inside 1500
mtu boss 1500
mtu yiyang 1500
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
access-group 106 in interface outside
access-group 104 in interface inside
access-group 105 in interface *1
access-group 107 in interface *2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet *.*.*.* 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:xxx
: end
02-01-2008 01:14 PM
Huh?
02-01-2008 05:16 PM
Chen, I think I understand your question; please correct me if I'm wrong. Your inside hosts are trying to ping hosts on the outside internet. If that is what I understand, you need to redo your ICMP access list or follow one of the options below.
1- One option is to use an ACL similar to the example in the link.
e.g.
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-group 101 in interface outside
2- The second option is to modify your global firewall policy to inspect ICMP.
e.g.
policy-map global_policy
class inspection_default
inspect icmp
Please refer to this link to understand how the PIX/ASA handles ICMP.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
Rgds
Jorge
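As an added illustration (not part of the thread or of Cisco's tooling), the check below parses the ICMP-relevant lines of a PIX/ASA config and reports whether ICMP replies can get back in on the outside interface, by either of the two mechanisms in the reply: a stateful `inspect icmp`, or an inbound ACL that permits the return types. It also flags a `permit ip any any` applied inbound on outside, which the posted config carries; the sample configs are constructed from the lines on this page.

```python
import re

# Constructed sample: only the ICMP-relevant lines of the posted PIX 7.0(4) config
# (ACL 106 inbound on outside, no "inspect icmp" in the global policy).
ORIGINAL = """\
access-list 104 extended permit icmp any any
access-list 104 extended permit ip any any
access-list 106 extended permit icmp any any
access-list 106 extended permit ip any any
access-group 106 in interface outside
access-group 104 in interface inside
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
"""
# Constructed: the reply's option 1 (explicit return types) and option 2 (inspect icmp).
OPTION1 = """\
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-group 101 in interface outside
"""
OPTION2 = "policy-map global_policy\n class inspection_default\n  inspect icmp\n"

# ICMP types a non-stateful PIX must explicitly permit back in (the reply's option 1).
RETURN_TYPES = {"echo-reply", "source-quench", "unreachable", "time-exceeded"}

def _skip_addr(tok):
    """Consume one ACL address spec ('any', 'host A', or 'A MASK'); return the rest."""
    return tok[1:] if tok[0] == "any" else tok[2:]

def audit_icmp(config):
    """Classify how a PIX/ASA config lets ICMP replies back in on the outside interface."""
    lines = [l.strip() for l in config.splitlines()]
    outside_acl = None
    for l in lines:
        m = re.match(r"access-group (\S+) in interface outside$", l)
        if m:
            outside_acl = m.group(1)
    inspect_icmp = "inspect icmp" in lines          # stateful ICMP: replies tracked per echo
    icmp_types, any_icmp, ip_any_any = set(), False, False
    for l in lines:
        tok = l.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[1] != outside_acl:
            continue
        body = tok[3:] if tok[2] == "extended" else tok[2:]
        if len(body) < 4 or body[0] != "permit" or body[1] not in ("icmp", "ip"):
            continue
        rest = _skip_addr(_skip_addr(body[2:]))      # strip source and destination specs
        if body[1] == "ip":
            ip_any_any = ip_any_any or body[2:4] == ["any", "any"]   # covers ICMP, but wide open
        elif rest:
            icmp_types.add(rest[0])                  # one specific ICMP type
        else:
            any_icmp = True                          # every ICMP type, from anywhere
    replies_allowed = inspect_icmp or ip_any_any or any_icmp or RETURN_TYPES <= icmp_types
    return {"outside_acl": outside_acl, "inspect_icmp": inspect_icmp,
            "replies_allowed": replies_allowed, "permit_ip_any_any": ip_any_any}
```

For the posted config the function reports that replies are already permitted by ACL 106 (and that the ACL also admits all IP inbound), so the ACL is not what blocks the pings; option 2 is the only variant that keeps ICMP stateful.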