PIX Firewall problem

Unanswered Question
Feb 19th, 2008

I have configured a Cisco PIX firewall with 7.x IOS.

Everything is working fine. But I am having a strange problem with a server on the inside.

I just allowed the ICMP for inside server. Nothing else.

But the client is still able to open Remote Desktop on the client machine. Nothing is there except the static and access-list.

static (inside,dmz) netmask

access-list dmz_acl extended permit icmp host host

Why is it so? Please help me out.

wasiimcisco Fri, 02/22/2008 - 00:34

Thanks for the reply. The client is in the DMZ and the server is located on the inside of the PIX firewall.

johnd2310 Mon, 02/25/2008 - 19:53


Post your config, making sure you remove any sensitive info.



wasiimcisco Tue, 02/26/2008 - 01:56

Please see the configuration and let me know why users are able to do everything, though I have only permitted ICMP.

dcpix# sh run
: Saved

PIX Version 7.2(3)8

hostname dcpix
enable password xxx

interface Ethernet0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address x.x.x.61 standby x.x.x.62

interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address standby

interface Ethernet2
 speed 100
 duplex full
 nameif dmz
 security-level 90
 ip address standby

interface Ethernet3
 no nameif
 no security-level
 no ip address

interface Ethernet4
 no nameif
 no security-level
 no ip address

interface Ethernet5
 no nameif
 no security-level
 no ip address

interface Ethernet6
 no nameif
 no security-level
 no ip address

interface Ethernet7
 description LAN/STATE Failover Interface
 speed 100
 duplex full

passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list icmp extended permit ip host any
access-list icmp_out extended permit tcp any host x.x.x.60
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500

failover lan unit primary
failover lan interface faillink Ethernet7
failover lan enable
failover link faillink Ethernet7
failover interface ip faillink standby
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1
nat (dmz) 1
static (inside,dmz) netmask
static (dmz,outside) netmask
access-group icmp_out in interface outside
access-group icmp in interface dmz
route outside x.x.x.34 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0

class-map inspection_default
 match default-inspection-traffic

policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp

service-policy global_policy global
prompt hostname context

: end

parvees123 Sat, 03/01/2008 - 00:20


Firstly, there is no ACL entry as you mentioned in the first message (acl_dmz).

Secondly, in the configuration I can see you are permitting IP access in the access-list for the host, so everything is opened for this server (TCP, UDP and ICMP).

You have a static NAT entry for DMZ and inside, so all the ports will work in this case.

Please change the ACL entry to ICMP only and it will work fine.




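To show why the posted ACL lets Remote Desktop through even though only ICMP was intended, here is an added example (not from the thread or from Cisco) that parses simplified PIX "access-list ... extended" lines and evaluates a flow against them with first-match semantics and the implicit deny. The addresses 192.0.2.10 (DMZ client) and 10.0.0.5 (inside server) are constructed stand-ins for the values the poster removed; the "eq PORT" clause and the permit_ip_entries check are assumptions that go slightly beyond the single line in the thread.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip" (all protocols), "icmp", "tcp" or "udp"
    src: str               # IP address or "any"
    dst: str               # IP address or "any"
    dst_port: int | None = None   # tcp/udp "eq <port>", if present

# Simplified "access-list NAME extended ..." grammar: host/any endpoints, optional "eq PORT".
ACE_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>ip|icmp|tcp|udp)\s+(?P<src>any|host\s+\S+)\s+(?P<dst>any|host\s+\S+)"
    r"(?:\s+eq\s+(?P<port>\d+))?\s*$")

def _endpoint(token: str) -> str:
    return "any" if token == "any" else token.split()[1]

def parse_acls(config: str) -> dict[str, list[Ace]]:
    """Collect ACEs per ACL name in configuration order (first match wins, so order matters)."""
    acls: dict[str, list[Ace]] = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            port = m.group("port")
            acls.setdefault(m.group("name"), []).append(Ace(
                m.group("action"), m.group("proto"), _endpoint(m.group("src")),
                _endpoint(m.group("dst")), int(port) if port else None))
    return acls

def is_permitted(acl: list[Ace], proto: str, src: str, dst: str, dst_port: int | None = None) -> bool:
    """First-match evaluation; no match falls through to the PIX implicit deny."""
    for ace in acl:
        if ((ace.proto == "ip" or ace.proto == proto)
                and ace.src in ("any", src) and ace.dst in ("any", dst)
                and (ace.dst_port is None or ace.dst_port == dst_port)):
            return ace.action == "permit"
    return False

def permit_ip_entries(acls: dict[str, list[Ace]]) -> list[tuple[str, int]]:
    """(ACL name, position) of every 'permit ip' ACE: 'ip' matches every protocol and port."""
    return [(name, i) for name, acl in acls.items()
            for i, ace in enumerate(acl) if ace.action == "permit" and ace.proto == "ip"]

# Constructed sample addresses (hypothetical): 192.0.2.10 is the DMZ client, 10.0.0.5 the inside server.
WEAK_ACL = "access-list icmp extended permit ip host 192.0.2.10 any"
FIXED_ACL = "access-list icmp extended permit icmp host 192.0.2.10 any"
```

With WEAK_ACL a TCP flow to port 3389 (Remote Desktop) from the DMZ host is permitted; with FIXED_ACL only ICMP from that host passes and the RDP flow hits the implicit deny.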