PIX ICMP problem

spalislam · ‎08-26-2003

Once I turn on ip audit name XXX infor and ip audit name action with drop option, I can't ping my firewall, or devices behind it any more. That is fine. However, I created an ACL to allow these ICMPs to go through, but they get dropped regardless of ACL. ICMP packets go through only when I remove "drop" option from ip audit command.

Any suggestions? Help?

I would like to be able to ping several devices behind the firewall and not to turn of "drop" option of ip audit name XXX action and info.

Here is the config:

PIX Version 6.1(4)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxxx encrypted

passwd xxxxxxxencrypted

hostname TE-TEST

domain-name weber.edu

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

access-list Ping_in permit icmp host X.X.8.210 any

pager lines 24

logging on

logging timestamp

logging console notifications

<--- More --->

logging monitor notifications

logging buffered debugging

logging history notifications

interface ethernet0 100full

interface ethernet1 100full

mtu outside 1500

mtu inside 1500

ip address outside X.X.8.178 255.255.255.0

ip address inside 192.168.8.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

no failover

failover timeout 0:00:00

failover poll 15

failover ip address outside 0.0.0.0

failover ip address inside 0.0.0.0

pdm history enable

arp timeout 14400

global (outside) 1 X.X.8.20-X.X.8.175

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) X.X.8.171 192.168.8.171 netmask 255.255.255.255 0 0

access-group Ping_in in interface outside

route outside 0.0.0.0 0.0.0.0 X.X.8.1 1

timeout xlate 3:00:00

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

no sysopt route dnat

telnet timeout 5

ssh timeout 5

terminal width 80

Thanks in advance,

SP

scoclayton · ‎08-26-2003

Hi,

The problem is that your IP audit commands "trump" the ACL that you created. In IOS, we do have the ability to add an ACL to certain sigs so they are detected from/to certain hosts and ignored from/to others. However, the PIX does not offer this level of granularity. Your best bet is going to be disabling the signatures you do not want the PIX detecting by using the following command - 'ip audit signature signature_number disable'. Or you can set the informational alarms to an action of alarm only (no real need generally to drop these packets). However, the config above is not complete so I don't know if you are running into a problem here as well. Take a look here for some info on the various 'ip audit' commands.

Anyway, hope this helps.

scoclayton · ‎08-26-2003

This time, with the link. Sorry!

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#1101884

spalislam · ‎08-26-2003

Thanks for the info.

I have read in PIX manual that I can assign ACL to that specific signature and filter out ACL traffic before it gets to the signature. However, how do I know which signature number is used for ICMP ECHO, and ICMP Reply?

scoclayton · ‎08-26-2003

Actually, you cannot apply an ACL to the audit command. This is a feature in IOS IDS but not in PIX IDS. Your only option to streamline the signatures is to either have them turned on or off. As for indentifying the exact sigs you are hitting, you would probably need to setup a syslog server to be absolutely sure which sigs were causing the packet drop. In your case however, I would say that you are probably seeing sig ID 2000. Take a look at the following link for a complete list of all of the sigs that the PIX looks for - http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63syslog/pixemsgs.htm#1138590

Note that a lot of the ICMP sigs are "Informational" which means that you can enable the action on your "Informational" sigs (alarm) to be less than the actions on your "Attack" sigs (alarm, drop, and reset).

spalislam · ‎08-27-2003

Thanks a lot.

As you suggested, I have removed option "drop" from info sigs, but left it on attack sigs.

This allowed ICMPs. Then I created ACLs to deny ICMPs, except for specific stations. Everything is OK, except the minor detail, which I can live with.

I can not deny ICMPs from inside to their default gateway (E1 on Pix)

Here is the part that regards to ACLs

access-list Ping_in permit icmp host X.X.X.149 any

access-list Ping_in deny icmp any any

access-list Ping_in deny ip any any

access-list Ping_out permit icmp any any echo-reply

access-list Ping_out deny icmp any any

access-list Ping_out permit ip any any

ip audit name out-info info action alarm

ip audit name out-attack attack action alarm drop

ip audit interface inside out-info

ip audit interface inside out-attack

ip audit info action alarm

ip audit attack action alarm drop

access-group Ping_in in interface outside

access-group Ping_out in interface inside

Anyhow, thanks for all the help.

SP