08-26-2003 12:55 PM - edited 02-20-2020 10:57 PM
Once I turn on ip audit name XXX info and ip audit name XXX action with the drop option, I can't ping my firewall, or devices behind it, any more. That is fine. However, I created an ACL to allow these ICMPs to go through, but they get dropped regardless of the ACL. ICMP packets go through only when I remove the "drop" option from the ip audit command.
Any suggestions? Help?
I would like to be able to ping several devices behind the firewall and not to turn off the "drop" option of ip audit name XXX action and info.
Here is the config:
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxx encrypted
passwd xxxxxxx encrypted
hostname TE-TEST
domain-name weber.edu
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list Ping_in permit icmp host X.X.8.210 any
pager lines 24
logging on
logging timestamp
logging console notifications
logging monitor notifications
logging buffered debugging
logging history notifications
interface ethernet0 100full
interface ethernet1 100full
mtu outside 1500
mtu inside 1500
ip address outside X.X.8.178 255.255.255.0
ip address inside 192.168.8.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 X.X.8.20-X.X.8.175
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) X.X.8.171 192.168.8.171 netmask 255.255.255.255 0 0
access-group Ping_in in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.8.1 1
timeout xlate 3:00:00
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Thanks in advance,
SP
08-26-2003 02:15 PM
Hi,
The problem is that your IP audit commands "trump" the ACL that you created. In IOS, we do have the ability to add an ACL to certain sigs so they are detected from/to certain hosts and ignored from/to others. However, the PIX does not offer this level of granularity. Your best bet is going to be disabling the signatures you do not want the PIX detecting by using the following command - 'ip audit signature signature_number disable'. Or you can set the informational alarms to an action of alarm only (no real need generally to drop these packets). However, the config above is not complete so I don't know if you are running into a problem here as well. Take a look here for some info on the various 'ip audit' commands.
Anyway, hope this helps.
08-26-2003 02:20 PM
This time, with the link. Sorry!
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#1101884
08-26-2003 02:49 PM
Thanks for the info.
I have read in the PIX manual that I can assign an ACL to that specific signature and filter out ACL traffic before it gets to the signature. However, how do I know which signature number is used for ICMP Echo and ICMP Reply?
08-26-2003 06:38 PM
Actually, you cannot apply an ACL to the audit command. This is a feature in IOS IDS but not in PIX IDS. Your only option to streamline the signatures is to either have them turned on or off. As for identifying the exact sigs you are hitting, you would probably need to set up a syslog server to be absolutely sure which sigs were causing the packet drop. In your case, however, I would say that you are probably seeing sig ID 2000. Take a look at the following link for a complete list of all of the sigs that the PIX looks for - http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63syslog/pixemsgs.htm#1138590
Note that a lot of the ICMP sigs are "Informational" which means that you can enable the action on your "Informational" sigs (alarm) to be less than the actions on your "Attack" sigs (alarm, drop, and reset).
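The syslog-server step suggested above, as an added example that is not part of the thread: a small Python parser that picks the PIX IDS messages (the 400xxx series, "IDS:<sig> <text> from <src> to <dst> on interface <if>") out of a syslog capture, tallies hits per signature and per source, and emits the 'ip audit signature N disable' lines for whichever sigs you decide are benign. The log lines are constructed for illustration; the message wording should be checked against the pixemsgs.htm reference linked above.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog excerpt (not from the thread). The layout follows
# the PIX 400xxx IDS messages; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Aug 26 2003 13:01:02 TE-TEST %PIX-4-400017: IDS:2004 ICMP echo request from 198.51.100.210 to 203.0.113.171 on interface outside
Aug 26 2003 13:01:02 TE-TEST %PIX-4-400013: IDS:2000 ICMP echo reply from 203.0.113.171 to 198.51.100.210 on interface inside
Aug 26 2003 13:01:03 TE-TEST %PIX-4-400017: IDS:2004 ICMP echo request from 198.51.100.210 to 203.0.113.171 on interface outside
Aug 26 2003 13:01:05 TE-TEST %PIX-4-400017: IDS:2004 ICMP echo request from 198.51.100.7 to 203.0.113.178 on interface outside
Aug 26 2003 13:01:09 TE-TEST %PIX-6-302013: Built outbound TCP connection 42 for outside:198.51.100.7/80 to inside:192.168.8.171/1025
Aug 26 2003 13:02:11 TE-TEST %PIX-4-400025: IDS:2154 ICMP ping of death from 198.51.100.99 to 203.0.113.178 on interface outside
"""

# Only the IDS message family (400000-400050) carries a signature id.
IDS_RE = re.compile(
    r"%PIX-\d-4000\d\d: IDS:(?P<sig>\d+) (?P<name>.+?) "
    r"from (?P<src>\S+) to (?P<dst>\S+) on interface (?P<iface>\S+)")

def parse_ids_events(log_text):
    """Return one dict per IDS signature message; non-IDS lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = IDS_RE.search(line)
        if m:
            d = m.groupdict()
            d["sig"] = int(d["sig"])
            events.append(d)
    return events

def tally_by_signature(events):
    """Count hits per (signature id, message text) so the noisy sigs stand out."""
    return Counter((e["sig"], e["name"]) for e in events)

def sources_by_signature(events):
    """Map each signature id to the set of source addresses that triggered it."""
    srcs = defaultdict(set)
    for e in events:
        srcs[e["sig"]].add(e["src"])
    return dict(srcs)

def disable_commands(sigs):
    """Emit the PIX commands that switch off the chosen signatures entirely."""
    return [f"ip audit signature {s} disable" for s in sorted(sigs)]

if __name__ == "__main__":
    ev = parse_ids_events(SAMPLE_LOG)
    for (sig, name), n in tally_by_signature(ev).most_common():
        print(f"IDS:{sig:<5} {n:>3}  {name}  sources={sorted(sources_by_signature(ev)[sig])}")
    print("\n".join(disable_commands({2000, 2004})))
```

Run it against a real capture from 'logging host' output to see which signatures the pings actually trip before deciding between disabling them and dropping "drop" from the informational class.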
08-27-2003 02:45 PM
Thanks a lot.
As you suggested, I have removed the "drop" option from the info sigs, but left it on the attack sigs.
This allowed ICMPs. Then I created ACLs to deny ICMPs, except for specific stations. Everything is OK, except for one minor detail, which I can live with.
I cannot deny ICMPs from inside to their default gateway (E1 on the PIX).
Here is the part that relates to the ACLs:
access-list Ping_in permit icmp host X.X.X.149 any
access-list Ping_in deny icmp any any
access-list Ping_in deny ip any any
access-list Ping_out permit icmp any any echo-reply
access-list Ping_out deny icmp any any
access-list Ping_out permit ip any any
ip audit name out-info info action alarm
ip audit name out-attack attack action alarm drop
ip audit interface inside out-info
ip audit interface inside out-attack
ip audit info action alarm
ip audit attack action alarm drop
access-group Ping_in in interface outside
access-group Ping_out in interface inside
Anyhow, thanks for all the help.
SP