12-17-2007 04:31 AM - edited 03-12-2019 05:51 PM
I have a Web/DNS server behind a PIX firewall. I cannot ping it. What access-list do I need to allow ping traffic through? Or is it even necessary to allow pings? Could that be a security risk for things such as DoS?
12-17-2007 04:37 AM
Hi Austin
Try this
policy-map global_policy
class inspection_default
inspect icmp
You'd better leave ICMP enabled for connectivity test purposes. When you finish testing, disable it to avoid possible ping flood attacks.
Regards
12-17-2007 04:45 AM
Okay, just to make sure I understand you... Are the three lines above just for testing, or should I create an access-list to allow ICMP traffic for testing? Once I enter those three lines, will my server be vulnerable to DoS attacks?
Thanks for your help!
12-17-2007 05:03 AM
When you enter the above lines in their respective order in configure terminal mode in the CLI, ICMP will be allowed without the need for an ACL. When you finish your test, disallow it by typing
policy-map global_policy
class inspection_default
no inspect icmp
12-17-2007 05:12 AM
Okay, one thing: I'm not sure if this makes a difference, but I am using a PIX 501, and I'm not familiar with policy-map... are those valid commands for a 501?
Thanks!
12-17-2007 05:41 AM
Hmm, if that doesn't work you can try this
icmp permit any dmz
icmp permit any inside
or fixup protocol icmp
If that doesn't work either, write ACLs as
access-list dmzrulenamehere permit icmp any any
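As an added example (not part of any reply above), here is a PIX 6.x style configuration for the scenario in the question: a Web/DNS server on a DMZ that should answer pings from the Internet. Two points a practitioner would want: the `icmp permit`/`icmp deny` command only controls ICMP that terminates on the PIX's own interfaces, so it does not by itself let pings reach a host behind the firewall; and `permit icmp any any` opens every ICMP type to every inside address, when an inbound ACL can be scoped to echo requests for the one server plus the error types needed for path MTU discovery and traceroute. The interface names, ACL name and all IP addresses are placeholders. On PIX 6.x there is no stateful ICMP inspection, but the echo replies travel from the higher-security DMZ to the lower-security outside interface, which is permitted by default.

```cisco
! Added example, PIX 6.x syntax. Names and addresses are placeholders.
! 192.168.10.10 is the DMZ server, 203.0.113.10 its public address.
static (dmz,outside) 203.0.113.10 192.168.10.10 netmask 255.255.255.255

! Inbound from the Internet: only the services the server actually offers
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit udp any host 203.0.113.10 eq domain
access-list outside_in permit tcp any host 203.0.113.10 eq domain

! ICMP: echo requests to this one host only, plus the error types
! needed for path MTU discovery and traceroute to work correctly.
! Avoid the broad form "permit icmp any any".
access-list outside_in permit icmp any host 203.0.113.10 echo
access-list outside_in permit icmp any host 203.0.113.10 unreachable
access-list outside_in permit icmp any host 203.0.113.10 time-exceeded

access-group outside_in in interface outside

! Separate control for pings aimed at the PIX's own outside interface:
! answer only a management host (198.51.100.5, placeholder), drop the rest.
icmp permit host 198.51.100.5 echo outside
icmp deny any outside
```

After applying it, `show access-list outside_in` shows per-line hit counts, so a ping from outside should increment the `echo` line; if the counter stays at zero, the packet is being dropped before it reaches this ACL (for example by an upstream device or a missing `static`). When the testing window is over, removing the single `echo` line closes ping while leaving the error types, which are the ones that actually matter for reachability.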