Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
469
Views
7
Helpful
5
Replies

Cannot ping server behind PIX?!

Go to solution
homeboarder8
Level 1
Level 1

‎12-17-2007 04:31 AM - edited ‎03-12-2019 05:51 PM

I have a Web/DNS server behind a PIX firewall. I cannot ping it. What access-list do I need to allow ping traffic through? Or is it even nessesary to allow pings, could that be a security risk for things such as DOS?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
husycisco
Level 7
Level 7
In response to homeboarder8

‎12-17-2007 05:03 AM

When you enter above lines in their respective order in configure terminal mode in CLI, ICMP will be allowed without a need of ACL. When you finish your test disallow by typing

policy-map global_policy

class inspection_default

no inspect icmp

View solution in original post

0 Helpful
5 Replies 5

Go to solution
husycisco
Level 7
Level 7

‎12-17-2007 04:37 AM

Hi Austin

Try this

policy-map global_policy

class inspection_default

inspect icmp

You better leave icmp enabled for connectivity test purposes. When you finish testing, disable it for avoiding possible ping flood attacks.

Regards

Go to solution
homeboarder8
Level 1
Level 1
In response to husycisco

‎12-17-2007 04:45 AM

Okay just to make sure I understand you... The three lines above is just for testing, or should I create an access-list to allow ICMP traffic for testing? Once I enter in those three lines will my server be vonerable to DOS attacks?

Thanks for your help!

0 Helpful

Go to solution
husycisco
Level 7
Level 7
In response to homeboarder8

‎12-17-2007 05:03 AM

When you enter above lines in their respective order in configure terminal mode in CLI, ICMP will be allowed without a need of ACL. When you finish your test disallow by typing

policy-map global_policy

class inspection_default

no inspect icmp

0 Helpful

Go to solution
homeboarder8
Level 1
Level 1
In response to husycisco

‎12-17-2007 05:12 AM

Okay one thing I'm not sure if this makes a difference but I am using a PIX 501, and I'm not farmiliar with the policy-map... are those valid commands for a 501?

Thanks!

0 Helpful

Go to solution
husycisco
Level 7
Level 7
In response to homeboarder8

‎12-17-2007 05:41 AM

Hmm if doesnt work you can try this

icmp permit any dmz

icmp permit any inside

or fixup protocol icmp

if it doesnt work also, write ACLs as

access-list dmzrulenamehere permit icmp any any

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card