Applying ACL to Outside interface

mnlatif
Level 3

I am testing a PIX before it goes into the production network. Maybe I am making a very stupid mistake, but I am having trouble applying an access list to the outside interface. Here is the partial config

+++++++++++++++++++++++++++

nameif ethernet0 outside security0

access-list 103; 2 elements

access-list 103 deny icmp any any (hitcnt=0)

access-list 103 deny ip any any (hitcnt=0)

ip address outside x.x.x.60 255.255.255.248

access-group 103 in interface outside

++++++++++++++++++++++++++++++++++++++++++++++++

But when I ping the outside interface from a client (x.x.x.57), it responds to the pings; however, it should have been denied based on the access list.

Below is the capture

______________________________

11:31:09.856507 x.x.x.60 > x.x.x.57: icmp: echo reply(fragment-packet)

11:31:09.858018 X.x.x.57 > x.x.x.60: icmp: echo request(fragment-packet)

________________________________________________


rais
Level 7

What does it mean by (fragment-packet)? Did you try the sysopt security fragguard feature?

Thanks.

Still the same thing with the sysopt security fragguard feature.

I think you will only be able to ping the FW's outside interface. Nothing Inside.

Rais.

Actually, it is forwarding traffic for other hosts. Below, 10.1.1.1 doesn't exist, but the PIX ACL did allow this traffic to come inside.

12:37:14.342053 x.x.x.57 > 10.1.1.1: icmp: echo request(fragment-packet)

12:37:16.341245 x.x.x.57 > 10.1.1.1: icmp: echo request(fragment-packet)

I only see echo request in your debug output. Are you getting replies as well on the .57 machine?

Thanks.

I should have used the (config)#icmp permit|deny ... command.

It seems ICMP packets destined towards an interface are not controlled by ACL statements.
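As an added illustration (not configuration posted in this thread), the fragment below puts the two controls side by side on a PIX 6.x: the access-group ACL from the original post, which only governs traffic passing through the outside interface, and the icmp command, which governs ICMP addressed to the interface itself. The client x.x.x.57 is the test host from the thread; the lines starting with "!" are annotations, not CLI input, and the unreachable entry is an assumption about what the operator wants to keep working.

```text
! Through-traffic arriving on outside is still filtered by the interface ACL.
access-list 103 deny icmp any any
access-list 103 deny ip any any
access-group 103 in interface outside

! ICMP terminating on the outside interface is filtered by the icmp command,
! not by access-list 103. With no icmp commands configured, the PIX answers
! every ICMP packet sent to its interfaces, which is why x.x.x.60 replied.
! Once at least one icmp command exists, entries are checked top down and a
! packet that matches none is dropped for that interface.
icmp permit host x.x.x.57 echo outside
icmp permit any unreachable outside
icmp deny any outside

! Confirm the entries and their order before re-running the ping test.
show icmp
```

With this in place, only x.x.x.57 gets echo replies from the outside address, while the ACL hit counters (show access-list) remain the place to watch for traffic that is trying to cross the interface rather than terminate on it.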