227 Views, 0 Helpful, 1 Reply

EXAMPLE RULE in PDM online help (PDM online help 4.0 page 240)

The example rule in the manual states this:

The following ACL permits ICMP echo-reply messages into the inside interface. You must allow all other traffic with the last rule. This ACL permits hosts on the inside to ping hosts on other remote networks. The following example is the summary view of this rule.

Diagram (summary view):

1  x  any  any  inside  echo-reply  alerts  300
2  x  any  any  inside  ip          alerts  300

2 questions:

1 Does it matter if the first rule lets the rest of the traffic in and the second rule only lets in ICMP?

2 Does the "rest of the traffic" have to be everything else?

It seems this restricts traffic to the DMZ coming in. What I am getting at is: is it just as good to allow all in and then restrict on the outgoing side?

1 Reply

Patrick Laidlaw
Level 4

Hello,

I'm actually pretty terrible at looking at the PDM when it comes to rules. It just doesn't seem to portray them that clearly.

On a PIX, if you want to ping something on a lower-security-level interface, you must add an access-list statement that permits echo-reply coming back into the lower-security-level interface to the higher-security-level interface or to the NATed address.

Unlike other connections, ICMP is not tracked the same.

Patrick
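As an added example (not part of the original thread or of the PDM manual), here is what the reply above translates to on the PIX command line. It assumes PIX 6.x syntax, interfaces named outside (security level 0) and inside (security level 100), and an ACL named outside_access_in; all three names are assumptions, and the lines beginning with "!" are commentary rather than configuration.

```cisco
! Added example, not from the original thread. Assumes interface names
! "outside" (security 0) and "inside" (security 100) and the ACL name
! "outside_access_in"; adjust to your own configuration.
!
! Inside hosts can send echo-requests outbound (high to low security)
! without any ACL, but the echo-reply coming back in on the outside
! interface must be permitted explicitly, because the PIX does not
! track ICMP the way it tracks TCP/UDP connections.
access-list outside_access_in permit icmp any any echo-reply
!
! Bind the ACL inbound on the lower-security interface.
access-group outside_access_in in interface outside
!
! Verify: the hit count on the echo-reply line should increase after
! an inside host pings a remote address.
show access-list outside_access_in
```

On the ordering question: PIX ACLs are evaluated top-down, first match. If a permit ip any any entry comes before the echo-reply entry, the echo-reply entry is shadowed and never matches, so it is the permit-any line that actually carries the replies; a dedicated echo-reply entry only does work when it precedes more restrictive entries, or when the permit-any entry is absent. Permitting ip any any inbound on the lower-security interface also exposes every inside and DMZ host to unsolicited connections from that side, which is why an entry as narrow as echo-reply is the usual practice there.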
