Cisco Support Community
EXAMPLE RULE in PDM online help (PDM online help 4.0 page 240)

The example rule in the manual states this:

The following ACL permits ICMP echo-reply messages into the inside interface. You must allow all other traffic with the last rule. This ACL permits hosts on the inside to ping hosts on other remote networks. The following example is the summary view of this rule.

Diagram

1  x  any  any  inside  echo-reply  alerts  300

2  x  any  any  inside  ip          alerts  300

2 questions...

1. Does it matter if the first rule lets the rest of the traffic in and the second rule only lets in ICMP?

2. Does the "rest of the traffic" have to be everything else?

It seems this restricts traffic to the DMZ coming in. What I am getting at is: is it just as good to allow all in and then restrict on the outgoing side?

1 REPLY

Re: EXAMPLE RULE in PDM online help (PDM online help 4.0 page 24

Hello,

I'm actually pretty terrible at looking at the PDM when it comes to rules. It just doesn't seem to portray them that clearly.

On a PIX, if you want to ping something on a lower security level interface you must add an access-list statement that permits echo-reply coming back into the lower security level interface to the higher security level interface or to the NATted address.

Unlike other connections, ICMP is not tracked the same.

Patrick
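The reply above in PIX 6.x CLI form, as an added example that is not part of the thread or the PDM manual. Interface names, security levels and access-list names are assumed; the point it shows is that the echo-reply permit has to sit on the lower-security interface, and that the outside list needs no "permit ip any any" because the PIX denies everything not explicitly permitted.

```text
! Added example (assumed names): inside = security 100, outside = security 0.
nameif ethernet0 outside security0
nameif ethernet1 inside security100

! Inside hosts may open anything outbound. This is the CLI equivalent of the
! manual's rule 2 ("permit all other traffic") applied on the inside interface.
access-list inside_out permit ip any any
access-group inside_out in interface inside

! The PIX does not keep a connection entry for ICMP the way it does for
! TCP/UDP, so the echo-reply coming back from the outside must be permitted
! explicitly on the outside (lower security) interface. To restrict it to the
! NATted address, replace the destination "any" with that global address.
access-list outside_in permit icmp any any echo-reply

! ICMP error types that a ping or traceroute relies on; leave these out if
! only plain ping replies are wanted.
access-list outside_in permit icmp any any unreachable
access-list outside_in permit icmp any any time-exceeded

! No "permit ip any any" here: the implicit deny at the end of the list drops
! every other inbound packet, which is the restrictive answer to question 2.
access-group outside_in in interface outside
```

Leaving out the outside list entirely, or adding "permit ip any any" to it, would let the ping work but would also expose every inside host behind a static or global NAT to unsolicited inbound traffic.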
