New Member

ICMP from the outside

I am running a 515E firewall using S/W 6.2(1)

We are managing a network on the inside of the F/W that is 10.0.0.0/8.

On the outside we have a number of statics -

static (inside,outside) tcp 203.42.151.10 ssh 10.17.100.10 ssh netmask 255.255.255.255 0 0

static (inside,outside) 203.42.151.12 10.17.101.4 netmask 255.255.255.255 0 0

static (inside,outside) 203.42.151.11 10.17.100.11 netmask 255.255.255.255 0 0

static (inside,outside) 203.42.151.9 10.17.101.5 netmask 255.255.255.255 0 0

static (inside,outside) 203.42.151.13 10.17.101.6 netmask 255.255.255.255 0 0

We also have an acl for allowing ICMP from particular outside address ranges

access-list acl_outside permit icmp 203.36.212.96 255.255.255.240 any

access-list acl_outside permit icmp 203.36.212.64 255.255.255.240 any

We also have a static route on the inside

route inside 10.0.0.0 255.0.0.0 10.17.103.253 1

I am using inside nat only.

Now, here's the problem.

If I do a basic ping 10.17.100.1, which is not in the allowable static list, from the outside, I do not get through. This is to be expected as I am using the outside i/f of the outside router as a source address - 203.42.151.14 - and the acl on the outside PIX i/f stops it.

However, if I use an allowable src address via an extended ping, 203.36.212.65, it succeeds. I can see ICMP traces through the f/w, but no xlates.

Why does this happen?

As a hole has been drilled through the firewall, and no stateful connection is used, has the inside network been compromised?

2 REPLIES
New Member

Re: ICMP from the outside

As there is no static NAT for the IP 10.17.100.1, one possibility could be NAT 0, since there is a route on the PIX for that subnet. Please check if you have NAT 0 configured on the PIX for the subnet containing IP 10.17.100.1. But I don't think this is an issue.

Thanks
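The two scenarios in the question (a ping from 203.42.151.14 being stopped by acl_outside, a ping from 203.36.212.65 passing the ACL but showing no xlate) and the reply's nat 0 suggestion can be walked through with a small model of the PIX 6.x inbound decision order: interface ACL first, then xlate lookup (static, or nat 0 exemption), otherwise "no translation" drop. The code below is an added example, not from the poster or from Cisco; it parses only the static, access-list, access-group and nat 0 lines quoted in the thread, and the `NAT0_LINE` it appends is a hypothetical line illustrating the reply, not part of the poster's configuration. The names `parse_config`, `acl_permits` and `inbound_icmp` are the example's own, and treating every nat 0 entry as a NAT exemption is a deliberate simplification.

```python
"""Simplified model of how a PIX 6.x decides on an inbound (outside -> inside) ICMP packet.

Added example: the config text is reconstructed from the forum post; NAT0_LINE is
hypothetical and only illustrates the reply's "check for nat 0" suggestion.
"""
import ipaddress
from dataclasses import dataclass, field

POSTED_CONFIG = """
static (inside,outside) tcp 203.42.151.10 ssh 10.17.100.10 ssh netmask 255.255.255.255 0 0
static (inside,outside) 203.42.151.12 10.17.101.4 netmask 255.255.255.255 0 0
static (inside,outside) 203.42.151.11 10.17.100.11 netmask 255.255.255.255 0 0
static (inside,outside) 203.42.151.9 10.17.101.5 netmask 255.255.255.255 0 0
static (inside,outside) 203.42.151.13 10.17.101.6 netmask 255.255.255.255 0 0
access-list acl_outside permit icmp 203.36.212.96 255.255.255.240 any
access-list acl_outside permit icmp 203.36.212.64 255.255.255.240 any
access-group acl_outside in interface outside
"""
# Hypothetical, per the reply: the poster has not said this line exists.
NAT0_LINE = "nat (inside) 0 10.0.0.0 255.0.0.0\n"


@dataclass
class PixConfig:
    statics: dict = field(default_factory=dict)        # global ip -> (local ip, "proto/port" or None)
    acls: dict = field(default_factory=dict)           # acl name -> [(action, proto, src_net, dst_net)]
    access_groups: dict = field(default_factory=dict)  # interface -> acl name bound inbound
    nat0: list = field(default_factory=list)           # networks treated as exempt from translation


def _take_addr(tokens):
    """Consume one address spec. PIX ACLs use real subnet masks, not wildcard masks."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text):
    cfg = PixConfig()
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "static":
            # static (in,out) [tcp|udp] global [gport] local [lport] netmask mask ...
            if t[2] in ("tcp", "udp"):
                cfg.statics[t[3]] = (t[5], f"{t[2]}/{t[4]}")   # port static: one service only
            else:
                cfg.statics[t[2]] = (t[3], None)               # one-to-one static: all protocols
        elif t[0] == "access-list":
            name, action, proto = t[1], t[2], t[3]
            src, rest = _take_addr(t[4:])
            dst, _ = _take_addr(rest)
            cfg.acls.setdefault(name, []).append((action, proto, src, dst))
        elif t[0] == "access-group":
            cfg.access_groups[t[4]] = t[1]                     # access-group NAME in interface IFACE
        elif t[0] == "nat" and t[2] == "0" and t[3] != "access-list":
            # Simplification: every nat 0 network is treated as a NAT exemption.
            cfg.nat0.append(ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False))
    return cfg


def acl_permits(cfg, iface, proto, src, dst):
    """First matching entry wins; an interface ACL ends with an implicit deny."""
    name = cfg.access_groups.get(iface)
    if name is None:
        return False   # inbound on a lower-security interface needs an explicit permit
    for action, p, s, d in cfg.acls.get(name, []):
        if p in (proto, "ip") and src in s and dst in d:
            return action == "permit"
    return False


def inbound_icmp(cfg, src_ip, dst_ip):
    """What the model does with an ICMP echo arriving on 'outside' for dst_ip."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if not acl_permits(cfg, "outside", "icmp", src, dst):
        return "denied by acl_outside"
    if dst_ip in cfg.statics:
        local, service = cfg.statics[dst_ip]
        if service is None:
            return f"translated to {local} via static"
        return f"static for {dst_ip} only covers {service}; no xlate for icmp"
    if any(dst in n for n in cfg.nat0):
        return "forwarded untranslated (nat 0 exemption, no xlate created)"
    return "no translation for destination; dropped"


if __name__ == "__main__":
    cfg = parse_config(POSTED_CONFIG)
    for s, d in [("203.42.151.14", "10.17.100.1"), ("203.36.212.65", "10.17.100.1"),
                 ("203.36.212.65", "203.42.151.12"), ("203.36.212.65", "203.42.151.10")]:
        print(f"{s} -> {d}: {inbound_icmp(cfg, s, d)}")
    with_nat0 = parse_config(POSTED_CONFIG + NAT0_LINE)
    print(f"with nat 0: 203.36.212.65 -> 10.17.100.1: {inbound_icmp(with_nat0, '203.36.212.65', '10.17.100.1')}")
```

The point the model makes visible is that `permit icmp <range> any` on its own only gets a packet past the ACL; without a static or a nat 0 covering 10.17.100.1 the modelled PIX has nothing to translate to and drops the packet. If the real box forwards the echo and shows no xlate, the reply's advice to look for a nat 0 entry (or any other untranslated path the poster has not listed) is the place to start, and the fix if that hole is unwanted is to tighten the ACL's destination from `any` to the published globals rather than rely on the absence of a translation.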
