11-17-2006 06:03 AM - edited 03-09-2019 04:54 PM
I have a query for you
regarding enabling ICMP on pix.
1) At one site we have a PIX, on which we have configured a site to site VPN.
At present we have the command "conduit permit icmp any any",
which enables us to ping any internet site. But the customer
wants to block any any and instead of that he wants to allow ICMP
from his LAN (192.168.1.0/24) to any outside destination. For
achieving this I have tried to define the access-list in many ways as
follows but none is successful. So for that I require your help. The
commands I tried are as follows.
access-list 110 permit icmp 192.168.1.0 255.255.255.0 any
access-group 110 in inside
conduit permit icmp 192.168.1.0 255.255.255.0 any
icmp permit 192.168.1.0 255.255.255.0 echo-reply outside
icmp permit 192.168.1.0 255.255.255.0 echo outside
The moment I remove the conduit permit icmp any any command and
issue any of the above commands I could not ping any of the public
IPs.
Herewith I am attaching the config file for your kind reference.
Looking forward to your reply, I remain.
Thanks and regards,
Sairam Bharati
9818404250
INTPIX# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
access-list 100 permit ip 192.168.1.0 255.255.255.0 host 192.168.101.103
access-list 100 permit ip 192.168.1.0 255.255.255.0 host 192.168.101.71
pager lines 24
logging on
logging timestamp
logging trap notifications
logging host inside 192.168.1.12
mtu outside 1500
mtu inside 1500
ip address outside 203.x.x.181 255.255.255.224
ip address inside 192.168.1.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 203.x.x.169
global (outside) 4 203.x.x.174
global (outside) 5 203.x.x.175
global (outside) 7 203.x.x.180
nat (inside) 0 access-list 100
nat (inside) 7 192.168.1.7 255.255.255.255 0 0
nat (inside) 2 192.168.1.182 255.255.255.255 0 0
nat (inside) 4 192.168.1.206 255.255.255.255 0 0
nat (inside) 5 192.168.1.211 255.255.255.255 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.x.x.197.202.164 1
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto map 4medica 20 ipsec-isakmp
crypto map 4medica 20 match address 100
crypto map 4medica 20 set peer 64.14.240.65
crypto map 4medica 20 set transform-set strong
crypto map 4medica interface outside
isakmp enable outside
isakmp key ******** address 64.14.240.65 netmask 255.255.255.255
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet 192.168.1.20 255.255.255.255 inside
telnet 192.168.1.23 255.255.255.255 inside
telnet timeout 5
ssh 192.168.1.12 255.255.255.255 inside
ssh timeout 5
console timeout 0
url-block url-mempool 1500
url-block url-size 4
terminal width 80
11-17-2006 09:14 AM
For security purposes, avoid posting/including any sensitive information such as the outside interface public IP, username/password, enable password and so on.
---------------------------------------------
For testing purposes, try to permit 'icmp any any' to ensure ICMP is not blocked by any other issue, i.e bad routing, wrong nat and so on. If this is successful, narrow down who/which subnet can perform ping.
access-list 110 permit icmp 192.168.1.0 255.255.255.0 any
access-group 110 in interface inside
The existing nat 1 and global 1 pair is sufficient to allow internal hosts start pinging to outside.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
BTW, the 'icmp permit' command is to allow/deny ping to any PIX interface from the directly connected segment. As for the conduit statement, you can use an ACL to replace this function. Cisco highly recommends ACLs as they are more flexible and provide better control. At any time, an ACL is automatically preferred by the PIX (higher precedence).
conduit permit icmp any any ---> may remove this
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_field_notice09186a00801d3621.shtml
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml
Hope this helps. Pls rate all useful post(s)
AK
11-21-2006 02:17 AM
Dear Sir,
This does not solve my problem. I have tried putting the ACL many ways. But it does not work. Now I have one question to ask. I have a PIX with me. My inside port IP address is 192.168.1.1 and the network connected to it is 192.168.1.0/24. Now I want to ping any outside public IP (for ex: www.yahoo.com). The moment I am removing "conduit permit icmp any any", I am unable to ping any public IP.
I have tried with
1)conduit permit icmp 192.168.1.0 255.255.255.0 any
2)access-list 110 permit icmp 192.168.1.0 255.255.255.0 any
access-group 110 in interface inside
3)access-list 110 permit icmp any any
But none of them are working except conduit any any.
Any help from your side will be appreciated by me.
Regards,
Sairam Bharati
+91-9818404250
11-22-2006 09:24 AM
Hello,
In PIX 6.3(5) ICMP is *not* stateful. So if access list 100 is applied on the inside and has a 'permit icmp any any', you would need an access list on the lower security level interface allowing ICMP (i.e., permit icmp any any, or, preferably, permit icmp any any eq echo-reply).
So to summarize:
on the inside interface
access-list inside_acl permit icmp any any
on the lower security level (outside?)
access-list outside_acl permit icmp any any echo-reply
or (less secure)
access-list outside_acl permit icmp any any
and of course the appropriate access-group statements applying the access-lists to the interface.
--Jason
Please rate this message if it helps solve some or all of your issue.
11-22-2006 09:35 AM
Jason is absolutely right. You will have to explicitly allow the echo-reply on the outside interface. ICMP is not a single connection but 2 connections: one from inside to outside (echo) and one from outside to inside (echo reply).
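The two-ACL configuration that Jason's reply and the confirmation above describe, written out against the posted PIX 6.3(5) config as an added example (not posted by anyone in the thread). The ACL names, the ordering with a deny line, and the extra ICMP types are assumptions; the 192.168.1.0/24 LAN and the interface names come from the posted config.

```cisco
! Outbound (higher to lower security). Binding an ACL to "inside" removes
! the default permit-all for that interface, so everything the LAN needs
! must be permitted explicitly or it hits the implicit deny at the end.
! ICMP types follow the addresses directly; "eq" is only for TCP/UDP ports.
access-list inside_acl permit icmp 192.168.1.0 255.255.255.0 any echo
access-list inside_acl deny icmp any any
access-list inside_acl permit ip 192.168.1.0 255.255.255.0 any
access-group inside_acl in interface inside
!
! Inbound (lower to higher security). PIX 6.3 keeps no ICMP state, so the
! echo replies must be permitted on "outside" by type. The destination seen
! here is the translated (global) address, not 192.168.1.x, hence "any".
! unreachable and time-exceeded are an assumed addition so that path-MTU
! discovery and traceroute keep working; omit them if not wanted.
access-list outside_acl permit icmp any any echo-reply
access-list outside_acl permit icmp any any unreachable
access-list outside_acl permit icmp any any time-exceeded
access-group outside_acl in interface outside
!
! Once ACLs are bound to both interfaces the conduit is no longer needed.
no conduit permit icmp any any
```

Verify with "show access-list" after a ping from a LAN host: the hitcnt on the echo line and on the echo-reply line should both increase; if only the echo line counts, the reply is being dropped on the outside interface.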