ICMP Problem

d.sekar
Level 1

I have a query for you regarding enabling ICMP on the PIX.

1) At one site we have a PIX, on which we have configured a site-to-site VPN. At present we have the command "conduit permit icmp any any", which enables us to ping any Internet site. But the customer wants to block any any and instead wants to allow ICMP from his LAN (192.168.1.0/24) to any outside destination. To achieve this I have tried to define the access-list in many ways as follows, but none is successful, so I require your help. The commands I tried are as follows:

access-list 110 permit icmp 192.168.1.0 255.255.255.0 any
access-group 110 in inside
conduit permit icmp 192.168.1.0 255.255.255.0 any
icmp permit 192.168.1.0 255.255.255.0 echo-reply outside
icmp permit 192.168.1.0 255.255.255.0 echo outside

The moment I remove the "conduit permit icmp any any" command and issue any of the above commands, I cannot ping any public IPs.

Herewith I am attaching the config file for your kind reference.

Looking forward to your reply, I remain.

Thanks and regards,

Sairam Bharati

9818404250

sairam.bharati@gmail.com

INTPIX# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
access-list 100 permit ip 192.168.1.0 255.255.255.0 host 192.168.101.103
access-list 100 permit ip 192.168.1.0 255.255.255.0 host 192.168.101.71
pager lines 24
logging on
logging timestamp
logging trap notifications
logging host inside 192.168.1.12
mtu outside 1500
mtu inside 1500
ip address outside 203.x.x.181 255.255.255.224
ip address inside 192.168.1.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 203.x.x.169
global (outside) 4 203.x.x.174
global (outside) 5 203.x.x.175
global (outside) 7 203.x.x.180
nat (inside) 0 access-list 100
nat (inside) 7 192.168.1.7 255.255.255.255 0 0
nat (inside) 2 192.168.1.182 255.255.255.255 0 0
nat (inside) 4 192.168.1.206 255.255.255.255 0 0
nat (inside) 5 192.168.1.211 255.255.255.255 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.x.x.197.202.164 1
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto map 4medica 20 ipsec-isakmp
crypto map 4medica 20 match address 100
crypto map 4medica 20 set peer 64.14.240.65
crypto map 4medica 20 set transform-set strong
crypto map 4medica interface outside
isakmp enable outside
isakmp key ******** address 64.14.240.65 netmask 255.255.255.255
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet 192.168.1.20 255.255.255.255 inside
telnet 192.168.1.23 255.255.255.255 inside
telnet timeout 5
ssh 192.168.1.12 255.255.255.255 inside
ssh timeout 5
console timeout 0
url-block url-mempool 1500
url-block url-size 4
terminal width 80

4 Replies

a.kiprawih
Level 7

For security purposes, avoid posting/including any sensitive information such as the outside interface public IP, username/password, enable password and so on.

---------------------------------------------

For testing purposes, try to permit 'icmp any any' to ensure ICMP is not blocked by any other issue, i.e. bad routing, wrong NAT and so on. If this is successful, narrow down who/which subnet can perform ping.

access-list 110 permit icmp 192.168.1.0 255.255.255.0 any
access-group 110 in interface inside

The existing nat 1 and global 1 pair is sufficient to allow internal hosts to start pinging outside.

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

BTW, the 'icmp permit' command is to allow/deny ping to any PIX interface from the directly connected segment. As for the conduit statement, you can use an ACL to replace this function. Cisco highly recommends ACLs as they are more flexible and provide better control. At any time, an ACL is automatically preferred by the PIX (higher precedence).

conduit permit icmp any any ---> may remove this

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_field_notice09186a00801d3621.shtml

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml

Hope this helps. Pls rate all useful post(s)

AK

Dear Sir,

This does not solve my problem. I have tried putting the ACL many ways, but it does not work. Now I have one question to ask. I have a PIX with me. My inside port IP address is 192.168.1.1 and the network connected to it is 192.168.1.0/24. Now I want to ping any outside public IP (for example www.yahoo.com). The moment I remove "conduit permit icmp any any", I am unable to ping any public IP.

I have tried with

1) conduit permit icmp 192.168.1.0 255.255.255.0 any

2) access-list 110 permit icmp 192.168.1.0 255.255.255.0 any
access-group 110 in interface inside

3) access-list 110 permit icmp any any

But none of them are working except conduit any any.

Any help from your side will be appreciated by me.

Regards,

Sairam Bharati

+91-9818404250

sairam.bharati@gmail.com

Hello,

In PIX 6.3(5) ICMP is *not* stateful. So if access list 100 is applied on the inside and has a 'permit icmp any any', you would need an access list on the lower security level interface allowing ICMP (i.e., permit icmp any any, or, preferably, permit icmp any any eq echo-reply).

So to summarize:

on the inside interface

access-list inside_acl permit icmp any any

on the lower security level (outside?)

access-list outside_acl permit icmp any any eq echo-reply

or (less secure)

access-list outside_acl permit icmp any any

and of course the appropriate access-group statements applying the access-lists to the interface.

--Jason

Please rate this message if it helps solve some or all of your issue.

Jason is absolutely right. You will have to explicitly allow the echo-reply on the outside interface. ICMP is not a single connection but 2 connections. One from inside to outside (Echo) and one from outside to inside (Echo reply).
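The two-ACL fix described in the last replies, written out as an added PIX 6.3 configuration that is not taken from the thread. The ACL names are my choice, the LAN address is the poster's, and it assumes the poster's nat/global pairs stay as shown in the running config. Note that in the PIX access-list syntax the ICMP type keyword (echo, echo-reply, ...) follows the destination directly; the "eq" keyword is only for TCP/UDP ports.

```cisco
! Added example (not from the thread): replace "conduit permit icmp any any"
! with an ACL on each interface. PIX 6.3 keeps no ICMP state, so the
! outbound echo and the returning echo-reply must each be permitted.

! 1. Inside interface: only the customer LAN may send echo requests out.
access-list inside_acl permit icmp 192.168.1.0 255.255.255.0 any echo
! Once an ACL is bound to the inside interface the implicit deny applies
! to everything else, so the LAN's normal traffic (and the VPN traffic
! matched by access-list 100) must be permitted here too:
access-list inside_acl permit ip 192.168.1.0 255.255.255.0 any
access-group inside_acl in interface inside

! 2. Outside interface: allow back in only what a ping needs.
! An outside ACL on PIX 6.3 is evaluated against the translated (global)
! address, so the 192.168.1.0/24 subnet cannot be named as the destination.
access-list outside_acl permit icmp any any echo-reply
! ICMP errors, so traceroute and path-MTU discovery keep working:
access-list outside_acl permit icmp any any time-exceeded
access-list outside_acl permit icmp any any unreachable
access-group outside_acl in interface outside

! 3. Only now remove the wide-open conduit.
no conduit permit icmp any any

! 4. Check: after a ping from the LAN, the echo-reply line should show
! a non-zero hit count.
show access-list outside_acl
```

If the ping still fails after this, the earlier advice applies: put "permit icmp any any" on both interfaces temporarily to rule out routing or NAT, then tighten again.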
