Cisco Support Community

New Member

ICMP through Pix

Does anyone know what would happen if a forged ICMP echo reply packet coming from the Internet to an inside host hit the outside interface of the Pix?

The inside host is statically translated on the pix. And an ACL which permits ICMP echo-reply, time-exceeded, source-quench and unreachable to the inside host is configured.

What will the Pix do?

Regards,

Carlos Roque

4 REPLIES
Cisco Employee

Re: ICMP through Pix

The PIX doesn't do stateful inspection of ICMP packets as far as I'm aware, so if an echo-reply came in, even without an echo having first gone out, I would say the packet will be allowed in to the internal host.

New Member

Re: ICMP through Pix

Ok, you are right, the pix does not perform stateful inspection on ICMP packets, but since there was no connection originated from the inside interface it should block the ICMP reply packet once it hits the outside interface.

Regards,

Carlos Roque

Re: ICMP through Pix

For ICMP packets to cross the PIX they need a translation rule and an access list rule to permit them. In your example, the translation rule is there with the static and you have specified the acl to allow the echo-reply in. My money would be on the packet being allowed in.

Hope it helps.

Steve
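The two checks Steve describes (a static translation for the destination, then the outside ACL), modelled as an added example that is not from the thread or from any Cisco code; the addresses, the ACL set and the stateful variant placed beside it are constructed to show why a forged echo-reply passes the stateless path and what a reply-tracking check would do instead.

```python
"""Constructed model of the inbound ICMP path discussed in the thread.

stateless_pix(): translation lookup followed by ACL match, nothing else.
StatefulIcmp(): the same two checks plus a table of outbound echo requests,
so an echo-reply is only admitted when a matching request went out first.
"""
from dataclasses import dataclass
from typing import Optional, Set, Tuple


@dataclass(frozen=True)
class Icmp:
    src: str        # outside address the packet claims to come from
    dst: str        # global (translated) address it is sent to
    icmp_type: str  # "echo", "echo-reply", "unreachable", ...
    ident: int      # ICMP identifier used to pair a request with its reply


# Constructed values: one static translation (global -> inside) and the ACL
# from the question, applied inbound on the outside interface.
STATIC = {"203.0.113.10": "10.1.1.10"}
OUTSIDE_ACL = {"echo-reply", "time-exceeded", "source-quench", "unreachable"}


def stateless_pix(pkt: Icmp) -> Optional[str]:
    """Return the inside host the packet reaches, or None if it is dropped."""
    inside = STATIC.get(pkt.dst)
    if inside is None:                  # no translation: dropped before the ACL
        return None
    if pkt.icmp_type not in OUTSIDE_ACL:
        return None
    return inside                       # an unsolicited echo-reply passes here


class StatefulIcmp:
    """Same translation and ACL checks, plus reply matching for echo traffic."""

    def __init__(self) -> None:
        self.pending: Set[Tuple[str, str, int]] = set()  # (inside, outside, ident)

    def outbound(self, inside_src: str, dst: str, ident: int) -> None:
        self.pending.add((inside_src, dst, ident))   # echo request left the LAN

    def inbound(self, pkt: Icmp) -> Optional[str]:
        inside = STATIC.get(pkt.dst)
        if inside is None or pkt.icmp_type not in OUTSIDE_ACL:
            return None
        if pkt.icmp_type == "echo-reply":
            key = (inside, pkt.src, pkt.ident)
            if key not in self.pending:
                return None             # no matching request: forged or stale
            self.pending.discard(key)   # one reply per request
        return inside
```

The model only pairs echo requests with replies; error types such as unreachable are passed on the ACL alone, as in the stateless case.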

New Member

Re: ICMP through Pix

Right,

But how come the Pix will allow this if there was no ICMP echo connection originated from the internal host?

If you are correct, then the Pix is not performing its job in securing the inside segment. I am pretty sure Checkpoint Firewall-1 will not allow this to go through it.

Anyone could hijack resources located either on a DMZ or inside LAN.

Regards,

Carlos Roque
