04-20-2004 08:46 AM - edited 02-20-2020 11:21 PM
According to the book I have on pix firewalls and what I know from dealing with routers and switches, access lists define what traffic is allowed outside of the network. With the pix, access lists can only be applied one way, to the interface they are entering, not leaving. This is my understanding, but when I do an ICMP command:
PIX1(config)# access-list ethernet1 permit icmp any any echo-reply
PIX1(config)# access-list ethernet1 permit icmp any any unreachable
PIX1(config)# access-group ethernet1 in interface inside
This does not work, but if I apply the access group to the outside interface it works. I would like a better understanding of why this is the way it is.
Thanks
04-20-2004 08:56 AM
This works because the pix does not have session-state awareness for icmp traffic the way that it does for tcp and udp traffic.
By default, access from a higher to a lower interface is permitted, unless you have an acl applied to the higher interface - then only what the acl allows will be permitted. So you can send the icmp echo request outbound. However for the reply to be sent back in, you need to allow that explicitly in an acl that is applied on the outside interface, because the pix will not allow all outside traffic by default.
Similarly for icmp unreachables, although I would caution against that being part of the config. Only allow the unreachables due to ttl expired to aid in path mtu detection, not all unreachables.
Let me know if this helps.
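As an added illustration (not from the thread, and not Cisco's own code), here is a small Python model of the policy the answer describes: an ACL bound "in" on an interface governs everything entering that interface, otherwise higher-to-lower security traffic passes and lower-to-higher is dropped, and no ICMP state is kept. The interface names, security levels and the tuple ACL format are assumptions for the illustration.

```python
# Model of the PIX forwarding decision for ICMP as explained in the answer.
# Assumed for illustration: interface security levels and an ACL entry format
# of (action, protocol, icmp_type). Nothing here is Cisco's implementation.

SECURITY_LEVEL = {"inside": 100, "outside": 0}  # assumed default levels

def acl_permits(acl, pkt):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for action, proto, icmp_type in acl:
        if proto == pkt["proto"] and icmp_type in (None, pkt.get("icmp_type")):
            return action == "permit"
    return False

def forwarded(pkt, ingress, egress, bound_acls):
    """Is a packet entering `ingress` forwarded out `egress`?
    bound_acls maps interface name -> ACL applied 'in' on that interface.
    No ICMP session state: a reply is judged on its own like any other packet."""
    if ingress in bound_acls:
        # an ACL on the entry interface decides everything entering there
        return acl_permits(bound_acls[ingress], pkt)
    # no ACL: higher -> lower security passes by default, lower -> higher does not
    return SECURITY_LEVEL[ingress] > SECURITY_LEVEL[egress]

ECHO_REQUEST = {"proto": "icmp", "icmp_type": "echo"}
ECHO_REPLY = {"proto": "icmp", "icmp_type": "echo-reply"}
# same two entries the original poster wrote, as (action, proto, icmp_type)
ICMP_REPLY_ACL = [("permit", "icmp", "echo-reply"),
                  ("permit", "icmp", "unreachable")]

def ping_round_trip(bound_acls):
    """Return (request_leaves_ok, reply_returns_ok) for a ping from inside to outside."""
    out_ok = forwarded(ECHO_REQUEST, "inside", "outside", bound_acls)
    back_ok = forwarded(ECHO_REPLY, "outside", "inside", bound_acls)
    return out_ok, back_ok

if __name__ == "__main__":
    # poster's attempt: ACL bound on inside blocks the outbound echo (no permit
    # for it) and does nothing for the reply arriving on outside
    print("ACL on inside :", ping_round_trip({"inside": ICMP_REPLY_ACL}))
    # no ACL anywhere: echo goes out, reply is dropped at outside
    print("no ACL        :", ping_round_trip({}))
    # answer's fix: ACL bound on outside admits the reply, echo leaves by default
    print("ACL on outside:", ping_round_trip({"outside": ICMP_REPLY_ACL}))
```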
04-20-2004 09:07 AM
Great. That clears it right up for me. Thank You.