Pix 501 ICMP Access List Question

khotaling
Level 1

According to the book I have on PIX firewalls, and what I know from dealing with routers and switches, access lists define what traffic is allowed outside of the network. With the PIX, access lists can only be applied one way: to the interface they are entering, not leaving. This is my understanding, but when I enter these ICMP commands:

PIX1(config)# access-list ethernet1 permit icmp any any echo-reply

PIX1(config)# access-list ethernet1 permit icmp any any unreachable

PIX1(config)# access-group ethernet1 in interface inside

this does not work, but if I apply the access group to the outside interface, it works. I would like a better understanding of why this is the way it is.

Thanks

1 Accepted Solution

Accepted Solutions

ehirsel
Level 6

This works because the pix does not have session-state awareness for icmp traffic the way that it does for tcp and udp traffic.

By default, access from a higher to a lower interface is permitted, unless you have an acl applied to the higher interface - then only what the acl allows will be permitted. So you can send the icmp echo request outbound. However, for the reply to be sent back in, you need to allow that explicitly in an acl that is applied on the outside interface, because the pix will not allow all outside traffic by default.

Similarly for icmp unreachables, although I would caution against that being part of the config. Only allow the unreachables due to ttl expired to aid in path mtu detection, not all unreachables.

Let me know if this helps.

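The following is an added example of the configuration the accepted answer describes; it is not from the thread or from Cisco documentation. It assumes PIX 6.x access-list syntax as shown in the question, an interface named outside at security level 0 and inside at security level 100, and an ACL name (outside_in) chosen here for illustration.

```text
: Added example, not from the original thread. ACL name "outside_in" is assumed.
:
: Inside (security 100) is higher than outside (security 0), so with no ACL on
: inside, hosts may send echo requests out. The replies arrive on the outside
: interface, which permits nothing by default, so the ACL has to go there.
access-list outside_in permit icmp any any echo-reply
:
: Time-exceeded is what traceroute and expired-TTL diagnostics depend on.
access-list outside_in permit icmp any any time-exceeded
:
: Unreachables are needed for path MTU discovery (fragmentation-needed).
: The PIX 6.x access-list syntax takes an ICMP type but no code, so this
: line admits every unreachable code; there is no narrower match available.
access-list outside_in permit icmp any any unreachable
:
: The implicit deny at the end of the ACL drops all other traffic arriving on
: outside. Writing it explicitly lets "show access-list" report hit counts.
access-list outside_in deny ip any any
:
: Apply inbound on the interface where the replies enter.
access-group outside_in in interface outside
```

Applying the same two permit lines to the inside interface, as in the question, does more than fail to admit the replies: once an ACL is bound to the higher-security interface, the default higher-to-lower permit no longer applies, so outbound traffic from inside hosts is limited to echo-reply and unreachable, and the echo requests themselves are dropped. Verify with show access-list after a test ping; the hit counts on the echo-reply line should increase only when the ACL is bound to outside.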

2 Replies


Great. That clears it right up for me. Thank You.
