
New Member

Pix 501 ICMP Access List Question

According to the book I have on PIX firewalls, and from what I know from dealing with routers and switches, access lists define what traffic is allowed outside of the network. With the PIX, access lists can only be applied one way, to the interface they are entering, not leaving. This is my understanding, but when I do an ICMP command:

PIX1(config)# access-list ethernet1 permit icmp any any echo-reply

PIX1(config)# access-list ethernet1 permit icmp any any unreachable

PIX1(config)# access-group ethernet1 in interface inside

This does not work, but if I apply the access group to the outside interface it works. I would like a better understanding of why this is the way it is.

Thanks

1 ACCEPTED SOLUTION

Silver

Re: Pix 501 ICMP Access List Question

This works because the pix does not have session-state awareness for icmp traffic the way that it does for tcp and udp traffic.

By default, access from a higher to a lower interface is permitted, unless you have an acl applied to the higher interface - then only what the acl allows will be permitted. So you can send the icmp echo request outbound. However, for the reply to be sent back in, you need to allow that explicitly in an acl that is applied on the outside interface, because the pix will not allow all outside traffic by default.

Similarly for icmp unreachables, although I would caution against that being part of the config. Only allow the unreachables due to ttl expired to aid in path mtu detection, not all unreachables.

Let me know if this helps.
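To make the forwarding decision described above concrete, here is an added toy model (not code from the thread or from Cisco) of how a PIX of that era decides whether to pass a packet: tcp/udp return traffic rides on a connection entry, icmp does not, an inbound ACL on the ingress interface overrides the implicit policy, and without an ACL only higher-to-lower security traffic passes. Interface names, security levels, addresses and the ACL contents are assumed; it reproduces the three cases from the question (no ACL, ACL on inside, ACL on outside).

```python
from dataclasses import dataclass, field

# Assumed security levels for a two-interface PIX 501.
SECURITY = {"inside": 100, "outside": 0}


@dataclass
class Pix:
    acls: dict = field(default_factory=dict)   # ingress ACL per interface: [(proto, subtype)]
    conns: set = field(default_factory=set)    # tracked tcp/udp flows: (src, dst, proto)

    def bind(self, iface, rules):
        """access-group <acl> in interface <iface>: rules apply to traffic entering iface."""
        self.acls[iface] = rules

    def forward(self, iface, proto, subtype, src, dst):
        """Return True if a packet entering `iface` is forwarded."""
        # 1. Stateful path: tcp/udp return traffic matches an existing connection.
        if proto in ("tcp", "udp") and (dst, src, proto) in self.conns:
            return True
        # 2. An ACL bound inbound on the ingress interface decides (implicit deny at the end).
        if iface in self.acls:
            allowed = any(p == proto and (s is None or s == subtype)
                          for p, s in self.acls[iface])
        else:
            # 3. No ACL: only higher-security -> lower-security traffic passes.
            egress = "outside" if iface == "inside" else "inside"
            allowed = SECURITY[iface] > SECURITY[egress]
        if allowed and proto in ("tcp", "udp"):
            self.conns.add((src, dst, proto))   # icmp never gets a connection entry
        return allowed


# Constructed sample flows: inside host 10.0.0.5 talking to 198.51.100.1 (documentation range).
def ping_roundtrip(pix):
    out = pix.forward("inside", "icmp", "echo", "10.0.0.5", "198.51.100.1")
    back = pix.forward("outside", "icmp", "echo-reply", "198.51.100.1", "10.0.0.5")
    return out, back


def tcp_roundtrip(pix):
    out = pix.forward("inside", "tcp", "syn", "10.0.0.5", "198.51.100.1")
    back = pix.forward("outside", "tcp", "syn-ack", "198.51.100.1", "10.0.0.5")
    return out, back


ICMP_RETURN = [("icmp", "echo-reply"), ("icmp", "unreachable")]  # the ACL from the question
```

Run `ping_roundtrip` against a bare `Pix()`, one with `ICMP_RETURN` bound on `inside`, and one with it bound on `outside` to see the echo reply dropped, the request itself dropped, and both pass respectively. Later PIX 6.3+ and ASA images add icmp inspection (`inspect icmp`), which gives echo/echo-reply the same stateful treatment as tcp/udp; this model reflects the behaviour the thread describes without it.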

2 REPLIES

New Member

Re: Pix 501 ICMP Access List Question

Great. That clears it right up for me. Thank You.
