Once I turn on ip audit name XXX info and ip audit name action with drop option, I can't ping my firewall, or devices behind it any more. That is fine. However, I created an ACL to allow these ICMPs to go through, but they get dropped regardless of ACL. ICMP packets go through only when I remove "drop" option from ip audit command.
Any suggestions? Help?
I would like to be able to ping several devices behind the firewall and not to turn off "drop" option of ip audit name XXX action and info.
Here is the config:
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxx encrypted
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
access-list Ping_in permit icmp host X.X.8.210 any
The problem is that your IP audit commands "trump" the ACL that you created. In IOS, we do have the ability to add an ACL to certain sigs so they are detected from/to certain hosts and ignored from/to others. However, the PIX does not offer this level of granularity. Your best bet is going to be disabling the signatures you do not want the PIX detecting by using the following command - 'ip audit signature signature_number disable'. Or you can set the informational alarms to an action of alarm only (no real need generally to drop these packets). However, the config above is not complete so I don't know if you are running into a problem here as well. Take a look here for some info on the various 'ip audit' commands.
I have read in PIX manual that I can assign ACL to that specific signature and filter out ACL traffic before it gets to the signature. However, how do I know which signature number is used for ICMP ECHO, and ICMP Reply?
Actually, you cannot apply an ACL to the audit command. This is a feature in IOS IDS but not in PIX IDS. Your only option to streamline the signatures is to either have them turned on or off. As for identifying the exact sigs you are hitting, you would probably need to set up a syslog server to be absolutely sure which sigs were causing the packet drop. In your case however, I would say that you are probably seeing sig ID 2000. Take a look at the following link for a complete list of all of the sigs that the PIX looks for - http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63syslog/pixemsgs.htm#1138590
Note that a lot of the ICMP sigs are "Informational" which means that you can enable the action on your "Informational" sigs (alarm) to be less than the actions on your "Attack" sigs (alarm, drop, and reset).
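The answer above recommends confirming from syslog which signature IDs are actually causing the drops before disabling anything. The script below is an added example, not code from the thread or from Cisco: it parses the 400xxx-series IDS syslog lines a PIX emits, counts hits per signature, and prints the matching 'ip audit signature N disable' lines only for signatures you have explicitly reviewed and decided are benign. The sample log lines are constructed, and the signature numbers in them (2000 for ICMP echo reply, as the answer suggests, and 2004 for ICMP echo request) are assumptions to be checked against the signature list linked above.

```python
import re
from collections import Counter

# Constructed sample of PIX 6.x syslog output (not from the original thread).
# Assumed mapping: IDS:2000 = ICMP echo reply, IDS:2004 = ICMP echo request.
# The last line is a normal connection message and must be ignored by the parser.
SAMPLE_SYSLOG = """\
Jan 10 09:12:01 pix %PIX-4-400013: IDS:2004 ICMP echo request from 203.0.113.5 to 198.51.100.10 on interface outside
Jan 10 09:12:01 pix %PIX-4-400011: IDS:2000 ICMP echo reply from 198.51.100.10 to 203.0.113.5 on interface inside
Jan 10 09:12:02 pix %PIX-4-400013: IDS:2004 ICMP echo request from 203.0.113.5 to 198.51.100.10 on interface outside
Jan 10 09:12:05 pix %PIX-4-400007: IDS:1100 IP Fragment Attack from 192.0.2.77 to 198.51.100.10 on interface outside
Jan 10 09:12:06 pix %PIX-6-302013: Built inbound TCP connection 12 for outside:203.0.113.5/4001 (203.0.113.5/4001) to inside:198.51.100.10/80 (198.51.100.10/80)
"""

# IDS messages are the 4000xx message IDs and carry "IDS:<sig> <description> from <src> to <dst> on interface <if>".
IDS_RE = re.compile(
    r"%PIX-(?P<sev>\d)-(?P<msgid>4000\d\d): IDS:(?P<sig>\d+) (?P<desc>.+?) "
    r"from (?P<src>\S+) to (?P<dst>\S+) on interface (?P<iface>\S+)"
)


def parse_ids_events(text):
    """Return one dict per IDS syslog line; non-IDS lines are skipped."""
    events = []
    for line in text.splitlines():
        m = IDS_RE.search(line)
        if m:
            event = m.groupdict()
            event["sig"] = int(event["sig"])
            events.append(event)
    return events


def signature_counts(events):
    """Count hits per (signature id, description) so the noisy sigs stand out."""
    return Counter((e["sig"], e["desc"]) for e in events)


def disable_commands(events, reviewed_benign_sigs):
    """Emit 'ip audit signature N disable' only for sigs that both fired and
    were explicitly reviewed as benign; anything else stays enabled."""
    seen = {e["sig"] for e in events}
    return [f"ip audit signature {sig} disable"
            for sig in sorted(seen & set(reviewed_benign_sigs))]


if __name__ == "__main__":
    evts = parse_ids_events(SAMPLE_SYSLOG)
    for (sig, desc), n in signature_counts(evts).most_common():
        print(f"sig {sig:5d}  hits {n:3d}  {desc}")
    # Only the ICMP echo signatures have been reviewed here; 1100 is left enabled.
    for cmd in disable_commands(evts, {2000, 2004}):
        print(cmd)
```

Run it against a real syslog export instead of SAMPLE_SYSLOG to see which signatures the PIX is reporting on your ping traffic; keeping the informational group at action alarm, as the answer suggests, is the lower-risk alternative to disabling individual signatures.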