Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Problem with using Cisco Configuration Assistant 1.5

I configured the firewall feature of a CS871W router using Cisco Configuration Assistant v1.5. All stations inside the firewall worked well but I can't seems to ping and telnet the WAN port from another workstation over the internet the moment I set the firewall to low/medium or high. I can ping and telnet when the router is configured without the firewalling feature.

Please see attached sample router configuration and I appreciate any advice on resolving the PING and Telnet but not compromising security.

  • Other Security Subjects
1 REPLY
Bronze

Re: Problem with using Cisco Configuration Assistant 1.5

The PIX does not dynamically allow the return packets from pings/traceroutes. For inside users to be able to ping external hosts, you need to permit Internet Control Message Protocol (ICMP) echo reply packets back through the PIX. The PIX does not dynamically open up access for the ICMP reply packets.

The solution is to apply an access-list to the outside interface permitting echo reply packets back in.

For example:

access-list 101 permit icmp any any echo-reply

access-list 101 permit icmp any any source-quench

access-list 101 permit icmp any any unreachable

access-list 101 permit icmp any any time-exceeded

access-group 101 in interface outside

This allows only these return messages through the firewall when an inside user pings to an outside host. The other types of ICMP status messages might be hostile and the firewall blocks all other ICMP messages

105
Views
0
Helpful
1
Replies
This widget could not be displayed.