Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Stuburn ICMP!!!!

Hello,

Im running IOS 6.1.2 and the outside interface is pingable from the outside, this is the problem. All the NATs are not pingable (which is good). I have even put an explicit deny on the access-list to disable pinging but still pinging. Can you help me???? Here is the copy of the config. I have changed ip's and names in this sample otherwise my boss will freak (dont ask)

PIX Version 6.1(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

access-list inet-in permit tcp any host 166.19.111.113 eq smtp

access-list inet-in deny udp any any eq 1434

access-list inet-in deny icmp any any

access-list nonat permit ip 10.9.0.0 255.255.0.0 192.168.1.0 255.255.255.0

access-list inet-out deny ip host 10.9.1.121 any

access-list inet-out deny ip host 10.9.1.122 any

access-list inet-out deny ip host 10.9.1.123 any

access-list inet-out deny ip host 10.9.1.126 any

access-list inet-out deny ip host 10.9.1.153 any

access-list inet-out deny ip host 10.9.1.167 any

access-list inet-out deny ip host 10.9.1.179 any

access-list inet-out deny ip host 10.9.1.181 any

access-list inet-out permit ip any any

interface ethernet0 auto

interface ethernet1 auto

mtu outside 1500

mtu inside 1500

<--- More --->

ip address outside 166.19.111.114 255.255.255.0

ip address inside 10.9.1.7 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool vpnpool1 192.168.1.1-192.168.1.254

pdm history enable

arp timeout 14400

global (outside) 1 166.19.111.116-166.19.111.118

global (outside) 1 166.19.111.115

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) 166.19.111.113 EXCH01 netmask 255.255.255.255 0 0

access-group inet-in in interface outside

access-group inet-out in interface inside

route outside 0.0.0.0 0.0.0.0 166.19.111.1 1

route inside 10.9.0.0 255.255.0.0 10.9.1.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol tacacs+

url-server (inside) host WEBSENSE timeout 5 protocol TCP version 1

url-cache dst 8KB

<--- More --->

filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow

http server enable

no snmp-server location

no snmp-server contact

snmp-server community who-cares

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set encrypt1 esp-des esp-md5-hmac

crypto dynamic-map microsoft 1 set transform-set encrypt1

crypto map vpnuser 20 ipsec-isakmp dynamic microsoft

crypto map vpnuser interface outside

isakmp enable outside

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup remoteuser$ address-pool vpnpool1

vpngroup remoteuser$ dns-server server

vpngroup remoteuser$ wins-server wserver

<--- More --->

vpngroup remoteuser$ default-domain microsoft.com

vpngroup remoteuser$ split-tunnel nonat

vpngroup remoteuser$ idle-time 1800

vpngroup remoteuser$ password ********

telnet 192.168.1.0 255.255.255.0 outside

telnet 10.9.0.0 255.255.0.0 inside

telnet timeout 5

ssh timeout 5

terminal width 80

Cryptochecksum:eff90d3dbce164b4e57b4ce0f3544571

PIX(config)#

3 REPLIES
Gold

Re: Stuburn ICMP!!!!

Hi Rudy,

Try this, take out the ACL (access-list inet-in deny icmp any any) and place this onto your config: (in config mode),

> icmp deny any outside

make sure you write to memory, also as a good security check, go to www.grc.com and try the 'shields Up' software this will check for any holes on your outside interface (this is secure and free) and will give you a report of any open ports. Let me know how you get on.

Hope this helps -

Re: Stuburn ICMP!!!!

Hi,

when you want to create an access-list for icmp traffic that is terminated at one of the interface of the pix, then you have to use the 'icmp' command. The normal 'acces-list' command does not work in this situation.

This is some info from the command reference(6.3):

icmp

Configure access rules for Internet Control Message Protocol (ICMP) traffic that terminates at an interface.

[no] icmp {permit | deny} ip_address net_mask [icmp_type] if_name

clear icmp

show icmp

Syntax Description

deny

Deny access if the conditions are matched.

icmp_type

ICMP message type as described in Table 6-1.

if_name

The interface name.

ip_address

The IP address of the host sending ICMP messages to the interface.

net_mask

The mask to be applied to ip_address.

permit

Permit access if the conditions are matched.

Regards,

Tom

New Member

Re: Stuburn ICMP!!!!

You need to apply the list to the interface on the outside

NOT "access-list inet-in deny icmp any any"

This prevents icmp from any on the inside to any

You want "access-list inet-out deny icmp any any"

This prevents icmp from any on the outside to any

Remember to apply the list to the interface where the packets are coming into it.

146
Views
9
Helpful
3
Replies