05-02-2003 11:06 AM - edited 03-09-2019 03:08 AM
Hello,
I'm running IOS 6.1.2 and the outside interface is pingable from the outside; this is the problem. All the NATs are not pingable (which is good). I have even put an explicit deny on the access-list to disable pinging, but it is still pinging. Can you help me? Here is a copy of the config. I have changed IPs and names in this sample, otherwise my boss will freak (don't ask).
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list inet-in permit tcp any host 166.19.111.113 eq smtp
access-list inet-in deny udp any any eq 1434
access-list inet-in deny icmp any any
access-list nonat permit ip 10.9.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list inet-out deny ip host 10.9.1.121 any
access-list inet-out deny ip host 10.9.1.122 any
access-list inet-out deny ip host 10.9.1.123 any
access-list inet-out deny ip host 10.9.1.126 any
access-list inet-out deny ip host 10.9.1.153 any
access-list inet-out deny ip host 10.9.1.167 any
access-list inet-out deny ip host 10.9.1.179 any
access-list inet-out deny ip host 10.9.1.181 any
access-list inet-out permit ip any any
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 166.19.111.114 255.255.255.0
ip address inside 10.9.1.7 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool1 192.168.1.1-192.168.1.254
pdm history enable
arp timeout 14400
global (outside) 1 166.19.111.116-166.19.111.118
global (outside) 1 166.19.111.115
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 166.19.111.113 EXCH01 netmask 255.255.255.255 0 0
access-group inet-in in interface outside
access-group inet-out in interface inside
route outside 0.0.0.0 0.0.0.0 166.19.111.1 1
route inside 10.9.0.0 255.255.0.0 10.9.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol tacacs+
url-server (inside) host WEBSENSE timeout 5 protocol TCP version 1
url-cache dst 8KB
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
http server enable
no snmp-server location
no snmp-server contact
snmp-server community who-cares
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set encrypt1 esp-des esp-md5-hmac
crypto dynamic-map microsoft 1 set transform-set encrypt1
crypto map vpnuser 20 ipsec-isakmp dynamic microsoft
crypto map vpnuser interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup remoteuser$ address-pool vpnpool1
vpngroup remoteuser$ dns-server server
vpngroup remoteuser$ wins-server wserver
vpngroup remoteuser$ default-domain microsoft.com
vpngroup remoteuser$ split-tunnel nonat
vpngroup remoteuser$ idle-time 1800
vpngroup remoteuser$ password ********
telnet 192.168.1.0 255.255.255.0 outside
telnet 10.9.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:eff90d3dbce164b4e57b4ce0f3544571
PIX(config)#
05-03-2003 02:48 AM
Hi Rudy,
Try this: take out the ACL (access-list inet-in deny icmp any any) and put this into your config (in config mode):
> icmp deny any outside
Make sure you write to memory. Also, as a good security check, go to www.grc.com and try the 'Shields Up' software; this will check for any holes on your outside interface (this is secure and free) and will give you a report of any open ports. Let me know how you get on.
Hope this helps -
05-03-2003 07:39 AM
Hi,
When you want to create an access list for ICMP traffic that is terminated at one of the interfaces of the PIX, you have to use the 'icmp' command. The normal 'access-list' command does not work in this situation.
This is some info from the command reference (6.3):
icmp
Configure access rules for Internet Control Message Protocol (ICMP) traffic that terminates at an interface.
[no] icmp {permit | deny} ip_address net_mask [icmp_type] if_name
clear icmp
show icmp
Syntax Description
deny: Deny access if the conditions are matched.
icmp_type: ICMP message type as described in Table 6-1.
if_name: The interface name.
ip_address: The IP address of the host sending ICMP messages to the interface.
net_mask: The mask to be applied to ip_address.
permit: Permit access if the conditions are matched.
Regards,
Tom
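To make Tom's point concrete, here is an added audit check (my own example, not code from this thread or from Cisco) that parses a few constructed PIX lines modelled on Rudy's config. It reports whether an ACL `deny icmp` bound to the outside interface is being relied on, versus an `icmp` interface rule, which is what actually governs pings addressed to the PIX itself; the before/after configs and the rule regexes are my assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the lines of the poster's config that matter, and the
# same config with the 'icmp deny any outside' rule suggested in the thread.
PIX_CONFIG_BEFORE = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list inet-in permit tcp any host 166.19.111.113 eq smtp
access-list inet-in deny icmp any any
access-group inet-in in interface outside
access-group inet-out in interface inside
"""
PIX_CONFIG_AFTER = PIX_CONFIG_BEFORE + "icmp deny any outside\n"

ACL_GROUP = re.compile(r"access-group (\S+) in interface (\S+)$")
ACL_ICMP_DENY = re.compile(r"access-list (\S+) deny icmp\b")
# icmp {permit|deny} {any | ip mask} [icmp_type] if_name
ICMP_RULE = re.compile(r"icmp (permit|deny) (any|\S+ \S+)(?: (\S+))? (\S+)$")


def audit_interface_icmp(config: str, if_name: str) -> Dict[str, object]:
    """Tell whether echo requests sent *to* if_name itself are blocked.

    An access-group ACL only filters traffic passing through the PIX; pings
    addressed to the interface are governed by 'icmp' rules alone, which are
    evaluated first-match and permit everything when none is configured.
    """
    acls_on_if: List[str] = []
    acl_icmp_denies: List[str] = []
    icmp_rules: List[Tuple[str, str, Optional[str]]] = []
    for raw in config.splitlines():
        line = raw.strip()
        if (m := ACL_GROUP.match(line)) and m.group(2) == if_name:
            acls_on_if.append(m.group(1))
        elif (m := ACL_ICMP_DENY.match(line)):
            acl_icmp_denies.append(m.group(1))
        elif (m := ICMP_RULE.match(line)) and m.group(4) == if_name:
            icmp_rules.append((m.group(1), m.group(2), m.group(3)))
    # First 'icmp' rule matching an 'any' source with no type or an echo type
    # decides; no rules at all means the PIX answers pings by default.
    blocked = False
    for action, src, itype in icmp_rules:
        if src == "any" and itype in (None, "echo", "8"):
            blocked = action == "deny"
            break
    return {
        "icmp_rules": len(icmp_rules),
        # True means an ACL deny exists but has no effect on pings to the PIX.
        "acl_deny_icmp_on_interface": any(a in acls_on_if for a in acl_icmp_denies),
        "interface_echo_blocked": blocked,
    }
```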
05-05-2003 03:20 PM
You need to apply the list to the interface on the outside.
NOT "access-list inet-in deny icmp any any".
This prevents ICMP from any on the inside to any.
You want "access-list inet-out deny icmp any any".
This prevents ICMP from any on the outside to any.
Remember to apply the list to the interface where the packets are coming into it.