Hi, To really understand this stuff. There are only two ways by which a traffice can pass from a lower security interface to a higer security interface. 1. Use the conduit or access-list command. 2. As a reply to an initial session.
For the traffic to be allow in (reply to a session initiated from an inside interface, option 2 above) the ASA compares the traffic's source/destination IP address and Port numbers and other parameters to what is in its state table. All four paraments must be complete for the traffic to be allowed back into the inside interface by that only can the PIX know that the current traffic session was indeed a reply to an outbound traffic. For protocols that behave some what differently, the PIX have the various Fixup Protocol commands to make adjustments for them the PIX ASA. In the case of the ping, among the different types of ICMP messages, the PIX firewall conduit command allow the filtering of 18 ICMP messages. The Ping is echo and it is ICMP code 8, why the reply is echo-reply ICMP code 0. When you intiate a ping from a higher security interface to a lower one, the ASA allows the echo (ICMP type 8) access out, the host reply with echo-reply (ICMP type 0), which was different from the ICMP type 8 that was sent out. Naturally the PIX ASA will drop that packet and send 'Host Unreachable' message to you. To receive your echo-reply you need to create an exception in the ASA by using the conduit or access-list command. My 0.02 cents Regards. Oletu ----- Original Message ----- From: chenyan To: Godswill HO Sent: Saturday, January 26, 2002 8:38 PM Subject: Re: help me with the pix problem! [7:33287] > hi,thanks your help. > As you said, if the ping need the reply by the access-list, then the nat command for the traffic to the outside need also the reply, but it seems that there is not the command for the reply. > > regards. > > ----- Original Message ----- > From: Godswill HO > To: cage ; > Sent: Sunday, January 27, 2002 2:52 PM > Subject: Re: help me with the pix problem! [7:33287] > > > > Hi, > > The command: > > PIX#conduit permit icmp any any > > might just be your life saver. Do not forget that though by default traffics > > are permitted from any inside interface to an outside interface, you have to > > creat an except for the echo-reply packet from the outside interface to the > > inside interface. > > > > Regards. > > Oletu > > > > ----- Original Message ----- > > From: cage > > To: > > Sent: Saturday, January 26, 2002 11:26 AM > > Subject: help me with the pix problem! [7:33287] > > > > > > > hi,everybody. > > > My envirment is: > > > the outside interface of pix 525 is connected to the fibre-ethernet > > > transceiver ,no router availble, and the dmz interface of the pix is > > > connected to several severs like www,dns,etc. The inside interface is > > > connected to the lan, no proxy availble. > > > When I finished my configure, I met some problem: > > > 1 The dmz servers traffic can not be out. And at the same time,they can > > not > > > ping the outside interface address correctly. > > > 2 the inside lan nodes can not ping the dmz interface address,but can ping > > > other server in the dmz correctly. > > > > > > I know I should use the nat commands to bring the traffic of dmz to the > > > outside, but since the outside address provided by the isp are private > > ones, > > > so I have to use NAT (dmz) 0, but why the dmz traffic can not be out? > > > I hope the design is not wrong. > > > > > > the following is my config,help me,please. > > > > > > sh conf > > > : Saved > > > : > > > PIX Version 6.0(1) > > > nameif ethernet0 outside security0 > > > nameif ethernet1 inside security100 > > > nameif ethernet2 dmz security50 > > > nameif ethernet3 intf3 security15 > > > nameif ethernet4 intf4 security20 > > > enable password 8Ry2YjIyt7RRXU24 encrypted > > > passwd 2KFQnbNIdI.2KYOU encrypted > > > hostname pixfirewall > > > fixup protocol ftp 21 > > > fixup protocol http 80 > > > fixup protocol h323 1720 > > > fixup protocol rsh 514 > > > fixup protocol smtp 25 > > > fixup protocol sqlnet 1521 > > > fixup protocol sip 5060 > > > fixup protocol skinny 2000 > > > names > > > access-list acl_in permit tcp any host 202.99.33.69 eq smtp > > > access-list acl_in permit tcp any host 202.99.33.72 eq www > > > access-list acl_in permit tcp any host 202.99.33.66 eq domain > > > access-list acl_in permit tcp any host 202.99.33.67 eq domain > > > access-list acl_in permit icmp any any > > > access-list ping_acl permit icmp any any > > > pager lines 30 > > > interface ethernet0 auto > > > interface ethernet1 auto > > > interface ethernet2 auto > > > > > > > > > interface ethernet3 auto shutdown > > > interface ethernet4 auto shutdown > > > mtu outside 1500 > > > mtu inside 1500 > > > mtu dmz 1500 > > > mtu intf3 1500 > > > mtu intf4 1500 > > > ip address outside 210.82.34.29 255.255.255.0 > > > ip address inside 192.168.4.1 255.255.255.0 > > > ip address dmz 202.99.33.254 255.255.255.0 > > > ip address intf3 127.0.0.1 255.255.255.255 > > > ip address intf4 127.0.0.1 255.255.255.255 > > > ip audit info action alarm > > > ip audit attack action alarm > > > no failover > > > failover timeout 0:00:00 > > > failover poll 15 > > > failover ip address outside 0.0.0.0 > > > failover ip address inside 0.0.0.0 > > > failover ip address dmz 0.0.0.0 > > > failover ip address intf3 0.0.0.0 > > > failover ip address intf4 0.0.0.0 > > > pdm history enable > > > arp timeout 14400 > > > global (dmz) 1 202.99.33.73 netmask 255.255.255.0 > > > nat (inside) 1 192.168.4.250 255.255.255.255 0 0 > > > nat (dmz) 0 202.99.33.0 255.255.255.0 0 0 > > > static (dmz,outside) 202.99.33.69 202.99.33.69 netmask 255.255.255.255 0 0 > > > static (dmz,outside) 202.99.33.72 202.99.33.72 netmask 255.255.255.255 0 0 > > > static (dmz,outside) 202.99.33.66 202.99.33.66 netmask 255.255.255.255 0 0 > > > > > > > > > static (dmz,outside) 202.99.33.67 202.99.33.67 netmask 255.255.255.255 0 0 > > > access-group acl_in in interface outside > > > access-group ping_acl in interface dmz > > > access-group ping_acl in interface inside > > > route outside 0.0.0.0 0.0.0.0 210.82.34.25 1 > > > timeout xlate 3:00:00 > > > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 > > > 0:05:00 sip 0:30:00 sip_media 0:02:00 > > > timeout uauth 0:05:00 absolute > > > aaa-server TACACS+ protocol tacacs+ > > > aaa-server RADIUS protocol radius > > > no snmp-server location > > > no snmp-server contact > > > snmp-server community public > > > no snmp-server enable traps > > > floodguard enable > > > no sysopt route dnat > > > telnet timeout 5 > > > ssh timeout 5 > > > terminal width 80 > > > Cryptochecksum:3be86ece2c90058e0c9190f986717d63 > > > > > > pixfirewall# > > _________________________________________________________ > > Do You Yahoo!? > > Get your free @yahoo.com address at http://mail.yahoo.com > > > _________________________________________________________ Do You Yahoo!? Get your free @yahoo.com address at http://mail.yahoo.com Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33369&t=33287 -------------------------------------------------- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
