Forgive me for not reading the book yet, as I've been quite busy too... but I have a question in regards to the config line you gave.

I've used the PDM so far to do most of the configuration of my PIX, and it creates access-lists rather than conduits. I know from others I've talked with that Cisco is moving from conduits to access-lists on the PIX configs. This is the question. I configure it to allow:

    ICMP any(Outside) any(Inside) = Echo Reply
    ICMP any(Outside) any(Inside) = Time Exceeded
    ICMP any(Outside) any(Inside) = Unreachable

Does this do the same thing as what you were saying about "conduit permit any any X"? I think it does, but just want to make sure that I haven't opened up ICMP completely with it being initiated from the outside.

Thanks!
Mark

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ole Drews Jensen
Sent: Thursday, March 14, 2002 10:42 AM
To: [EMAIL PROTECTED]
Subject: RE: Question on PIX 501 [7:38246]

Hi Justin,

When you ping, you use the ICMP protocol. When A pings B, A sends ICMP echo-request (number 8) to B, and B sends ICMP echo-reply (number 0) back to A.

The PIX does not allow ICMP traffic to come from the outside to the inside, so to change that, you will need to open up for ICMP number 0 (echo-reply). The command for that is:

    conduit permit icmp any any 0

This is a good way to do it, because then you allow outside devices to reply to your request, but they are not allowed to do a PING themselves.

If you want PING to work both ways, simply use this command:

    conduit permit icmp any any

Hth,

Ole

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Ole Drews Jensen
Systems Network Manager
CCNP, MCSE, MCP+I
RWR Enterprises, Inc.
[EMAIL PROTECTED]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.RouterChief.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
NEED A JOB ???
http://www.oledrews.com/job
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-----Original Message-----
From: Justin C [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 14, 2002 10:10 AM
To: [EMAIL PROTECTED]
Subject: RE: Question on PIX 501

Ole,

Thanks for the reply. I understand being busy. I normally try to solve these things all on my own, but I just don't have the available time. I spent six hours on it yesterday.

Justin

From: Ole Drews Jensen
To: 'Justin C'
Subject: RE: Question on PIX 501
Date: Thu, 14 Mar 2002 08:08:30 -0600

I did receive the message - I do not know why groupstudy did not.

I apologize for not getting back with you yesterday, but I am so busy these days, as there are many projects I have to finish.

I will see if I can find a couple of minutes to read your entire e-mail from yesterday, and help you out.

Try the [EMAIL PROTECTED] again.

Ole

-----Original Message-----
From: Justin C [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 14, 2002 8:14 AM
To: [EMAIL PROTECTED]
Subject: Question on PIX 501

Ole,

I apologize in advance for yet another direct message. I am just wondering if you did get the message regarding the Pix 501, as groupstudy has not. I dislike having to message direct, but I am really scratching my head over this, so any help you can offer would be greatly appreciated.

In a nutshell, have you worked with a 501? If so, was it plug and play, or did you have to perform additional configurations to get it to work?

My thanks in advance for your time.

Justin Cluer

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=38253&t=38246
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
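
The following is an added example, not part of the thread or any poster's configuration. It models outside-to-inside ICMP filtering as a list of permitted types with an implicit deny, and compares the rule sets discussed above. The ACL name `acl_out` and the access-list rendering of the three PDM rules are assumptions made for illustration.

```python
import re

# ICMP type numbers from RFC 792, keyed by the keyword used in the rules below.
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "echo": 8, "time-exceeded": 11}

# Accepts only the two rule shapes discussed in the thread, with any/any addresses.
RULE_RE = re.compile(
    r"^(?:conduit|access-list\s+\S+)\s+permit\s+icmp\s+any\s+any(?:\s+(\S+))?$")

def parse_rules(config):
    """Return permitted inbound ICMP types; None in the list means 'every type'."""
    permitted = []
    for line in config.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported line: {line!r}")
        arg = m.group(1)
        if arg is None:
            permitted.append(None)            # no type given: all ICMP allowed
        elif arg.isdigit():
            permitted.append(int(arg))        # numeric type, e.g. "0"
        else:
            permitted.append(ICMP_TYPES[arg])  # keyword, e.g. "echo-reply"
    return permitted

def inbound_allowed(rules, icmp_type):
    """A packet passes if any permit rule matches; otherwise implicit deny."""
    return any(r is None or r == icmp_type for r in rules)

def exposure(config):
    """Map each ICMP message name to whether it may enter from the outside."""
    rules = parse_rules(config)
    return {name: inbound_allowed(rules, num) for name, num in ICMP_TYPES.items()}

# Constructed sample configurations.
REPLY_ONLY = "conduit permit icmp any any 0"
BOTH_WAYS = "conduit permit icmp any any"
THREE_TYPES = """
access-list acl_out permit icmp any any echo-reply
access-list acl_out permit icmp any any time-exceeded
access-list acl_out permit icmp any any unreachable
"""  # acl_out is a hypothetical name

if __name__ == "__main__":
    for label, cfg in [("reply only", REPLY_ONLY), ("three types", THREE_TYPES),
                       ("both ways", BOTH_WAYS)]:
        print(label, exposure(cfg))
```

Under this model, only the rule with no type argument lets an outside echo request (type 8) through; the three-type list admits replies and error messages but not outside-initiated pings.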