Forgive me for not reading the book yet, as I've been quite busy too....
... but, I have a question in regards to the config line you gave.
I've used the PDM so far to most of the configuration of my PIX, and it
creates access-lists rather than conduits. I know from others I've talked
with, that Cisco is moving from conduits to access-lists on the PIX
configs... this is the question
I configure to allow ICMP any(Outside) any(Inside) = Echo Reply
ICMP any(Outside) any(Inside) = Time Exceeded
ICMP any(Outside) any(Inside) = Unreachable
Does this do the same thing as what you were saying about "conduit permit
any any X"??
I think it does, but just want to make sure that I haven't opened up ICMP
completely with it being initiated from the outside.
Thanks!
Mark
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Ole Drews Jensen
Sent: Thursday, March 14, 2002 10:42 AM
To: [EMAIL PROTECTED]
Subject: RE: Question on PIX 501 [7:38246]
Hi Justin,
When you ping, you use the ICMP protocol.
When A pings B, A sends ICMP echo-request (number 8) to B, and B sends ICMP
echo-reply (number 0) back to A.
The PIX does not allow ICMP traffic to come from the outside to the inside,
so to change that, you will need to open up for ICMP number 0 (echo-reply).
The command for that is:
conduit permit icmp any any 0
This is a good way to do it, because then you allow outside devices to reply
to your request, but they are not allowed to do a PING themself. If you want
PING to work both ways, simply use this command:
conduit permit icmp any any
Hth,
Ole
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Ole Drews Jensen
Systems Network Manager
CCNP, MCSE, MCP+I
RWR Enterprises, Inc.
[EMAIL PROTECTED]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.RouterChief.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
NEED A JOB ???
http://www.oledrews.com/job
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-----Original Message-----
From: Justin C [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 14, 2002 10:10 AM
To: [EMAIL PROTECTED]
Subject: RE: Question on PIX 501
Ole,
Thanks for the reply. I understand being busy. I normally try to solve
these things all on my own, but I just don't have the available time. I
spent six hours on it yesterday.
Justin
From: Ole Drews Jensen
To: 'Justin C'
Subject: RE: Question on PIX 501
Date: Thu, 14 Mar 2002 08:08:30 -0600
I did receive the message - I do not know why groupstudy did not.
I appologize for not getting back with you yesterday, but I am so busy these
days, as there are many projects I have to finish.
I will see if I can find a couple of minutes to read your entire e-mail from
yesterday, and help you out.
Try the [EMAIL PROTECTED] again.
Ole
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Ole Drews Jensen
Systems Network Manager
CCNP, MCSE, MCP+I
RWR Enterprises, Inc.
[EMAIL PROTECTED]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.RouterChief.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
NEED A JOB ???
http://www.oledrews.com/job
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-----Original Message-----
From: Justin C [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 14, 2002 8:14 AM
To: [EMAIL PROTECTED]
Subject: Question on PIX 501
Ole,
I apologize in advance for yet another direct message. I am just wondering
if you did get the message regarding the Pix 501 as groupstudy has not.
I dislike having to message direct, but I am really scratching my head over
this, so anything help you can offer would be greatly appreciated. In a
nutshell, have you worked with a 501. If so, was it plug and play or did
you have to perform additional configurations to get it to work.
My thanks in advance for your time.
Justin Cluer
_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp.
_________________________________________________________________
Send and receive Hotmail on your mobile device: http://mobile.msn.com
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=38253&t=38246
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
