If you need to use tracert, you need to open for ICMP type 11 = Time
Exceeded:

        conduit permit icmp any any 11

You do not need the Echo-Reply (icmp type 0) if you only use tracert, but
if you're using both tracert and ping, you would need either:

        conduit permit icmp any any 0
        conduit permit icmp any any 11

or

        conduit permit icmp any any

Hth,

Ole

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Ole Drews Jensen
 Systems Network Manager
 CCNP, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 http://www.RouterChief.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 NEED A JOB ???
 http://www.oledrews.com/job
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
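
An added example (not part of the original e-mails): a small Python model of which inbound ICMP types the conduit rule sets quoted in this thread admit from the outside, showing that the untyped rule also lets echo-requests in. It handles only the `any` and `host <ip>` address forms; the host-scoped rule, the function names and the 192.0.2.x / 198.51.100.x addresses are constructed for illustration.

```python
import ipaddress

# ICMP types discussed in the thread, plus type 3 for comparison.
ICMP_NAMES = {0: "echo-reply", 3: "unreachable", 8: "echo-request", 11: "time-exceeded"}

# Rule sets quoted in the thread.
REPLIES_ONLY = """
conduit permit icmp any any 0
conduit permit icmp any any 11
"""
WIDE_OPEN = "conduit permit icmp any any"
# Constructed rule (not from the thread): replies limited to one inside host.
HOST_SCOPED = "conduit permit icmp host 192.0.2.10 any 11"

def _take_addr(tokens):
    """Consume 'any' or 'host <ip>'; None means any address."""
    if tokens and tokens[0] == "any":
        return None, tokens[1:]
    if len(tokens) >= 2 and tokens[0] == "host":
        return ipaddress.ip_address(tokens[1]), tokens[2:]
    raise ValueError(f"unsupported address form: {tokens}")

def parse_conduit(line):
    """Parse 'conduit permit icmp <inside> <outside> [icmp_type]'."""
    tokens = line.split()
    if tokens[:3] != ["conduit", "permit", "icmp"]:
        raise ValueError(f"not an ICMP permit conduit: {line!r}")
    inside, rest = _take_addr(tokens[3:])
    outside, rest = _take_addr(rest)
    icmp_type = int(rest[0]) if rest else None  # no type = every ICMP type
    return {"inside": inside, "outside": outside, "type": icmp_type}

def permits(config, src, dst, icmp_type):
    """True if any rule admits this outside-to-inside ICMP packet; otherwise
    the packet is dropped (implicit deny for inbound traffic)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    rules = [parse_conduit(l) for l in config.splitlines() if l.strip()]
    return any(r["inside"] in (None, dst) and r["outside"] in (None, src)
               and r["type"] in (None, icmp_type) for r in rules)

def inbound_report(config, src="198.51.100.7", dst="192.0.2.10"):
    """Map each ICMP type name to whether the outside host can deliver it."""
    return {name: permits(config, src, dst, t) for t, name in ICMP_NAMES.items()}

if __name__ == "__main__":
    for label, cfg in [("replies only", REPLIES_ONLY), ("wide open", WIDE_OPEN)]:
        print(label, inbound_report(cfg))
```
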




-----Original Message-----
From: Steve Smith [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 14, 2002 11:23 AM
To: Ole Drews Jensen
Subject: RE: Question on PIX 501 [7:38246]


Hey Drew, does this mean that inside devices could trace out but no one
could trace in? I only allow ICMP to certain machines. We can ping out
but if you trace out through the PIX you get * * *. If I do a conduit
permit icmp any any then you can trace but you can also ping and trace
everything from the outside which I don't want.

Thanks!
Steve

-----Original Message-----
From: Ole Drews Jensen [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 14, 2002 10:42 AM
To: [EMAIL PROTECTED]
Subject: RE: Question on PIX 501 [7:38246]


Hi Justin,

When you ping, you use the ICMP protocol.

When A pings B, A sends ICMP echo-request (number 8) to B, and B sends
ICMP echo-reply (number 0) back to A.

The PIX does not allow ICMP traffic to come from the outside to the
inside, so to change that, you will need to open up for ICMP number 0
(echo-reply).

The command for that is:

        conduit permit icmp any any 0

This is a good way to do it, because then you allow outside devices to
reply to your request, but they are not allowed to do a PING themselves.
If you want PING to work both ways, simply use this command:

        conduit permit icmp any any

Hth,

Ole





-----Original Message-----
From: Justin C [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 14, 2002 10:10 AM
To: [EMAIL PROTECTED]
Subject: RE: Question on PIX 501


Ole,

Thanks for the reply.  I understand being busy.  I normally try to solve
these things all on my own, but I just don't have the available time.  I
spent six hours on it yesterday.

Justin


From: Ole Drews Jensen 
To: 'Justin C' 
Subject: RE: Question on PIX 501
Date: Thu, 14 Mar 2002 08:08:30 -0600

I did receive the message - I do not know why groupstudy did not.

I apologize for not getting back with you yesterday, but I am so busy
these days, as there are many projects I have to finish.

I will see if I can find a couple of minutes to read your entire e-mail
from yesterday, and help you out.

Try the [EMAIL PROTECTED] again.

Ole





-----Original Message-----
From: Justin C [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 14, 2002 8:14 AM
To: [EMAIL PROTECTED]
Subject: Question on PIX 501


Ole,

I apologize in advance for yet another direct message.  I am just
wondering if you did get the message regarding the Pix 501 as groupstudy
has not.

I dislike having to message direct, but I am really scratching my head
over this, so any help you can offer would be greatly appreciated.  In a
nutshell, have you worked with a 501?  If so, was it plug and play or
did you have to perform additional configurations to get it to work?

My thanks in advance for your time.

Justin Cluer





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=38259&t=38246