David,
According to my PIX documentation, the static command does not grant any access
on its own. You need a conduit or outbound for that. Either your PIX is
displaying 'undocumented behavior' or you have missed something. If there are no
"conduit permit ICMP" commands, look for any "conduit permit IP ... eq 0"
commands that might be doing it. (IP type 0 means "Any IP protocol").
Hope this helps,
Jim Eckford
David Calder wrote:
> The company I work for is using a PIX firewall as its first line of defence.
> The only conduits within the PIX configuration are to allow traffic to port
> 80 and port 443 destined for our DMZ. This should mean anything else is
> disallowed.
>
> However, we have found that echo requests FROM any host residing on the
> network connected to the PIX external interface TO a particular webserver on
> our DMZ are allowed to pass through the PIX. Echo requests TO any other host
> on the DMZ are dropped and echo requests FROM any hosts that are not on the
> network connected directly to the PIX external interface TO the webserver
> are dropped.
>
> Have I misunderstood the static command or is this a bug??
>
> Below is the applicable data from my config file (sanitized):
>
> static (inside,outside) 195.X.Y.71 195.X.Y.71 netmask 255.255.255.255 0 0
> conduit permit tcp 195.X.Y.64 255.255.255.192 eq 443 any
> conduit permit tcp 195.X.Y.64 255.255.255.192 eq www any
>
> 195.X.Y.71 is the webserver that echo requests are being allowed to.
> The Class C address range 195.X.Y.Z is used for the internal network and
> external networks with a subnet mask of 255.255.255.240.
>
> Sorry if that is as clear as mud! I think the problem is the static line but
> can anyone explain?
>
> Thanks
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
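An added example, not from either poster, that models the point Jim makes: the static line grants nothing by itself, only conduit lines open a flow, and a protocol of "ip" (or 0) matches any protocol. It uses constructed RFC 5737 addresses in place of the sanitized 195.X.Y ones and assumes first-match evaluation in config order.

```python
import ipaddress

PORT_NAMES = {"www": 80, "http": 80, "https": 443}

def _addr(tok, i):
    """Read an address spec at tok[i]: 'any', 'host A', or 'A MASK'."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def _port(tok, i):
    """Read an optional 'eq PORT' at tok[i]; None means any port."""
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return PORT_NAMES.get(p, int(p) if p.isdigit() else p), i + 2
    return None, i

def parse_conduit(line):
    """Parse 'conduit permit|deny PROTO GLOBAL [eq PORT] FOREIGN'.
    Anything else (static, nat, ...) returns None: it grants no access."""
    tok = line.split()
    if tok[:1] != ["conduit"]:
        return None
    action, proto = tok[1], tok[2]
    dst, i = _addr(tok, 3)          # global (DMZ-side) address
    dport, i = _port(tok, i)
    src, i = _addr(tok, i)          # foreign (outside) address
    return {"action": action, "proto": proto, "dst": dst, "dport": dport, "src": src}

def flow_permitted(config, proto, src_ip, dst_ip, dport=None):
    """First matching conduit decides; no match means the inbound flow is dropped."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in filter(None, map(parse_conduit, config)):
        if rule["proto"] not in ("ip", "0", proto):
            continue
        if dst not in rule["dst"] or src not in rule["src"]:
            continue
        if rule["dport"] not in (None, dport):
            continue
        return rule["action"] == "permit"
    return False

# Constructed stand-in for the sanitized config in the post.
CONFIG = [
    "static (inside,outside) 192.0.2.71 192.0.2.71 netmask 255.255.255.255 0 0",
    "conduit permit tcp 192.0.2.64 255.255.255.192 eq 443 any",
    "conduit permit tcp 192.0.2.64 255.255.255.192 eq www any",
]
```

With only those three lines, an ICMP echo to 192.0.2.71 is dropped; appending a constructed "conduit permit ip host 192.0.2.71 any" is what would let it through, which is the kind of line Jim suggests hunting for.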