Hi David,

The static command only sets up the address mapping, to which the conduit 
statements are applied.  The static statement by itself does not permit ICMP.

Well it doesn't in the version I think you're using, based on the syntax of 
the conduit commands you've posted.  If you're using version 4.1.x, upgrade 
& the behavior will be corrected.  ICMP will only be permitted if 
explicitly stated.

In old versions of the PIX (v 4.1.5 and lower), ICMP echo & echo replies 
were permitted by default to a defined static.  Versions since that should 
not.

I would recommend opening a case with the Cisco TAC for further 
troubleshooting.

Thanks much,

Lisa Napier
Product Security Incident Response Team
Cisco Systems
http://www.cisco.com/warp/public/707/sec_incident_response.shtml

At 05:18 PM 1/18/2000 +0000, David Calder wrote:
>The company I work for is using a PIX firewall as its first line of 
>defence. The only conduits within the PIX configuration are to allow 
>traffic to port 80 and port 443 destined for our DMZ. This should mean 
>anything else is disallowed.
>
>However, we have found that echo requests FROM any host residing on the 
>network connected to the PIX external interface TO a particular webserver 
>on our DMZ are allowed to pass through the PIX. Echo requests TO any other 
>host on the DMZ are dropped and echo requests FROM any hosts that are not 
>on the network connected directly to the PIX external interface TO the 
>webserver are dropped.
>
>Have I misunderstood the static command or is this a bug??
>
>Below is the applicable data from my config file (sanitized):
>
>static (inside,outside) 195.X.Y.71 195.X.Y.71 netmask 255.255.255.255 0 0
>conduit permit tcp 195.X.Y.64 255.255.255.192 eq 443 any
>conduit permit tcp 195.X.Y.64 255.255.255.192 eq www any
>
>195.X.Y.71 is the webserver that echo requests are being allowed to.
>The Class C address range 195.X.Y.Z is used for the internal network and 
>external networks with a subnet mask of 255.255.255.240.
>
>Sorry if that is as clear as mud! I think the problem is the static line 
>but can anyone explain?
>
>Thanks
>
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]

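A small model of how the static and conduit statements in this thread combine for inbound traffic, added here as an example (it is not code from the list or from Cisco). The 198.51.100.x and 192.0.2.9 addresses are constructed stand-ins for the sanitised 195.X.Y.x values; the `legacy_icmp` flag models the pre-4.1.5 implicit ICMP default as an assumption, and the two explicit ICMP conduit lines are an assumed hardening, not configuration from the post.

```python
# Added example: model how PIX 'static' and 'conduit' lines combine for inbound flows,
# including the old implicit ICMP echo default. Addresses are constructed stand-ins.
import ipaddress

PORT_NAMES = {"www": 80, "https": 443}
POSTED_CONFIG = """
static (inside,outside) 198.51.100.71 198.51.100.71 netmask 255.255.255.255 0 0
conduit permit tcp 198.51.100.64 255.255.255.192 eq 443 any
conduit permit tcp 198.51.100.64 255.255.255.192 eq www any
"""
# Assumed hardening: state the ICMP policy explicitly so it does not depend on the version default.
EXPLICIT_ICMP_CONFIG = POSTED_CONFIG + """
conduit permit icmp 198.51.100.64 255.255.255.192 any echo-reply
conduit deny icmp any any
"""

def _take_addr(words, i):
    """Consume 'any' or 'ADDR MASK' at words[i]; return (network, next index)."""
    if words[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{words[i]}/{words[i + 1]}", strict=False), i + 2

def parse_config(text):
    """Return {'statics': [global addresses], 'conduits': [rule tuples]}."""
    cfg = {"statics": [], "conduits": []}
    for line in text.splitlines():
        w = line.split()
        if w and w[0] == "static":     # static (in,out) GLOBAL LOCAL netmask MASK ...
            cfg["statics"].append(ipaddress.ip_address(w[2]))
        elif w and w[0] == "conduit":  # conduit ACTION PROTO GLOBAL [eq PORT] FOREIGN [ICMP-TYPE]
            action, proto = w[1], w[2]
            glob, i = _take_addr(w, 3)
            port = None
            if proto == "tcp" and w[i] == "eq":
                port, i = PORT_NAMES.get(w[i + 1]) or int(w[i + 1]), i + 2
            foreign, i = _take_addr(w, i)
            icmp_type = w[i] if proto == "icmp" and i < len(w) else None
            cfg["conduits"].append((action, proto, glob, port, foreign, icmp_type))
    return cfg

def permitted(cfg, proto, src, dst, port=None, icmp_type=None, legacy_icmp=False):
    """Would an outside->global flow pass? legacy_icmp=True models (as an assumption) the
    old default where echo/echo-reply to a static passed with no conduit at all."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst_ip not in cfg["statics"]:
        return False                   # no static: nothing maps the address inbound
    for action, p, glob, cport, foreign, ctype in cfg["conduits"]:
        if (p == proto and dst_ip in glob and src_ip in foreign
                and cport in (None, port) and ctype in (None, icmp_type)):
            return action == "permit"  # first matching conduit decides
    return legacy_icmp and proto == "icmp" and icmp_type in ("echo", "echo-reply")
```

Running the posted config through the model shows TCP 443/80 to .71 passing, every other port and every non-static DMZ host being dropped, and ICMP echo to .71 passing only under the legacy default; the explicit ICMP lines remove that version dependence.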
