I'm mucking around with the list at the moment and haven't applied it yet. I
can't seem to add a line in the list to allow ICMP outbound - it only gives
tcp/udp as choices.

Any suggestions on the syntax to allow icmp out? The current policy is to allow
all outbound, but I want to start refining this. The suggestions so far have
been very useful.

Thanks,

Warwick

Christian Kratzer wrote:

> Hi,
>
> On Thu, 15 Jun 2000, Warwick Vele wrote:
>
> > I am testing outbound access-lists to apply to our PIX and have run into
> > a small problem.
> >
> > The test list is as follows:
> >
> >     outbound  10 deny 0.0.0.0 0.0.0.0 0 0
> >     outbound  10 except 0.0.0.0 0.0.0.0 7 tcp
> >     outbound  10 except 0.0.0.0 0.0.0.0 7 udp
> >     outbound  10 except 0.0.0.0 0.0.0.0 20 tcp
> >     outbound  10 except 0.0.0.0 0.0.0.0 21 tcp
> >     outbound  10 except 0.0.0.0 0.0.0.0 23 tcp
> >     outbound  10 except 0.0.0.0 0.0.0.0 25 tcp
> >     outbound  10 except 0.0.0.0 0.0.0.0 25 udp
> >     outbound  10 except 0.0.0.0 0.0.0.0 53 udp
> >     outbound  10 except 0.0.0.0 0.0.0.0 80 tcp
> >
> > applied with:
> >
> >     apply (inside) 10 outgoing_src
> >
> > I also have a conduit allowing icmp:
> >
> >     conduit permit icmp any any
> >
> > The intent is to deny all outbound traffic _except_ those ports stated
> > above, with a destination of "anywhere". When I apply the list it blocks
> > PING attempts from the inside to the outside. When I remove the apply
> > statement it works fine. Is there something that I am leaving out with
> > my except statements? We are using version 4.3(2).
>
> for what reason are you allowing tcp/echo and udp/echo out of your internal
> network ????
>
> Ping does not use tcp or udp. You will want to remove 7/tcp and 7/udp
> from your access-list and allow icmp.
>
> icmp is not tcp
>
> Greetings
> Christian
>
> --
> TopLink Internet Services GmbH                  [EMAIL PROTECTED]
> Christian Kratzer                               http://www.toplink.net/
> Phone:  +49 7032 2701-0
> Fax:    +49 7032 2701-19        FreeBSD spoken here!
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
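As an added illustration of the exchange above (not code from either poster, nor Cisco's own logic), here is a small Python model of how the posted list treats a flow under the assumptions stated in its comments: it shows that nothing in the list can match an ICMP echo, while the 7/tcp and 7/udp exceptions only cover the echo services Christian points out are unrelated to ping.

```python
# Toy evaluator for a PIX 4.x 'outbound' list applied with outgoing_src.
# Added model, not PIX code. Assumptions: deny/permit lines match the source
# address, except lines match the destination, port 0 and protocol 0 mean
# 'any', a matching except overrides a matching deny, and ICMP carries no
# port, so only a line naming icmp (or protocol 0) can match it.
import ipaddress
from collections import namedtuple

Entry = namedtuple("Entry", "action addr mask port proto")

def parse(line):
    """Parse e.g. 'outbound 10 except 0.0.0.0 0.0.0.0 53 udp'."""
    _, _, action, addr, mask, port, proto = line.split()
    return Entry(action, addr, mask, int(port), proto)

def _match(e, ip, proto, port):
    net = ipaddress.ip_network(f"{e.addr}/{e.mask}", strict=False)
    if ipaddress.ip_address(ip) not in net:
        return False
    if e.proto != "0" and e.proto != proto:
        return False
    return e.port == 0 or e.port == port

def evaluate(entries, src, dst, proto, port=0):
    """Return 'permit' or 'deny' for one outbound flow (port 0 for ICMP)."""
    if any(e.action == "except" and _match(e, dst, proto, port) for e in entries):
        return "permit"
    for e in entries:
        if e.action in ("deny", "permit") and _match(e, src, proto, port):
            return e.action
    return "permit"  # nothing matched: PIX allows outbound by default

# The list from the original post, as posted.
WARWICK_LIST = [parse(l) for l in """
outbound 10 deny 0.0.0.0 0.0.0.0 0 0
outbound 10 except 0.0.0.0 0.0.0.0 7 tcp
outbound 10 except 0.0.0.0 0.0.0.0 7 udp
outbound 10 except 0.0.0.0 0.0.0.0 20 tcp
outbound 10 except 0.0.0.0 0.0.0.0 21 tcp
outbound 10 except 0.0.0.0 0.0.0.0 23 tcp
outbound 10 except 0.0.0.0 0.0.0.0 25 tcp
outbound 10 except 0.0.0.0 0.0.0.0 25 udp
outbound 10 except 0.0.0.0 0.0.0.0 53 udp
outbound 10 except 0.0.0.0 0.0.0.0 80 tcp
""".splitlines() if l.strip()]

if __name__ == "__main__":
    # Constructed sample flows: inside host 10.0.0.5 to outside host 192.0.2.1.
    for proto, port in (("tcp", 80), ("tcp", 7), ("icmp", 0), ("tcp", 443)):
        print(proto, port, evaluate(WARWICK_LIST, "10.0.0.5", "192.0.2.1", proto, port))
```

Removing the list (an empty entry set) returns the default permit, which matches the behaviour Warwick saw when he dropped the apply statement.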
