Irene,

This depends on what you're pinging. What (where)
is the client/system you're trying to ping?

Your rule says any _internal_ machines are
allowed to respond (which it s/would by default).

If you're pinging an outside machine, then you need
to change your rule to allow the return packet from
that/those machines.

Does this make sense? If not, write back.

Robert

>>> Irene Cai <[EMAIL PROTECTED]> 8/21/00 3:40:20 PM >>>
>I have Internal NET ANY ANY Accept. It isn't working. Also I set up
>another rule for Internal NET ANY ICMP (group for all ICMP related services)
>ACCEPT, still doesn't work.
>
>Thanks
>
>-----Original Message-----
>From: Robert MacDonald [mailto:[EMAIL PROTECTED]] 
>Sent: Monday, August 21, 2000 2:37 PM
>To: [EMAIL PROTECTED]; [EMAIL PROTECTED] 
>Subject: Re: [FW1] Problem with ICMP!
>
>Irene,
>
>You need to change your rule to allow for the return
>ICMP. Your ping or traceroute goes out and when
>the reply comes back, it gets dropped. You should see
>this in your logs.
>
>If you're going to do this with rules, then uncheck the
>policy properties Accept ICMP (but wait until you fix
>this issue).
>
>Be aware that if you take my advice above, there are
>other ICMP return codes that you're going to watch out
>for - ones you'll probably need.
>
>See http://www.phoneboy.com/fw1/faq/0066.html, 
>http://www.phoneboy.com/fw1/faq/0230.html, 
>
>or better yet, just go to www.phoneboy.com and look
>up ICMP.
>
>Robert
>
>- -
>Robert P. MacDonald, Network Engineer
>e-Business Infrastructure
>G o r d o n   F o o d    S e r v i c e
>Voice: +1.616.261.7987 email: [EMAIL PROTECTED] 
>
>>>> Irene Cai <[EMAIL PROTECTED]> 8/21/00 3:03:44 PM >>>
>>
>>Hi,
>>
>>      Currently I have a problem setting up the ICMP protocol in my firewall
>>policy set. I set up the properties for ACCEPT ICMP under security policy
>>for "before last", then I set up another rule for NO Internal Network Any
>>ICMP-Protocol Drop. However after I pushed the policy, the Internal Network
>>can't run ICMP related command, such as PING or TRACEROUTE. If I remove that
>>No internal network drop for the ICMP, I can run the ICMP related command,
>>unfortunately everybody in the internet can run the ICMP related command as
>>well. Any suggestion will be greatly appreciated!
>>
>>Thanks,
>>
>>Irene
>
>I cleared the ICMP under the security policy, and we had a rule which
>Internal Net ANY ANY ACCEPT, repushed the policy, but the internal network
>still can't run the ICMP related command.
>
>Thanks,
>
>Irene
>
>-----Original Message-----
>From: Simon Guo [mailto:[EMAIL PROTECTED]] 
>Sent: Monday, August 21, 2000 2:10 PM
>To: 'Irene Cai'; [EMAIL PROTECTED] 
>Subject: RE: [FW1] Problem with ICMP!
>
>
>Irene,
>
>Try this: clear the ACCEPT ICMP under the security policy. Modify the rule to
>InternalNetwork any ICMP (better just ping and traceroute) Accept.
>
>
>
>-----Original Message-----
>From: Irene Cai [mailto:[EMAIL PROTECTED]] 
>Sent: Monday, August 21, 2000 3:04 PM
>To: [EMAIL PROTECTED] 
>Subject: [FW1] Problem with ICMP!
>
>
>
>Hi,
>
>       Currently I have a problem setting up the ICMP protocol in my firewall
>policy set. I set up the properties for ACCEPT ICMP under security policy
>for "before last", then I set up another rule for NO Internal Network Any
>ICMP-Protocol Drop. However after I pushed the policy, the Internal Network
>can't run ICMP related command, such as PING or TRACEROUTE. If I remove that
>No internal network drop for the ICMP, I can run the ICMP related command,
>unfortunately everybody in the internet can run the ICMP related command as
>well. Any suggestion will be greatly appreciated!
>
>Thanks,
>
>Irene



