Internal Users ping through a PIX [7:52962]

2002-09-09 Thread Elijah Savage III

Ok guys, I am on my last leg with this one. I have seen a ton of examples but
can't seem to get it working. What am I doing wrong here?

All I want is for my internal users to be able to ping through the firewall
to the net, but for external users not to be able to ping in.

Here is the last example I used that does not work.
http://www.cisco.com/warp/public/110/single-net.shtml

!--- Create an access-list to allow pings out and the return packets
back in.
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable


!--- Apply access-list 100 to the outside interface.
access-group 100 in interface outside

pixfirewall# sh version

Cisco PIX Firewall Version 6.1(3)


I appreciate your help.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=52962&t=52962
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



RE: Internal Users ping through a PIX [7:52962]

2002-09-09 Thread Nathan Nakao

Are you applying it to the incoming traffic or outbound traffic?

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=52965&t=52962



RE: Internal Users ping through a PIX [7:52962]

2002-09-09 Thread Roberts, Larry

What is on your internal interface, access-list-wise?

Do you have an access-list 101 permit icmp any any echo?

You must permit the ICMP echo through the inside, and the echo-reply through
the outside...

Thanks

Larry
 

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=52966&t=52962



RE: Internal Users ping through a PIX [7:52962]

2002-09-09 Thread Lidiya White

The access-list is correct. There is something else that is going on.
Use "debug icmp trace" to troubleshoot...
How do you test this access-list? What are you trying to ping?

-- Lidiya White

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=52968&t=52962



RE: Internal Users ping through a PIX [7:52962]

2002-09-10 Thread [EMAIL PROTECTED]

You need to use the following global command to enable icmp:

icmp permit/deny  ...


Here's the link for command reference:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/config/commands.htm#xtocid33


Thanks...Nabil

"I have never let my schooling interfere with my education."


   
 
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=52988&t=52962



RE: Internal Users ping through a PIX [7:52962]

2002-09-10 Thread Lidiya White

The "icmp" command on the PIX allows/denies pinging the interfaces of the PIX
itself. It has nothing to do with pinging through the PIX...

-- Lidiya White

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=52993&t=52962



RE: Internal Users ping through a PIX [7:52962]

2002-09-10 Thread Ciaron Gogarty

I think that it may be more secure to just allow echo-reply back to the
internal hosts.  You can do this with the access-list that is on the outside
interface.

Assuming that you want to allow echo-reply back to users who are hidden
behind a PAT address (or the hide address in checkpoint parlance) add the
following line to your external access-list.

access-list From-Internet permit icmp any host 1.1.1.1 echo-reply

Change 1.1.1.1 to whatever your PAT address is.  This also assumes that you
don't have any access-list on the inside interface; if you do, modify that
to allow outbound echo-request.

Hope this helps,

C

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=53006&t=52962
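To see why the outside access-list behaves the way Larry and Ciaron describe, here is a small Python model, added to this archive and not code from the thread or from Cisco, that parses the PIX access-list lines quoted above and evaluates sample ICMP packets arriving on the outside interface against them. It assumes the PIX 6.1 ACL is stateless for ICMP (so the echo-reply must be permitted explicitly), that 1.1.1.1 is the PAT address as in Ciaron's post, and that 198.51.100.7 is a constructed Internet host.

```python
import ipaddress

# Constructed sample: the outside ACL quoted in the thread, and the tighter
# echo-reply entry Ciaron suggests (1.1.1.1 standing in for the PAT address).
THREAD_ACL = """
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
"""
TIGHT_ACL = "access-list From-Internet permit icmp any host 1.1.1.1 echo-reply"


def _addr(tok, pos):
    """Read one PIX address spec ('any', 'host A', or 'A NETMASK') at tok[pos]."""
    if tok[pos] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), pos + 1
    if tok[pos] == "host":
        return ipaddress.ip_network(tok[pos + 1] + "/32"), pos + 2
    # PIX ACLs use real netmasks (not IOS wildcard masks)
    return ipaddress.ip_network(f"{tok[pos]}/{tok[pos + 1]}", strict=False), pos + 2


def parse_acl(text):
    """Turn 'access-list NAME permit|deny icmp SRC DST [TYPE]' lines into rules."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[3] != "icmp":
            continue  # not an ICMP entry; this model ignores it
        src, pos = _addr(tok, 4)
        dst, pos = _addr(tok, pos)
        icmp_type = tok[pos] if pos < len(tok) else None  # None = any ICMP type
        rules.append((tok[2], src, dst, icmp_type))
    return rules


def evaluate(rules, src, dst, icmp_type):
    """First matching entry wins; no match hits the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net, typ in rules:
        if s in src_net and d in dst_net and typ in (None, icmp_type):
            return action
    return "deny"


if __name__ == "__main__":
    loose, tight = parse_acl(THREAD_ACL), parse_acl(TIGHT_ACL)
    # reply to our own ping is permitted, an outsider's echo is denied, by both ACLs
    for acl in (loose, tight):
        print(evaluate(acl, "198.51.100.7", "1.1.1.1", "echo-reply"),
              evaluate(acl, "198.51.100.7", "1.1.1.1", "echo"))
    # only the loose ACL also admits replies aimed at addresses that never pinged out
    print(evaluate(loose, "198.51.100.7", "1.1.1.2", "echo-reply"),
          evaluate(tight, "198.51.100.7", "1.1.1.2", "echo-reply"))
```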