Re: Firewall [7:55547]

2002-10-14 Thread Robert Edmonds

Naomi,
Try adding the following lines to your config
access-list acl_outside permit icmp any any echo-reply
access-list acl_outside permit icmp any any time-exceeded
access-list acl_outside permit icmp any any unreachable

As far as pinging from outside to inside, though, you don't want to do that.
And if you are using private addresses on your inside network, you won't be
able to ping them from the Internet anyway.  Good luck.

Robert Edmonds
"Naomi James" wrote in message
news:[EMAIL PROTECTED]...
> I have a PIX 525. I am trying to bring it up on my network.  It is installed
> virtually between my router and my ISP's router.  While testing, I noticed
> that from an inside host, I could ping my inside interface on the PIX, but
> not the outside interface.  From the ISP, they could ping my outside
> interface but not my inside interface.  From the PIX I can ping my outside
> interface and beyond.
> Any suggestions?
>
> Naomi James
> Computer Services and Information Technology
> Savannah State University
> 912-356-2509
>
> [GroupStudy.com removed an attachment of type image/gif which had a name of
> Mabelt.gif]
>
> [GroupStudy.com removed an attachment of type image/gif which had a name of
> Mabelb.gif]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=0&t=55547
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: Firewall [7:55547]

2002-10-14 Thread Carroll Kong

You have not mentioned any issues though.  So I will guess you are somehow
unhappy with the default Pix behavior.  Did you want to deny all icmp
requests?  By default, after a certain rev of Pix code, icmp allows
are on.

icmp deny any outside
icmp deny any inside

Once you place these rules, it will have a 'default deny' afterwards, so if
you do

icmp permit host 1.2.3.4 inside

then... all hosts on the inside except for 1.2.3.4 can ping it.

As for allowing people to ping "through" the pix, not sure if a static or
anything like that would work (along with an acl).  Doesn't seem to make
much sense to allow an outsider to ping the inside of a pix anyway.

Typically, the theory behind the pix (at least in its latest incarnation)
is that acls generally only apply to traffic traversing THROUGH the pix, not
terminating at the pix or any of its interfaces.

For that, you need to find the magic "fudge" command, and in this case, the
"icmp" commands are the fudge that determine if icmp will be permitted on
the pix's inside or outside addresses.

This is all well documented under this URL, assuming code rev 6.2 (you can
just go up a tree to find the other revs)

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/config/bafwcfg.htm

> I have a PIX 525. I am trying to bring it up on my network.  It is installed
> virtually between my router and my ISP's router.  While testing, I noticed
> that from an inside host, I could ping my inside interface on the PIX, but
> not the outside interface.  From the ISP, they could ping my outside
> interface but not my inside interface.  From the PIX I can ping my outside
> interface and beyond.
> Any suggestions?
>  
> Naomi James
> Computer Services and Information Technology
> Savannah State University
> 912-356-2509


-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=6&t=55547
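Putting the two halves of the advice in this thread together, as an added example that is not from any of the posters and not taken from Cisco's documentation: a PIX 6.2-style fragment that (a) lets the ICMP replies and errors generated by inside-originated pings and traceroutes come back in through the outside interface, which is what Robert's access-list entries do, and (b) uses the icmp command Carroll describes to control who may ping the PIX's own interface addresses. The ACL name acl_outside is taken from Robert's post; the interface names inside/outside and the management host 10.1.1.50 are assumptions. None of this changes the behaviour Lidiya describes (an inside host still cannot ping the outside interface address); it only controls what the PIX accepts.

```text
! --- Through-the-box ICMP (filtered by the interface ACL) ---
! PIX 6.x does not keep state for ICMP echo, so the reply to a ping sent from
! inside arrives on 'outside' as a fresh inbound packet and must be permitted
! here. Only reply/error types are opened; echo (type 8) from the Internet
! stays denied by the implicit deny at the end of the ACL.
access-list acl_outside permit icmp any any echo-reply
access-list acl_outside permit icmp any any time-exceeded
access-list acl_outside permit icmp any any unreachable
! An access-list does nothing until it is bound to an interface.
access-group acl_outside in interface outside

! --- To-the-box ICMP (the PIX's own interface addresses; not subject to the ACL) ---
! icmp rules are matched first-match, and once any icmp rule exists on an
! interface the remaining traffic is denied, so list the permit before the deny.
! Assumed: 10.1.1.50 is the inside management/monitoring host that should
! still be able to ping the inside interface.
icmp permit host 10.1.1.50 inside
icmp deny any inside
! Nothing on the Internet needs to ping the outside address.
icmp deny any outside

! --- Verification, from enable mode ---
! show access-list   (hitcnt on the echo-reply line should climb as inside hosts ping out)
! show icmp          (lists the icmp rules per interface)
! debug icmp trace   (prints each ICMP packet and whether it was passed or denied)
```

The `!` lines are annotation only; drop them if the running code refuses comment lines when pasting. Keep the `unreachable` entry even if you tighten the rest, because type 3 code 4 (fragmentation needed) is how path MTU discovery works and blocking it produces hard-to-diagnose stalls on large transfers. To narrow the exposure of `echo-reply any any` (any outside host can send unsolicited echo-replies inward), replace the destination `any` with the PIX's global/NAT address range so only traffic addressed to your translated addresses is accepted.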



RE: Firewall [7:55547]

2002-10-14 Thread Lidiya White

That is the normal behavior of the PIX. You'll not be able to change it...
If you want to test the connectivity through the PIX, do not ping the
outside interface of the PIX from the inside, but ping the default gateway
of the PIX.

-- Lidiya White


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Naomi James
Sent: Monday, October 14, 2002 8:19 AM
To: [EMAIL PROTECTED]
Subject: Firewall [7:55547]


I have a PIX 525. I am trying to bring it up on my network.  It is installed
virtually between my router and my ISP's router.  While testing, I noticed
that from an inside host, I could ping my inside interface on the PIX, but
not the outside interface.  From the ISP, they could ping my outside
interface but not my inside interface.  From the PIX I can ping my outside
interface and beyond.
Any suggestions?

Naomi James
Computer Services and Information Technology
Savannah State University
912-356-2509





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=55580&t=55547



RE: Firewall [7:55547]

2002-10-14 Thread Theodore Stout

This is correct.

And while you are at it, why not just eliminate pings to the interface
once the PIX goes into production for increased security?

Just makes it a little bit harder for the Kiddies.

Theo






"Lidiya White" 
Sent by: [EMAIL PROTECTED]
10/15/2002 03:44 AM
Please respond to "Lidiya White"

 
To: [EMAIL PROTECTED]
cc: 
    Subject:    RE: Firewall [7:55547]


That is the normal behavior of the PIX. You'll not be able to change it...
If you want to test the connectivity through the PIX, do not ping the
outside interface of the PIX from the inside, but ping the default gateway
of the PIX.

-- Lidiya White


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Naomi James
Sent: Monday, October 14, 2002 8:19 AM
To: [EMAIL PROTECTED]
Subject: Firewall [7:55547]


I have a PIX 525. I am trying to bring it up on my network.  It is installed
virtually between my router and my ISP's router.  While testing, I noticed
that from an inside host, I could ping my inside interface on the PIX, but
not the outside interface.  From the ISP, they could ping my outside
interface but not my inside interface.  From the PIX I can ping my outside
interface and beyond.
Any suggestions?

Naomi James
Computer Services and Information Technology
Savannah State University
912-356-2509





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=55595&t=55547