topic Re: Pix 506E Allowing ping (ICMP) replies in Network Security

Pix 506E Allowing ping (ICMP) replies

paul.baird — Mon, 11 Mar 2019 10:53:46 GMT

Lo all,

Having trouble with a PIX 506E 6.3(5), I am trying to get ping and tracert working from clients within my network.

I have added the following lines to my pix config:

!--- Create an access list to allow pings out

access-list ping_acl permit icmp any host 217.34.xxx.xxx echo-reply

access-list ping_acl permit icmp any host 217.34.xxx.xxx time-exceeded

access-list ping_acl permit icmp any host 217.34.xxx.xxx unreachable

access-group ping_acl in interface outside

But still no joy, any ideas would be much appreciated

Re: Pix 506E Allowing ping (ICMP) replies

Jon Marshall — Mon, 06 Aug 2007 09:47:01 GMT

Hi Paul

I'm a little unclear as to what you are trying to achieve. If you want to allow your clients to ping out why are you applying this access-list on the outside interface ?

What are the source addresses of your clients and what are the destination addresses you want to ping ?

Jon

Re: Pix 506E Allowing ping (ICMP) replies

paul.baird — Mon, 06 Aug 2007 09:55:24 GMT

Hi Jon,

I am trying to follow:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

I am trying to allow all clients on the internal network to be able to ping / tracert any public IP address.

My clients are on a 10.1.2.x/8 range

Re: Pix 506E Allowing ping (ICMP) replies

Jon Marshall — Mon, 06 Aug 2007 10:21:51 GMT

Paul

Okay makes a bit more sense i think.

I'm assuing you are Natting all your inside hosts to 217.34.x.x ?

Do you have an access-list applied to your inside interface ?

Perhaps you could send whole config of pix minus any sensitive information.

Jon

Re: Pix 506E Allowing ping (ICMP) replies

paul.baird — Mon, 06 Aug 2007 10:32:35 GMT

Hi Jon,

Very new to PIX's so this is my working config for the network that I have managed to piece together:

nameif ethernet0 outside security0

nameif ethernet1 inside security100

interface ethernet0 100full

interface ethernet1 100full

ip address outside 217.34.xxx.xxx 255.255.255.240

ip address inside 10.1.1.1 255.0.0.0

route outside 0.0.0.0 0.0.0.0 217.34.xxx.xxx 1

nat (inside) 1 10.0.0.0 255.0.0.0 0 0

global (outside) 1 interface

static (inside,outside) tcp 217.34.xxx.xxx ftp 10.1.2.150 ftp

static (inside,outside) tcp 217.34.xxx.xxx http 10.1.1.3 http

static (inside,outside) tcp 217.34.xxx.xxx https 10.1.1.3 https

!--- Create an access list to allow pings out

access-list ping_acl permit icmp any host 217.34.xxx.xxx echo-reply

access-list ping_acl permit icmp any host 217.34.xxx.xxx time-exceeded

access-list ping_acl permit icmp any host 217.34.xxx.xxx unreachable

access-list inbound permit tcp any host 217.34.xxx.xxx eq ftp

access-list inbound permit tcp any host 217.34.xxx.xxx eq http

access-list inbound permit tcp any host 217.34.xxx.xxx eq https

access-group ping_acl in interface outside

access-group inbound in interface outside

no fixup protocol ftp 21

no fixup protocol dns

!--- Enable logging

logging on

logging trap 4

logging host 10.1.1.3

telnet 10.0.0.0 255.0.0.0 inside

telnet 192.168.50.0 255.255.255.0 inside

http server enable

http 10.0.0.0 255.0.0.0 inside

pdm history enable

!--- SSH for use with Putty

aaa authentication ssh console LOCAL

ssh 192.168.1.0 255.255.255.0 inside

ssh timeout 5

!--- Firewall details and passwords

hostname FIREWALL

domain-name C2.local

en pass xxxxxxxxx

pass xxxxxxxxxxx

ip local pool VPN_Pool 192.168.50.1-192.168.50.254

access-list 101 permit ip 10.0.0.0 255.0.0.0 192.168.50.0 255.255.255.0

nat (inside) 0 access-list 101

!--- For Cisco VPN Client

sysopt connection permit-ipsec

crypto ipsec transform-set VPN_Trans esp-aes-256 esp-md5-hmac

crypto dynamic-map VPN_Dyn 10 set transform-set VPN_Trans

crypto map VPN_Crypto 10 ipsec-isakmp dynamic VPN_Dyn

crypto map VPN_Crypto interface outside

isakmp enable outside

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption aes-256

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup C2_xxxxxxxx address-pool VPN_Pool

vpngroup C2_xxxxxxxx idle-time 1800

vpngroup C2_xxxxxxxx password xxxxxxxxxxxx

vpngroup C2_xxxxxxxx wins-server 10.1.1.3

vpngroup C2_xxxxxxxx dns-server 10.1.1.3

vpngroup C2_xxxxxxxx default-domain c2.local

isakmp nat-traversal 20

Re: Pix 506E Allowing ping (ICMP) replies

Jon Marshall — Mon, 06 Aug 2007 11:10:03 GMT

Paul

You cannot apply two access-lists to the same interface in the same direction ie.

access-group ping_acl in interface outside

access-group inbound in interface outside

You need to combine your two access-lists ie. ping_acl and inbound into one access-list and apply this to the interface.

At the moment the only access-list applied to your outside interface is the inbound access-list which has no entries for icmp.

HTH

Jon

Re: Pix 506E Allowing ping (ICMP) replies

paul.baird — Mon, 06 Aug 2007 11:17:50 GMT

You learn something new every day:)

Thanks for that Jon works a treat, thought I was being tidy keeping them apart.

Re: Pix 506E Allowing ping (ICMP) replies

Jon Marshall — Mon, 06 Aug 2007 11:21:48 GMT

Paul

Glad to be of help and many thanks for using the rating system.

Jon