https://community.cisco.com/t5/network-security/icmp-trough-pix/m-p/145493#M614622 <P>Does anyone knows what would happen if a forged ICMP echo reply packet coming from the Internet to a inside host hit the outside interface of the Pix?.</P><P></P><P>The inside host is static translated on the pix. And an ACL which permits ICMP echo-reply, time-exceeded, source-quench and unreachble to the inside host is configured.</P><P> </P><P>What the Pix will do?</P><P></P><P>Regards,</P><P>Carlos Roque</P><P> </P> Fri, 21 Feb 2020 06:40:29 GMT minoc 2020-02-21T06:40:29Z https://community.cisco.com/t5/network-security/icmp-trough-pix/m-p/145493#M614622 <P>Does anyone knows what would happen if a forged ICMP echo reply packet coming from the Internet to a inside host hit the outside interface of the Pix?.</P><P></P><P>The inside host is static translated on the pix. And an ACL which permits ICMP echo-reply, time-exceeded, source-quench and unreachble to the inside host is configured.</P><P> </P><P>What the Pix will do?</P><P></P><P>Regards,</P><P>Carlos Roque</P><P> </P> Fri, 21 Feb 2020 06:40:29 GMT https://community.cisco.com/t5/network-security/icmp-trough-pix/m-p/145493#M614622 minoc 2020-02-21T06:40:29Z https://community.cisco.com/t5/network-security/icmp-trough-pix/m-p/145494#M614623 <HTML><HEAD></HEAD><BODY><P>The PIX doesn't do stateful inspection of ICMP packets as far as I'm aware, so if an echo-reply came in, even without an echo having first gone out, I would say the packet will be allowed in to the internal host.</P></BODY></HTML> Tue, 08 Apr 2003 23:52:33 GMT https://community.cisco.com/t5/network-security/icmp-trough-pix/m-p/145494#M614623 gfullage 2003-04-08T23:52:33Z https://community.cisco.com/t5/network-security/icmp-trough-pix/m-p/145495#M614624 <HTML><HEAD></HEAD><BODY><P>Ok, you are right the pix does not perform stateful inspection on ICMP packets, but since there was not connection originated from the inside interface it should block the ICMP reply packet once it hits the outside interface.</P><P></P><P>Regrads,</P><P></P><P>Carlos Roque</P><P></P></BODY></HTML> Tue, 22 Apr 2003 17:43:02 GMT https://community.cisco.com/t5/network-security/icmp-trough-pix/m-p/145495#M614624 minoc 2003-04-22T17:43:02Z https://community.cisco.com/t5/network-security/icmp-trough-pix/m-p/145496#M614625 <HTML><HEAD></HEAD><BODY><P>For the icmp packets to cross the PIX it needs a translation rule and an access list rule to permit it. In your example, the translation rule is there with the static and you have specified the acl to allow the echo-reply in. My money would be on that the packet would be allowed in.</P><P>Hope it helps.</P><P></P><P>Steve</P><P></P></BODY></HTML> Wed, 23 Apr 2003 11:36:05 GMT https://community.cisco.com/t5/network-security/icmp-trough-pix/m-p/145496#M614625 steve.barlow 2003-04-23T11:36:05Z https://community.cisco.com/t5/network-security/icmp-trough-pix/m-p/145497#M614626 <HTML><HEAD></HEAD><BODY><P>Right,</P><P></P><P>But how come the Pix will allow this if there was not an ICMP echo connection originated from the internal host ?.</P><P></P><P>If you are correct, then the Pix is not performing its job in securing the inside segment. I am pretty sure Checkpoint Firewall-1 will not allow this to go trough it.</P><P></P><P>Anyone could hijack resources located either on a DMZ or inside LAN.</P><P></P><P>Regards,</P><P></P><P>Carlos Roque</P><P></P></BODY></HTML> Thu, 24 Apr 2003 15:45:35 GMT https://community.cisco.com/t5/network-security/icmp-trough-pix/m-p/145497#M614626 minoc 2003-04-24T15:45:35Z