12-17-2007 04:31 AM - edited 03-12-2019 05:51 PM
I have a Web/DNS server behind a PIX firewall. I cannot ping it. What access-list do I need to allow ping traffic through? Or is it even necessary to allow pings? Could that be a security risk for things such as DoS?
12-17-2007 04:37 AM
Hi Austin
Try this
policy-map global_policy
class inspection_default
inspect icmp
You'd better leave ICMP enabled for connectivity testing purposes. When you finish testing, disable it to avoid possible ping flood attacks.
Regards
12-17-2007 04:45 AM
Okay, just to make sure I understand you... Are the three lines above just for testing, or should I create an access-list to allow ICMP traffic for testing? Once I enter those three lines, will my server be vulnerable to DoS attacks?
Thanks for your help!
12-17-2007 05:03 AM
When you enter the above lines in their respective order in configure terminal mode in the CLI, ICMP will be allowed without the need for an ACL. When you finish your test, disable it by typing
policy-map global_policy
class inspection_default
no inspect icmp
12-17-2007 05:12 AM
Okay, one thing I'm not sure of is whether this makes a difference, but I am using a PIX 501, and I'm not familiar with the policy-map... are those valid commands for a 501?
Thanks!
12-17-2007 05:41 AM
Hmm, if that doesn't work you can try this
icmp permit any dmz
icmp permit any inside
or fixup protocol icmp
If that doesn't work either, write ACLs such as
access-list dmzrulenamehere permit icmp any any
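An added configuration example, not taken from any post in this thread, that puts the two approaches side by side: stateful ICMP inspection on releases that have the Modular Policy Framework (PIX/ASA 7.0 and later), and an explicit ACL narrowed to the ICMP types a ping needs for 6.x platforms such as the PIX 501. The server address 192.0.2.10 and the ACL name outside_in are placeholders, and an existing static translation for the server is assumed.

```cisco
! --- PIX/ASA 7.0+ (Modular Policy Framework): stateful ICMP inspection ---
! Echo-replies are matched to the requests that caused them, so no permanent
! ACL hole for return traffic is needed.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! --- PIX 6.x (e.g. PIX 501, which cannot run 7.x): explicit ACL ---
! Permit only the ICMP types a ping and traceroute need, to a single host,
! instead of "permit icmp any any". 192.0.2.10 is a placeholder for the
! server's public (static NAT) address.
access-list outside_in permit icmp any host 192.0.2.10 echo
! Lets replies to the server's own outbound pings come back in.
access-list outside_in permit icmp any host 192.0.2.10 echo-reply
! Without these two types path-MTU discovery and traceroute fail silently.
access-list outside_in permit icmp any host 192.0.2.10 unreachable
access-list outside_in permit icmp any host 192.0.2.10 time-exceeded
access-group outside_in in interface outside
!
! When the connectivity test is over, remove the echo line rather than
! leaving the server pingable from anywhere:
no access-list outside_in permit icmp any host 192.0.2.10 echo
!
! Caveat: "icmp permit any inside" controls ICMP addressed to the firewall's
! own interface, not traffic passing through it, so it does not by itself
! make the server reachable.
```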