ICMP through Pix

minoc
Level 1

Does anyone know what would happen if a forged ICMP echo reply packet coming from the Internet to an inside host hit the outside interface of the Pix?

The inside host is statically translated on the pix. And an ACL which permits ICMP echo-reply, time-exceeded, source-quench and unreachable to the inside host is configured.

What will the Pix do?

Regards,

Carlos Roque

4 Replies

gfullage
Cisco Employee

The PIX doesn't do stateful inspection of ICMP packets as far as I'm aware, so if an echo-reply came in, even without an echo having first gone out, I would say the packet will be allowed in to the internal host.

Ok, you are right, the pix does not perform stateful inspection on ICMP packets, but since there was no connection originated from the inside interface it should block the ICMP reply packet once it hits the outside interface.

Regards,

Carlos Roque

For the icmp packets to cross the PIX it needs a translation rule and an access list rule to permit it. In your example, the translation rule is there with the static and you have specified the acl to allow the echo-reply in. My money would be on that the packet would be allowed in.

Hope it helps.

Steve

Right,

But how come the Pix will allow this if there was no ICMP echo connection originated from the internal host?

If you are correct, then the Pix is not performing its job in securing the inside segment. I am pretty sure Checkpoint Firewall-1 will not allow this to go through it.

Anyone could hijack resources located either on a DMZ or inside LAN.

Regards,

Carlos Roque
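The disagreement in this thread comes down to whether the firewall keeps any state for ICMP. The following Python model is an added example, not part of the thread and not PIX code: it puts the stateless "static translation plus ACL" behaviour the replies describe next to a stateful ICMP tracker that only admits an echo-reply matching an echo-request that was seen leaving. The addresses, identifier and sequence values are constructed; a real stateful inspector would also match the quoted inner header of error messages (unreachable, time-exceeded), which this model leaves to the ACL.

```python
"""Stateless vs. stateful handling of an unsolicited (forged) ICMP echo-reply.

Added example for the thread above; it models the policies discussed,
it does not reproduce PIX code. All packets below are constructed.
"""
from dataclasses import dataclass

ECHO_REPLY = 0
UNREACHABLE = 3
SOURCE_QUENCH = 4
ECHO_REQUEST = 8
TIME_EXCEEDED = 11


@dataclass(frozen=True)
class Icmp:
    src: str
    dst: str
    icmp_type: int
    ident: int = 0               # echo identifier field
    seq: int = 0                 # echo sequence number
    direction: str = "inbound"   # "inbound" = arrives on the outside interface


INSIDE_HOST = "10.0.0.10"        # constructed inside address
STATIC_OUTSIDE = "203.0.113.10"  # constructed static (outside) translation
REMOTE = "198.51.100.5"          # constructed Internet host

# Static translation: outside address -> inside address (the thread's "static")
STATICS = {STATIC_OUTSIDE: INSIDE_HOST}
# ACL on the outside interface, as the question describes it
OUTSIDE_ACL = {ECHO_REPLY, TIME_EXCEEDED, SOURCE_QUENCH, UNREACHABLE}


def stateless_filter(pkt: Icmp) -> bool:
    """Translation rule + ACL only, no connection state (the behaviour the replies predict)."""
    if pkt.direction != "inbound":
        return True
    if pkt.dst not in STATICS:
        return False                 # no translation for this destination: dropped
    return pkt.icmp_type in OUTSIDE_ACL


class StatefulFilter:
    """Admits an inbound echo-reply only if it answers an outbound echo-request."""

    def __init__(self) -> None:
        # (translated src, remote dst, ident, seq) of requests awaiting a reply
        self.pending: set[tuple[str, str, int, int]] = set()

    def process(self, pkt: Icmp) -> bool:
        if pkt.direction == "outbound":
            if pkt.icmp_type == ECHO_REQUEST:
                # remember the tuple the answering reply must carry (post-NAT src)
                self.pending.add((pkt.src, pkt.dst, pkt.ident, pkt.seq))
            return True
        # inbound: translation and ACL still apply first
        if pkt.dst not in STATICS or pkt.icmp_type not in OUTSIDE_ACL:
            return False
        if pkt.icmp_type == ECHO_REPLY:
            key = (pkt.dst, pkt.src, pkt.ident, pkt.seq)
            if key in self.pending:
                self.pending.discard(key)   # one reply per request
                return True
            return False                    # unsolicited/forged reply: dropped
        return True   # error messages pass per the ACL (inner-header match omitted here)


def forged_reply_outcome() -> dict:
    """Forged echo-reply from the Internet with no prior request from inside."""
    forged = Icmp(REMOTE, STATIC_OUTSIDE, ECHO_REPLY, ident=0x1234, seq=1)
    return {"stateless": stateless_filter(forged),
            "stateful": StatefulFilter().process(forged)}


def solicited_reply_outcome() -> dict:
    """Inside host pings out first; the matching reply should pass, a second copy should not."""
    fw = StatefulFilter()
    fw.process(Icmp(STATIC_OUTSIDE, REMOTE, ECHO_REQUEST, ident=7, seq=3, direction="outbound"))
    reply = Icmp(REMOTE, STATIC_OUTSIDE, ECHO_REPLY, ident=7, seq=3)
    return {"first": fw.process(reply), "replay": fw.process(reply)}


if __name__ == "__main__":
    print("forged reply:", forged_reply_outcome())
    print("solicited reply:", solicited_reply_outcome())
```

Run as written, the stateless model passes the forged reply (translation exists and the ACL permits echo-reply), while the stateful model drops it and only accepts a reply whose identifier and sequence match a request it saw go out. If a device behaves like the stateless model, the mitigation available within the ACL itself is to permit only the ICMP error types that inside connections actually depend on and to keep echo-reply out unless there is a specific need for it.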
