275 Views | 5 Helpful | 1 Replies

global and icmp problem

brajesh.kumar
Level 1

Hi There

I have a little doubt regarding the global command.

If my global address is defined like this:

global (outside) 1 A.B.C.67 netmask 255.255.255.248

Are we using the A.B.C.67-A.B.C.71 addresses for outbound connections?

If so, why are we not using

global (outside) 1 A.B.C.67-A.B.C.71 netmask 255.255.255.0

One more doubt regarding ICMP traffic.

In the books it is written that ICMP traffic is not stateful, therefore we allow it explicitly.

So when pinging from DMZ(-) --> INSIDE(+), do we have to allow the returning ping traffic using an access-list on the Inside interface, or is that only the case when allowing it from the outside world (internet) to either the inside or the DMZ?

Thanks.

Brajesh

1 Reply

amatarri
Level 1

Brajesh,

The netmask keyword on the global command actually matters when you are defining a NAT pool. This way, the PIX will know which IPs are the subnet ID and the broadcast address and avoids using them. When you are using a single PAT address, the netmask keyword is optional.

Regarding ICMP, by default the PIX will allow any traffic from the inside to the DMZ or outside interfaces freely, unless you have created an access list on the inside to filter outgoing traffic. In this case, you will need to specify the ICMP traffic that you want to allow.

Since the DMZ has a lower security level (generally), you will need to allow ICMP traffic from the DMZ to the inside or the outside.

Aaron
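The following PIX 6.x style configuration fragment is an added illustration of both points in the thread; it is not configuration posted by either participant. The A.B.C.x addresses are the placeholders from the question, the interface names (inside, dmz, outside), the access-list names and the inside host 10.1.1.5 are constructed for the example, and lines beginning with "!" are annotations rather than commands.

```text
! --- NAT: single PAT address vs. a pool ---
! Everything on the inside uses NAT ID 1 when going out.
nat (inside) 1 0.0.0.0 0.0.0.0

! A single address is used as a PAT address; the netmask is optional here
! and does NOT turn A.B.C.67 into the range A.B.C.67-A.B.C.71.
global (outside) 1 A.B.C.67 netmask 255.255.255.248

! To use a pool, give the range explicitly. The /29 containing these
! addresses is A.B.C.64/29: .64 is the subnet ID and .71 is the broadcast
! address, so with the matching netmask the PIX skips both and hands out
! only A.B.C.65-A.B.C.70 for outbound connections.
global (outside) 1 A.B.C.65-A.B.C.70 netmask 255.255.255.248

! --- ICMP from the lower-security DMZ to the higher-security inside ---
! DMZ -> inside is lower -> higher, so it must be permitted explicitly
! (and the inside host needs a translation visible from the DMZ).
static (inside,dmz) 10.1.1.5 10.1.1.5 netmask 255.255.255.255
access-list dmz_in permit icmp any host 10.1.1.5 echo
access-group dmz_in in interface dmz

! The echo-reply travels inside -> DMZ (higher -> lower), which is allowed
! by default. Only if an access list is applied on the inside interface
! does the reply also have to be permitted there:
access-list inside_in permit icmp any any echo-reply
access-group inside_in in interface inside
```

On PIX 7.x and ASA software, adding `inspect icmp` to the global policy-map makes ICMP echo/echo-reply stateful, in which case the return traffic is tracked by the inspection engine and the explicit echo-reply entry is no longer needed.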