ICMP from the outside

bill.sheldon
Level 1

I am running a 515E firewall using S/W 6.2(1)

We are managing a network on the inside of the F/W that is 10.0.0.0/8.

On the outside we have a number of statics -

static (inside,outside) tcp 203.42.151.10 ssh 10.17.100.10 ssh netmask 255.255.255.255 0 0

static (inside,outside) 203.42.151.12 10.17.101.4 netmask 255.255.255.255 0 0

static (inside,outside) 203.42.151.11 10.17.100.11 netmask 255.255.255.255 0 0

static (inside,outside) 203.42.151.9 10.17.101.5 netmask 255.255.255.255 0 0

static (inside,outside) 203.42.151.13 10.17.101.6 netmask 255.255.255.255 0 0

We also have an acl for allowing ICMP from particular outside address ranges

access-list acl_outside permit icmp 203.36.212.96 255.255.255.240 any

access-list acl_outside permit icmp 203.36.212.64 255.255.255.240 any

We also have a static route on the inside

route inside 10.0.0.0 255.0.0.0 10.17.103.253 1

I am using inside nat only.

Now, here's the problem.

If I do a basic ping 10.17.100.1, which is not in the allowable static list, from the outside, I do not get through. This is to be expected, as I am using the outside i/f of the outside router as a source address - 203.42.151.14 - and the acl on the outside PIX i/f stops it.

However, if I use an allowable src address via an extended ping, 203.36.212.65, it succeeds. I can see ICMP traces through the f/w, but no xlates.

Why does this happen?

As a hole has been drilled through the firewall, and no stateful connection is used, has the inside network been compromised?

2 Replies

jins
Level 1

As there is no static NAT for the IP 10.17.100.1, one possibility could be the NAT 0, since there is a route on the PIX for that subnet. Please check if you have NAT 0 configured on the PIX for the subnet containing IP 10.17.100.1. But I don't think this is an issue.

Thanks
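To check the two observations in the question (the ping from 203.42.151.14 is dropped, the ping from 203.36.212.65 passes the acl even though 10.17.100.1 has no static), here is an added audit script that is not from the original thread. It parses the static and access-list lines quoted in the question, reports whether an inbound packet matches acl_outside and whether its destination is a static global, and lists the permits whose destination is "any"; the function names are my own.

```python
import ipaddress

# Constructed sample: the static and access-list lines quoted in the question.
PIX_CONFIG = """
static (inside,outside) tcp 203.42.151.10 ssh 10.17.100.10 ssh netmask 255.255.255.255 0 0
static (inside,outside) 203.42.151.12 10.17.101.4 netmask 255.255.255.255 0 0
static (inside,outside) 203.42.151.11 10.17.100.11 netmask 255.255.255.255 0 0
static (inside,outside) 203.42.151.9 10.17.101.5 netmask 255.255.255.255 0 0
static (inside,outside) 203.42.151.13 10.17.101.6 netmask 255.255.255.255 0 0
access-list acl_outside permit icmp 203.36.212.96 255.255.255.240 any
access-list acl_outside permit icmp 203.36.212.64 255.255.255.240 any
"""

def _net(tokens, i):
    """Read a PIX address spec ('any' or 'addr mask') starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2

def parse_config(text):
    """Return (set of global IPs that have a static, list of (proto, src, dst) permits)."""
    statics, permits = set(), []
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] == "static":
            # 'static (i,o) [tcp|udp] global [port] local [port] netmask ...'
            idx = 3 if t[2] in ("tcp", "udp") else 2
            statics.add(ipaddress.ip_address(t[idx]))
        elif t[0] == "access-list" and t[2] == "permit":
            src, i = _net(t, 4)
            dst, _ = _net(t, i)
            permits.append((t[3], src, dst))
    return statics, permits

def audit_inbound(text, proto, src, dst):
    """Does the outside acl pass this packet, and is its destination a static global?"""
    statics, permits = parse_config(text)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    acl_ok = any(p == proto and s in sn and d in dn for p, sn, dn in permits)
    return {"acl_permits": acl_ok, "dst_has_static": d in statics}

def any_dst_permits(text):
    """Permits with destination 'any': these also admit traffic to addresses with no static."""
    _, permits = parse_config(text)
    return [(p, str(sn)) for p, sn, dn in permits if dn.prefixlen == 0]

if __name__ == "__main__":
    print(audit_inbound(PIX_CONFIG, "icmp", "203.36.212.65", "10.17.100.1"))
    print(any_dst_permits(PIX_CONFIG))
```

An entry that shows acl_permits True with dst_has_static False is a candidate for narrowing the destination from "any" to the static globals, so that reachability of an unmapped inside address depends on the acl rather than on whether nat 0 covers it.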