11-04-2004 05:17 PM - edited 03-09-2019 09:21 AM
Hi,
I have a PIX 515E with 1 outside 1 inside & 1 DMZ
and I want to:
Ping from the inside to the outside & dmz;
Ping from the dmz to outside;
Receive the replies;
Do not allow others to ping my DMZ & Inside;
or for my DMZ & Inside reply to their requests;
I want to see all error messages;
I want path MTU discovery to work for me;
I want to be able to traceroute;
I do not want any other ICMP crossing from my inside/dmz to the outside, coming or going.
How can I do this?
TIA
Armando
11-05-2004 11:36 AM
You can use the icmp command or access-lists; of course access-lists are more flexible, but for some cases it just works with the icmp command.
See:
Source:
The PIX and the traceroute Command
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800e9312.shtml
Handling ICMP Pings with the PIX Firewall
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
Example:
icmp deny any outside
icmp permit any echo-reply outside
icmp permit any echo-reply dmz
icmp permit any echo-reply inside
icmp permit any information-reply outside
icmp permit any information-reply dmz
icmp permit any information-reply inside
icmp permit InsideNet InsideNetmask echo inside
icmp permit DMZNetwork DMZNetmask echo dmz
I have not seen what MTU discovery uses???
See Command Reference:
sincerely
Patrick
11-05-2004 03:15 PM
Thank you Patrick
I will use your post and I'll try adding:
icmp permit any unreachable outside
For MTU discovery I believe it is Type 3 Code 4, as on http://www.iana.org/assignments/icmp-parameters
I don't know if my VPN Contivity will like this, but I'll try.
My config is:
Internet
|
|
router
|
|
pix---dmz---VPNcontivity
|                         |
|                         |
inside--------------------
static (dmz,outside) VPN-Public VPN-DMZ netmask 255.255.255.255 0 0 norandomseq
Sincerely,
Armando
11-05-2004 06:50 PM
Hi guys:
I just want to add to Patrick's post about how PIX handles ICMP. Don't forget that access-list (or the classic conduit) statements are used to permit/deny ICMP traffic going THROUGH the PIXes. The ICMP command, on the other hand, handles ICMP traffic that terminates AT THE PIX INTERFACES.
For more information on the SYNTAX of these two commands, please check the PIX command reference below:
Thanks,
Binh
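Putting the two replies together, here is an added example (not a configuration posted by anyone in this thread) of what Armando's requirements could look like on a three-interface PIX 6.x, with the icmp command covering traffic that terminates at the PIX and access-lists covering traffic that passes through it. "InsideNet InsideNetmask" and "DMZNetwork DMZNetmask" are the placeholders from Patrick's post; the ACL names outside_in, inside_out and dmz_in are made up here, and the lines starting with "!" are explanatory comments to read, not commands to paste. It assumes the translations between the interfaces (such as Armando's static for the Contivity) are already in place.

```cisco
! --- Traffic terminating AT the PIX interfaces (icmp command, first match wins) ---
! Hosts behind the PIX may ping its inside/dmz interfaces; the outside interface
! accepts only the replies and error messages that answer probes the PIX itself sent.
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp deny any outside
icmp permit InsideNet InsideNetmask echo inside
icmp permit DMZNetwork DMZNetmask echo dmz

! --- Traffic passing THROUGH the PIX (access-list + access-group) ---
! Outside -> in: echo-reply for ping, unreachable (type 3, code 4 is the
! fragmentation-needed message PMTUD relies on) and time-exceeded for traceroute.
! There is deliberately no "echo" here, so nobody outside can ping inside or DMZ hosts,
! and the implicit deny at the end drops every other ICMP type.
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any unreachable
access-list outside_in permit icmp any any time-exceeded
! (other inbound rules, e.g. for the VPN-Public static, would be added here)
access-group outside_in in interface outside

! Inside -> out/dmz: echo is the only ICMP allowed to leave; every other ICMP type
! from the inside is dropped; non-ICMP traffic keeps flowing as before.
access-list inside_out permit icmp InsideNet InsideNetmask any echo
access-list inside_out deny icmp InsideNet InsideNetmask any
access-list inside_out permit ip InsideNet InsideNetmask any
access-group inside_out in interface inside

! DMZ -> out: echo only. The replies and errors a DMZ host sends back to an inside
! host enter the PIX on the dmz interface, so they must be permitted here too.
access-list dmz_in permit icmp DMZNetwork DMZNetmask any echo
access-list dmz_in permit icmp DMZNetwork DMZNetmask InsideNet InsideNetmask echo-reply
access-list dmz_in permit icmp DMZNetwork DMZNetmask InsideNet InsideNetmask unreachable
access-list dmz_in permit icmp DMZNetwork DMZNetmask InsideNet InsideNetmask time-exceeded
access-list dmz_in deny icmp DMZNetwork DMZNetmask any
access-list dmz_in permit ip DMZNetwork DMZNetmask any
access-group dmz_in in interface dmz
```

The trade-off to be aware of: with plain access-lists the PIX does not check that an inbound echo-reply, unreachable or time-exceeded actually answers a probe that went out, so these three types are accepted from any outside source. Narrowing the destination in the outside_in lines from "any" to the addresses that are translated on the outside is the main tightening available in this form; after any change, "show access-list" on the PIX shows hit counts per line, which is the quickest way to confirm that ping, traceroute and PMTUD are matching the intended entries rather than the implicit deny.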