Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
286
Views
5
Helpful
3
Replies

ICMP Question on PIX515E

armandoferreira
Level 1
Level 1

‎11-04-2004 05:17 PM - edited ‎03-09-2019 09:21 AM

Hi,

I have a PIX 515E with 1 outside 1 inside & 1 DMZ

and I want to:

Ping from the inside to the outside & dmz;

Ping from the dmz to outside;

Receive the replies;

Do not allow others to ping my DMZ & Inside;

or for my DMZ & Inside reply to their requests;

I want to see all error messages;

I want to path MTU discovery to work for me;

I want to be able to traceroute;

I do not want any other ICMP crossing from my inside/dmz to the outside, coming or going.

How can I do this?

TIA

Armando

Labels:
0 Helpful
3 Replies 3

Patrick Iseli
Level 7
Level 7

‎11-05-2004 11:36 AM

You can use the icmp^command or access-list, of course access-lists are more flexible but for some cases it just works with the icmp command.

See:

Source:

The PIX and the traceroute Command

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800e9312.shtml

Handling ICMP Pings with the PIX Firewall

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

example:

icmp deny any outside

icmp permit any echo-reply outside

icmp permit any echo-reply dmz

icmp permit any echo-reply inside

icmp permit any information-reply outside

icmp permit any information-reply dmz

icmp permit any information-reply inside

icmp permit InsideNet InsideNetmask echo inside

icmp permit DMZNetwork DNZNetmask echo dmz

I have not seen what MTU discovery uses ???

See Command Reference:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a9.html#wp1026574

sincerely

Patrick

0 Helpful

armandoferreira
Level 1
Level 1
In response to Patrick Iseli

‎11-05-2004 03:15 PM

Thank you Patrick

I will use your post and I'll try adding:

icmp permit any unreachable outside

For MTU discover I believe is Type 3 Code 4 as on http://www.iana.org/assignments/icmp-parameters

I dont know if my VPN Contivity will like this but I'll try.

My config is:

Internet

|

|

router

|

|

pix---dmz---VPNcontivity

|.........................|

|.........................|

inside--------------

static (dmz,outside) VPN-Public VPN-DMZ netmask 255.255.255.255 0 0 norandomseq

Sincerely,

Armando

0 Helpful

hoangbp
Level 1
Level 1
In response to armandoferreira

‎11-05-2004 06:50 PM

Hi guys:

I just want to add to Patrick's post about how PIX handles ICMP. Don't forget that access-list (or the classic conduit) statements are used to permit/deny ICM P traffic going THROUGH the PIXes. ICMP command on the other hand handles ICMP traffic that terminate AT THE PIX INTERFACES.

For more information on the SYNTAX of these two commands, please check the PIX command reference below:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a9.html#wp1026574

Thanks,

Binh

Customers Also Viewed These Support Documents