Re: ICMP

tonny_ecmyy · ‎01-18-2005

Hi,

I'm using site to site VPN, Branch A has an IP address 192.168.1.0 and Branch B has an IP address 192.168.2.0.

Branch A

access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.2.0

Branch B

access-list NONAT permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

Now, How do I only allow Pinging between 192.168.1.0 network and 192.168.2.0 and denied other ICMP?

Thanks

Tonny

turnbull · ‎01-18-2005

Hi Tonny,

The IPSEC access lists don't restrict traffic. they are used to signify interesting traffic for the VPN. Create an access list on the inside interfaces of the pix' to restrict traffic as required including ICMP.

Cheers,

Paul.

scoclayton · ‎01-18-2005

Excellent advice and probably the best answer. BUT, I will throw another idea out there. As Paul mentioned, blocking/permitting the traffic on the inside interface of the PIX is your best bet but I believe you can specify ICMP in the crypto ACL so that only ICMP traffic is tunneled. I know you can do this with L4 information with TCP and UDP traffic, just not sure if it works for other IP protocols.

If you want, make your crypto ACL's look like this:

Branch A

access-list 100 permit icmp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

Branch B

access-list 100 permit icmp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

(I may have these addresses wrong so don't go by that - I'm too lazy to look back at the original post).

If this doesn't work, disregard and go with what Paul said.

Later,

Scott

tony_ecmyy · ‎01-19-2005

Hello,

Wonder why i still can't ping between the 2 network,

should i apply access-list acl_in permit icmp?

here's my basic config:

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxx

passwd xxxx

hostname pix501

domain-name xxx

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list NONAT permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list NONAT permit icmp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.

0

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside dhcp setroute

ip address inside 192.168.2.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

global (outside) 10 interface

nat (inside) 0 access-list NONAT

nat (inside) 10 0.0.0.0 0.0.0.0 0 0

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 192.168.2.2 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set kkset esp-3des esp-md5-hmac

crypto map tomiri 10 ipsec-isakmp

crypto map tomiri 10 match address NONAT

crypto map tomiri 10 set peer 218.***.***.***

crypto map tomiri 10 set transform-set kkset

crypto map tomiri interface outside

isakmp enable outside

isakmp key ******** address 218.***.***.*** netmask 255.255.255.255

isakmp identity address

isakmp nat-traversal 20

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

thanks

Tonny