Is this normal?

r.lent
Level 1

Hi,

My PIX 515e is showing the following message in the PDM log:

Deny icmp src outside: (ip address) dst inside: (ip address) (type 8, code 0) by access-group 101.

Is this normal or should I be worried?

Thanks for any replies.

Robin.

4 Replies

jmia
Level 7

Robin,

I see a lot of these icmp deny messages, basically someone out there is sending icmp traffic on to your inside ip address - to state the obvious - but your firewall is doing exactly what it was configured to do i.e. STOP icmp sweeps etc. Are all of the icmp source addresses the same? If so then you can look up one of these addresses by going to www.whois.org and use the whois resources section to ascertain the owner/ISP of the ip address.

I doubt that all the source addresses are the same; unfortunately in this case you'll find it hard to track down the originator!! But as I mentioned before your PIX is doing its job correctly and denying all icmp traffic.

I wouldn't worry too much about this icmp traffic. One thing you can also do is to go to www.grc.com and use the shields up service to check if there are any 'holes' on your firewall, this service I've used many times and it's secure and free.

Hope this helps and let me know if you need any further assistance.

Thanks - Jay.

Many thanks for your reply Jay.

At least I know my firewall is doing what it should!!

I have tried a few of the IP addresses in whois and a lot of them are coming from Australia!!

I am trying to contact the ISP for these domains but do not hold out much hope of any response.

Thanks again for your help.

Robin.

Quick followup question--

11-14-2003 19:14:55 Local5.Error 10.42.1.1 Nov 14 2003 13:17:02: %PIX-3-106011: Deny inbound (No xlate) icmp src inside:10.41.52.99 dst inside:10.38.127.6 (type 8, code 0)

10.41.52.99 is a valid network/host on my network. 10.38.127.6 does not live on my network anywhere.

I'm assuming that it's an outside address on the Internet somewhere, but how can that be the case?

Thanks--

This is how the PIX is seeing this packet. Somehow this host at 10.41.52.99 tried to icmp to the 10.38.127.6 address. Since it is not falling in the same subnet range as the source host, the packet will come to the pix and get discarded there.

Just a thought.

Thanks

Nadeem
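
The check suggested earlier in the thread (are the denied ICMP sources all the same?) can be run over an exported log. The following is an added example, not part of the original thread: it parses the two deny formats quoted above, names the ICMP type, marks RFC 1918 addresses, and groups denied destinations per source. The first three sample lines and all function names are constructed for illustration; the fourth sample line is the one quoted in the follow-up question.

```python
import ipaddress
import re

# Constructed sample input. Lines 1-3 use documentation-range placeholder
# addresses; line 4 is the %PIX-3-106011 message quoted in the thread.
SAMPLE_LOG = """\
Deny icmp src outside:203.0.113.7 dst inside:198.51.100.10 (type 8, code 0) by access-group 101
Deny icmp src outside:203.0.113.7 dst inside:198.51.100.11 (type 8, code 0) by access-group 101
Deny icmp src outside:203.0.113.90 dst inside:198.51.100.10 (type 8, code 0) by access-group 101
Nov 14 2003 13:17:02: %PIX-3-106011: Deny inbound (No xlate) icmp src inside:10.41.52.99 dst inside:10.38.127.6 (type 8, code 0)
"""

DENY_RE = re.compile(
    r"Deny (?:inbound \(No xlate\) )?icmp "
    r"src (?P<src_if>\w+):\s*(?P<src>[\d.]+) "
    r"dst (?P<dst_if>\w+):\s*(?P<dst>[\d.]+) "
    r"\(type (?P<type>\d+), code (?P<code>\d+)\)"
    r"(?: by access-group (?P<acl>[\w-]+))?"
)
ICMP_TYPES = {0: "echo-reply", 3: "destination-unreachable", 8: "echo-request", 11: "time-exceeded"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    """True if addr is in private (non-Internet-routable) RFC 1918 space."""
    return any(addr in net for net in RFC1918)

def parse_denies(text):
    """Return one dict per ICMP deny line found in text."""
    events = []
    for m in DENY_RE.finditer(text):
        e = m.groupdict()
        try:
            src, dst = ipaddress.ip_address(e["src"]), ipaddress.ip_address(e["dst"])
        except ValueError:
            continue  # skip lines whose address field is malformed
        e["icmp"] = ICMP_TYPES.get(int(e["type"]), "type-" + e["type"])
        e["src_rfc1918"], e["dst_rfc1918"] = is_rfc1918(src), is_rfc1918(dst)
        events.append(e)
    return events

def summarize(events):
    """Map each source address to the set of destinations it was denied to."""
    targets = {}
    for e in events:
        targets.setdefault(e["src"], set()).add(e["dst"])
    return targets

if __name__ == "__main__":
    for src, dsts in summarize(parse_denies(SAMPLE_LOG)).items():
        print(src, "->", sorted(dsts))
```

One source denied to many consecutive destinations is the sweep pattern mentioned above; a source and destination that are both RFC 1918 point to traffic originating inside the network rather than from the Internet.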