10-14-2001 06:16 AM - edited 02-20-2020 09:16 PM
Hi,
I have a problem configuring the PIX to permit connections from higher to lower security. I use the command nat 0 and an access-list 101 permit statement, and applied the access-list to the interface with "access-group 101 in interface inside". But even a ping to the outside server which is defined in the access-list doesn't get a reply back (the server has a default gateway to the PIX outside intf). With a debug icmp trace, I can see the echo request going through the PIX, but I can't see the echo reply back to the PIX! I wonder if the PIX silently drops the echo reply???
Searching on the Bug Navigator doesn't hit any bugs regarding this problem.
Some reading on a Cisco mailing list reveals that the nat 0 command is not so stable (nat 0 works for a while and then it dies). Is this true? Has anyone experienced problems with the nat 0 command on the 5.x series?
Appreciate any help.
Regards.
10-15-2001 03:57 AM
ICMP packets are dropped from outside to inside interfaces. You should use an access-list on the outside interface to permit ICMP reply into the inside.
10-15-2001 06:36 AM
Thanks mazhar,
That helps me. I should create another access-list on the outside intf to permit the ICMP reply back to the sender!
I was thinking that since the PIX already knew the source and destination of the ICMP request, it should permit the ICMP reply back from the destination to the sender.
Why does the PIX treat the ICMP request and ICMP reply as different sessions?
10-15-2001 02:31 PM
Because they are completely different packets. ICMP is stateless!
10-16-2001 04:24 AM
However, ICMP echo reply packets do contain enough information to indicate that they are in fact replies to valid requests, and not false replies.
This can be achieved using the Identifier and Sequence Number fields sent in the echo request packet, which should be returned in the echo reply message.
If firewalling devices checked this, then tools like loki (and its many variants) would have more difficulty running.
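The matching described in the reply above, as an added example that is not part of the original thread or of any Cisco code: a small stateful ICMP echo table that parses the RFC 792 echo header, records outbound echo requests by (source, destination, Identifier, Sequence Number), and admits an inbound echo reply only when it matches a pending request that has not yet expired. The addresses, timeout value and the `echo()` packet builder are constructed for the example.

```python
import struct

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8

def parse_icmp(packet: bytes):
    """Return (type, code, identifier, sequence) from a raw ICMP echo header (RFC 792)."""
    if len(packet) < 8:
        raise ValueError("ICMP header too short")
    icmp_type, code, _checksum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return icmp_type, code, ident, seq

class EchoStateTable:
    """Stateful ICMP inspection: a reply is admitted only if it answers a pending request."""

    def __init__(self, timeout=2.0):
        self.timeout = timeout       # constructed value; seconds a request stays pending
        self.pending = {}            # (src, dst, identifier, sequence) -> time request was seen

    def _expire(self, now):
        # Drop requests that never got a reply within the timeout window.
        self.pending = {k: t for k, t in self.pending.items() if now - t <= self.timeout}

    def outbound(self, src, dst, packet, now=0.0):
        """Track an echo request leaving the inside interface; returns True if tracked."""
        self._expire(now)
        icmp_type, _code, ident, seq = parse_icmp(packet)
        if icmp_type != ICMP_ECHO_REQUEST:
            return False
        self.pending[(src, dst, ident, seq)] = now
        return True

    def inbound(self, src, dst, packet, now=0.0):
        """Decide whether an echo reply arriving on the outside interface is admitted."""
        self._expire(now)
        icmp_type, _code, ident, seq = parse_icmp(packet)
        if icmp_type != ICMP_ECHO_REPLY:
            return False
        key = (dst, src, ident, seq)  # a reply reverses the request's src/dst
        if key not in self.pending:
            return False              # unsolicited, mismatched id/seq, or already consumed
        del self.pending[key]         # exactly one reply per request
        return True

def echo(icmp_type, ident, seq, payload=b""):
    """Build a constructed ICMP echo packet; the checksum is zeroed since matching ignores it."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
```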