RE: unable to ping behind cisco pix firewall even no deny access list

["Charlie Winckless" <charliew () netarch com>]

> -----Original Message-----
> From: Hilal Hussein [mailto:hilalma () hotmail com]
> Sent: Saturday, December 06, 2003 8:59 AM
> To: security-basics () securityfocus com
> Cc: sashman () ua fm; sjackson () horizonusa com

Comments in-line, below...

> Till now, we are ok, let me list the problems and the crazy issues:
>
> I can browse the internet, telnet, msn, chating, but I CAN"T 
> do ping any 
> internet host (like yahoo, or cnn) and also some users can't 
> access the 
> internet web based BANK LOGGIN ACCOUNT, and maybe other 
> internet services!

On the PIX, ping (or any ICMP) is not stateful. 
You'll have to explicitly allow the ICMP types that 
you wish into your network with an ACL.

I generally allow echo-reply (depending on the policy of the
customer w.r.t clients being able to ping), unreachable, 
time-exceeded and parameter-problem.

GES.
> Moreover, I am using the Kiwi Syslog Daemon software to audit 
> logs of the 
> pix firewall, but it is not giving anything on the screen as 
> it is saying 
> "unable to open UDP socket on port 514".
> Please tell me, is this issue related to the aboved mentioned 
> issue or what?
> if not, how to resolve it, knowing that i installed Fport and 
> it showed me 
> that udp port is already used by the sytem, with no service 
> name mentioned.

514/UDP would be syslog. Some other syslog daemon apparently
has it grabbed. If you get Vision from Foundstone, it may
well tell you what's up.

As to the individual sites that are causing issues: do you
have any common theme? Do you have activeX or java filtering
on the PIX enabled?

> Regards,
> Hilal

-- Charlie

---------------------------------------------------------------------------
----------------------------------------------------------------------------