Security Basics mailing list archives
RE: unable to ping behind cisco pix firewall even no deny access list
From: "Charlie Winckless" <charliew () netarch com>
Date: Mon, 8 Dec 2003 14:04:31 -0700
-----Original Message-----
From: Hilal Hussein [mailto:hilalma () hotmail com]
Sent: Saturday, December 06, 2003 8:59 AM
To: security-basics () securityfocus com
Cc: sashman () ua fm; sjackson () horizonusa com
Comments in-line, below...
Till now, we are OK. Let me list the problems and the crazy issues: I can browse the internet, telnet, MSN, chatting, but I CAN'T ping any internet host (like Yahoo or CNN), and also some users can't access the internet web-based BANK LOGIN ACCOUNT, and maybe other internet services!
On the PIX, ping (or any ICMP) is not stateful. You'll have to explicitly allow the ICMP types that you wish into your network with an ACL. I generally allow echo-reply (depending on the policy of the customer w.r.t clients being able to ping), unreachable, time-exceeded and parameter-problem. GES.
Moreover, I am using the Kiwi Syslog Daemon software to audit logs of the PIX firewall, but it is not giving anything on the screen, as it is saying "unable to open UDP socket on port 514". Please tell me, is this issue related to the above-mentioned issue or what? If not, how do I resolve it, knowing that I installed Fport and it showed me that the UDP port is already used by the system, with no service name mentioned.
514/UDP would be syslog. Some other syslog daemon apparently has it grabbed. If you get Vision from Foundstone, it may well tell you what's up. As to the individual sites that are causing issues: do you have any common theme? Do you have ActiveX or Java filtering on the PIX enabled?
Regards, Hilal
-- Charlie
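The ICMP return-traffic ACL and the syslog export described in the reply above, written out as an added PIX 6.x configuration example (not taken from either poster's mail). The interface name `outside`, the ACL name `outside_in`, and the syslog host address 192.168.1.10 are assumptions; substitute your own.

```cisco
! Constructed example, PIX 6.x syntax. Assumes the untrusted interface is
! named "outside" and that no inbound ACL is yet applied to it.
!
! ICMP is not tracked statefully on this PIX, so replies to outbound pings
! and the control messages that make path MTU discovery and traceroute
! work must be permitted inbound explicitly. Everything not listed here
! stays blocked by the implicit deny at the end of the ACL, so plain echo
! (inbound ping requests) is still refused.
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any unreachable
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit icmp any any parameter-problem
!
! Bind the ACL to inbound traffic on the outside interface. If an inbound
! ACL is already applied there, add the four lines above to that ACL
! instead of creating a new one, since access-group replaces the binding.
access-group outside_in in interface outside
!
! Send firewall logs to a syslog collector on the inside network
! (assumed address 192.168.1.10, UDP/514) at informational level, so
! denied ICMP and blocked sessions to the troublesome web sites show up
! in the collector once it actually owns the 514/UDP socket.
logging on
logging timestamp
logging trap informational
logging host inside 192.168.1.10
```

After applying, `show access-list outside_in` shows per-line hit counts, which is the quickest way to confirm that echo-reply packets are now matching rather than being dropped by the implicit deny.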