Firewall Wizards mailing list archives

Re: PIX 515 7.1 vs: 8.0


From: "Christopher J. Wargaski" <wargo1 () gmail com>
Date: Sat, 19 Mar 2011 22:19:42 -0500

Hey Brian--

   Pings going through a PIX work a little differently than other traffic like,
say, TCP. With TCP and UDP return traffic is implicitly allowed through the
PIX *if* the PIX can identify what "connection" or "session" it belongs to.
This is why you do not have to explicitly allow return traffic on the
outside interface.

   That is not the case with ICMP. With ICMP, you must allow echo-replies on
the DMZ or outside interfaces. For example, on a PIX that only services
traffic originating from the inside interface to the outside interface, I
want ping and traceroute to work. So I have this ACL applied to the outside
interface.

access-list Inbound extended permit icmp any any echo-reply
access-list Inbound extended permit icmp any any time-exceeded

   You would need to do the same with an ACL applied to the DMZ interface.


cjw


On Sat, Mar 19, 2011 at 9:04 PM, Brian Blater <brb.lists () gmail com> wrote:

On Sat, Mar 19, 2011 at 3:41 PM, Christopher J. Wargaski
<wargo1 () gmail com> wrote:
One new question about this is if my inside interface is a security
100 and my dmz is a security 50 and I have no ACL defined on the
inside interface, how come a ping from the inside to a device on
the dmz does not work? The only ACLs on the inside are the implicit
rules any to any less secure and any any deny. Is it that I would need
to have an additional rule on the dmz to allow icmp from the inside to
the dmz?

Thank you for the help. If you can't tell, I know enough to be
dangerous, but certainly not enough to be a guru at this.

Brian

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
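The following is an added illustration, not code from the thread or from Cisco: a small Python model of the forwarding decision Christopher describes, run against Brian's topology (inside at security 100, DMZ at 50, outside at 0). It shows why a TCP connection from the inside to the DMZ works with no ACLs at all (the SYN-ACK matches a tracked connection), why the echo-reply of a ping is dropped on the DMZ interface (ICMP is not tracked by default and the reply travels lower-to-higher), and how the two ACL lines from the reply fix it. The addresses, interface-to-prefix routing and class names are constructed for the example. The `inspect_icmp` flag stands in for the PIX 7.x `inspect icmp` service-policy option, which makes echo/echo-reply stateful; the original post does not mention it, so treat that branch as an added caveat rather than part of Christopher's advice.

```python
"""Toy model of PIX-style forwarding for TCP versus ICMP (constructed example).

Rules modelled:
  1. Traffic entering an interface with no ACL is allowed only toward a
     lower security level; an ACL on the ingress interface replaces that
     implicit rule and ends in an implicit deny.
  2. TCP/UDP return traffic matching a tracked connection is passed without
     consulting ACLs.
  3. ICMP is not tracked unless `inspect_icmp` is set, so echo-reply and
     time-exceeded arriving on a lower-security interface need an ACL entry.
     (The model tracks only echo/echo-reply; time-exceeded always needs the ACL.)
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0        # TCP/UDP source port, 0 for ICMP
    dport: int = 0        # TCP/UDP destination port, 0 for ICMP
    icmp_type: str = ""   # "echo", "echo-reply", "time-exceeded", ...


@dataclass
class AclEntry:
    proto: str
    icmp_type: Optional[str] = None   # None matches any ICMP type

    def matches(self, pkt):
        if pkt.proto != self.proto:
            return False
        return self.icmp_type is None or self.icmp_type == pkt.icmp_type


@dataclass
class Pix:
    levels: dict                               # interface -> security level
    routes: dict                               # first octet -> interface (constructed routing)
    acls: dict = field(default_factory=dict)   # interface -> list[AclEntry] applied inbound
    inspect_icmp: bool = False
    conns: set = field(default_factory=set)    # tracked session keys

    @staticmethod
    def _key(pkt):
        if pkt.proto == "icmp":
            return ("icmp", pkt.src, pkt.dst)
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse_key(pkt):
        if pkt.proto == "icmp":
            # Only an echo-reply is the return half of a tracked echo.
            return ("icmp", pkt.dst, pkt.src) if pkt.icmp_type == "echo-reply" else None
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def forward(self, pkt):
        ingress = self.routes[pkt.src.split(".")[0]]
        egress = self.routes[pkt.dst.split(".")[0]]
        if self._reverse_key(pkt) in self.conns:
            return "allow (existing connection)"
        if ingress in self.acls:
            if not any(e.matches(pkt) for e in self.acls[ingress]):
                return "deny (acl)"
        elif self.levels[ingress] <= self.levels[egress]:
            return "deny (implicit lower-to-higher)"
        # Forward direction permitted: record state so the reply can come back.
        if pkt.proto in ("tcp", "udp") or (self.inspect_icmp and pkt.icmp_type == "echo"):
            self.conns.add(self._key(pkt))
        return "allow"


def build_pix(dmz_acl=None, inspect_icmp=False):
    pix = Pix(levels={"inside": 100, "dmz": 50, "outside": 0},
              routes={"10": "inside", "172": "dmz", "203": "outside"},
              inspect_icmp=inspect_icmp)
    if dmz_acl is not None:
        pix.acls["dmz"] = dmz_acl
    return pix


def ping_inside_to_dmz(pix):
    """Verdicts for the echo and the echo-reply of one ping (inside -> DMZ host)."""
    echo = Packet("icmp", "10.0.0.5", "172.16.0.10", icmp_type="echo")
    reply = Packet("icmp", "172.16.0.10", "10.0.0.5", icmp_type="echo-reply")
    return pix.forward(echo), pix.forward(reply)


def tcp_inside_to_dmz(pix):
    """Verdicts for a SYN and the returning SYN-ACK of one TCP connection."""
    syn = Packet("tcp", "10.0.0.5", "172.16.0.10", 40000, 80)
    synack = Packet("tcp", "172.16.0.10", "10.0.0.5", 80, 40000)
    return pix.forward(syn), pix.forward(synack)


def unsolicited_dmz_echo(pix):
    """A DMZ host pinging inside on its own: the reply-only ACL must not let this through."""
    return pix.forward(Packet("icmp", "172.16.0.10", "10.0.0.5", icmp_type="echo"))


# Equivalent of the two lines from the reply, applied inbound on the DMZ interface.
DMZ_ICMP_ACL = [AclEntry("icmp", "echo-reply"), AclEntry("icmp", "time-exceeded")]

if __name__ == "__main__":
    print("no ACL, ping:      ", ping_inside_to_dmz(build_pix()))
    print("no ACL, tcp:       ", tcp_inside_to_dmz(build_pix()))
    print("reply ACL, ping:   ", ping_inside_to_dmz(build_pix(dmz_acl=DMZ_ICMP_ACL)))
    print("reply ACL, dmz echo:", unsolicited_dmz_echo(build_pix(dmz_acl=DMZ_ICMP_ACL)))
    print("inspect icmp, ping:", ping_inside_to_dmz(build_pix(inspect_icmp=True)))
```

Two points worth noticing in the output: the TCP case passes with no ACL because the SYN created a connection entry, whereas the echo-reply with no ACL is dropped by the implicit lower-to-higher rule, exactly the symptom Brian reported. Once the ACL is applied to the DMZ interface it is the only thing consulted there, so it should list just the reply types you need (echo-reply for ping, time-exceeded for traceroute); an unsolicited echo from the DMZ toward the inside still hits the implicit deny at the end of the ACL.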