Security Basics mailing list archives

Re: unable to ping behind cisco pix firewall even no deny access list


From: Alexander Lukyanenko <sashman () ua fm>
Date: Sat, 6 Dec 2003 22:34:11 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello Hilal,
Saturday, December 6, 2003, 5:58:43 PM, you wrote:

HH> I can browse the internet, telnet, msn, chating, but I CAN'T do ping any
HH> internet host (like yahoo, or cnn)
This is a pretty typical behavior.
The ICMP (ping) packets get dropped somewhere along the path.
It may be your firewall that disallows ICMP Echo Requests and
Responses.
It may be your ISP.
It may be the target host (like yahoo.com and microsoft.com in fact DO block ICMP).

HH> and also some users can't access the
HH> internet web based BANK LOGIN ACCOUNT, and maybe other internet services!
Open the 443/TCP (outbound) port on the firewall, if it is not open
already. That would allow the users from inside the network to connect to the
HTTP Secure port (https://) on the outside machines, such as e-finance
servers.

HH> if not, let me add some points that might make things clearer.
Please specify what machines are on the network, what OSes are
running, are they patched in time (especially the case with Windows
systems), do the IP addresses belong to the private subnets? (do the
IPs start with 10 or 192.168?).

HH> Our network
HH> has been infected and still infected by a virus that is using one of the
HH> pc's to generate lots of ARP traffic which is affecting the whole network
HH> throughput.
A common practice is to unplug the infected machines from the network
and not to connect them back until they are all cleaned up and double
checked. I urge you to do that now. You can save yourself a lot of
headache in the future if you deal with incidents as soon as they
appear.

HH> could this be overwhelming the firewall buffer? Nevertheless, I
HH> rebooted the Cisco PIX firewall, but the problem is still the same, NO CHANGES.
It may be flooding the ARP table of the firewall.
(AFAIR, someone has recently asked how to flood the ARP table of a Cisco)

HH> Moreover, I am using the Kiwi Syslog Daemon software to audit logs of the
HH> pix firewall, but it is not giving anything on the screen as it is saying
HH> "unable to open UDP socket on port 514".
What OS does the Kiwi syslogd run on? Is the system secure?

HH> Please tell me, is this issue related to the above-mentioned issue or what?
HH> if not, how to resolve it, knowing that I installed Fport and it showed me
HH> that UDP port is already used by the system, with no service name mentioned.


HH> I wish you are not confused with this junk of issues, maybe it is related,
HH> maybe not, but all I want to say is that it happened all at once, and I am not
HH> able to figure out what the resolution steps could be.


* * * * * * * * * * * * * * *
* Alexander V. Lukyanenko   *
* ma1lt0: sashman ua fm     *
* ICQ#  : 86195208          *
* Phone : +380 44 458 07 23 *
* OpenPGP key ID: 75EC057C  *
* NIC   : SASH4-UANIC       *
* * * * * * * * * * * * * * *
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (MingW32)

iD8DBQE/0j1Llz+8e3XsBXwRAiuSAKCdxpWeEzv/GIAIN9vyu1M1H0qVIgCeLXVW
6wKHIMH1fvZjc4x/TccFdvo=
=Utka
-----END PGP SIGNATURE-----
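The three firewall-side points raised in the reply above (letting ping replies back in, permitting outbound 443/TCP, and getting the PIX to send its log to the Kiwi host) map to a short PIX 6.x configuration. The fragment below is an added illustration written by the editor, not part of Alexander's message or Hilal's configuration; the interface names, ACL names, the 192.168.1.0/24 inside subnet and the 192.168.1.50 Kiwi host are assumptions chosen for the example.

```text
! --- Added example (not from the original thread); PIX 6.x syntax.
! --- Assumed: interfaces named "inside" and "outside", inside subnet
! --- 192.168.1.0/24, Kiwi Syslog Daemon host at 192.168.1.50.

! Outbound policy. NOTE: as soon as an ACL is bound to "inside", the
! default "permit everything outbound" is gone, so list every service
! the users need, not only 443.
access-list acl_inside permit tcp 192.168.1.0 255.255.255.0 any eq 80
access-list acl_inside permit tcp 192.168.1.0 255.255.255.0 any eq 443
access-list acl_inside permit tcp 192.168.1.0 255.255.255.0 any eq 23
access-list acl_inside permit udp 192.168.1.0 255.255.255.0 any eq 53
access-list acl_inside permit tcp 192.168.1.0 255.255.255.0 any eq 53
access-list acl_inside permit icmp 192.168.1.0 255.255.255.0 any echo
access-group acl_inside in interface inside

! Inbound policy. PIX 6.x does not track ICMP state, so the echo-reply
! to an inside ping is dropped at "outside" unless explicitly permitted.
! Only reply-type messages are allowed in; echo (inbound ping) stays blocked.
access-list acl_outside permit icmp any any echo-reply
access-list acl_outside permit icmp any any time-exceeded
access-list acl_outside permit icmp any any unreachable
access-group acl_outside in interface outside

! Syslog to the Kiwi host on the inside interface (UDP/514 is the default).
logging on
logging timestamp
logging trap informational
logging host inside 192.168.1.50

! Verification after applying:
!   show access-list     - hit counters climb on the 443 and echo-reply lines
!   show logging         - confirms logging is enabled and the host is listed
!   show arp             - size of the ARP table while the infected PC is attached
```

Two caveats for anyone adapting this. First, if ping still fails after the echo-reply rule is in place, the drop is somewhere else on the path (ISP or target, as the reply says), and `show access-list` will show the echo-reply line's counter not moving. Second, the PIX sending to UDP/514 does not help until Kiwi can actually bind that port: on the Windows host, `netstat -a -n -o` lists the listening UDP sockets together with the owning process ID, which is the missing piece Fport reported as "no service name".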
