Pix 501 and ICMP

Mishra Member Posts: 2,468
First thing, I am not great at Cisco...

Now for the help I need.

I need to allow ICMP traffic out to the internet so that I can finally troubleshoot when network outages happen. In my pix firewall, the only lines showing ICMP are these:

icmp permit any inside
access-list msngr permit icmp any any

Now from what I know, which isn't much, those lines should do it. But I still cannot ping outside of our network. Any suggestions?
My blog http://www.calegp.com

You may learn something!

Comments

  • sprkymrk Member Posts: 4,884
    Is there a rule that might be conflicting with this? Perhaps a deny rule that comes first in the access list?
    access-list msngr permit icmp any any

    That should work.... as long as the access list is applied.
    All things are possible, only believe.
  • Mishra Member Posts: 2,468
    The only deny rule I see is

    access-list hole deny ip any any

    and that is after the ICMP rule was set.
    My blog http://www.calegp.com

    You may learn something!
  • Mishra Member Posts: 2,468
    Oh, and I can only assume the access-list is applied because we had to reboot the pix and I haven't changed anything since I started working at this place (3 weeks ago).
    My blog http://www.calegp.com

    You may learn something!
  • sprkymrk Member Posts: 4,884
    I think if you do a show run you should see something like:

    access-group msngr in interface interface name

    That will tell you if the access list in question is in use.
    All things are possible, only believe.
  • Mishra Member Posts: 2,468
    sprkymrk wrote:
    I think if you do a show run you should see something like:

    access-group msngr in interface interface name

    That will tell you if the access list in question is in use.

    Ah, thanks. Both access-lists seem to be running.

    access-group hole in interface outside
    access-group msngr in interface inside
    My blog http://www.calegp.com

    You may learn something!
  • sprkymrk Member Posts: 4,884
    Well I hate to just make suggestions on messing with your production firewall w/o knowing exactly what all is on it, but you might try adding the line:

    access-list hole permit icmp any any

    Make sure it is above the deny ip line.
    Just to see if it's being blocked there.

    The best thing to do is to perform a packet **** on the pix while trying to ping or tracert from your workstation to something external and see if it's going out or not. If it is going out, is it coming back in? That might tell you where the problem is.
    All things are possible, only believe.
  • pr3d4t0r Member Posts: 173
    From my experience allowing icmp like any any is not so good.
    I know that troubleshooting will be more difficult this way but it can save your network.
    Allow specific icmp types only and from a specific host, e.g. NMS or something.

    I don't know how many of you happen to know backdoors that are triggered by icmp requests. After that reverse shell over 80 and gg.

    The above is an advanced technique that works. (believe me).
  • sprkymrk Member Posts: 4,884
    pr3d4t0r wrote:
    From my experience allowing icmp like any any is not so good.
    I know that troubleshooting will be more difficult this way but it can save your network.
    Allow specific icmp types only and from a specific host, e.g. NMS or something.

    I don't know how many of you happen to know backdoors that are triggered by icmp requests. After that reverse shell over 80 and gg.

    The above is an advanced technique that works. (believe me).

    Completely agree.
    Just trying to get a basic working config first, then as you state it can be locked down by specifying type and even source/destination.
    All things are possible, only believe.
  • Mishra Member Posts: 2,468
    I went back to this subject today... Thinking about it a little more, I agree that you need to allow ICMP requests on the outside access list.

    And I think I will use my desktop as the NMS. ;)

    I have a PIX 515 BTW. >_<

    I think I will add

    access-list hole permit icmp any mydesktop

    then add a host entry in the pix since it isn't using DNS
    My blog http://www.calegp.com

    You may learn something!
  • tech-airman Member Posts: 953
    Mishra wrote:
    I went back to this subject today... Thinking about it a little more, I agree that you need to allow ICMP requests on the outside access list.

    And I think I will use my desktop as the NMS. ;)

    I have a PIX 515 BTW. >_<

    I think I will add

    access-list hole permit icmp any mydesktop

    then add a host entry in the pix since it isn't using DNS

    Mishra,

    Disclaimer: I only know ACLs to the CCNA level.

    If you're wanting to troubleshoot, aka ping FROM your desktop TO destinations on the internet, then wouldn't the following be better?
    (config)# access-list hole permit icmp mydesktop any
    
  • Mishra Member Posts: 2,468
    Mishra wrote:
    I went back to this subject today... Thinking about it a little more, I agree that you need to allow ICMP requests on the outside access list.

    And I think I will use my desktop as the NMS. ;)

    I have a PIX 515 BTW. >_<

    I think I will add

    access-list hole permit icmp any mydesktop

    then add a host entry in the pix since it isn't using DNS

    Mishra,

    Disclaimer: I only know ACLs to the CCNA level.

    If you're wanting to troubleshoot, aka ping FROM your desktop TO destinations on the internet, then wouldn't the following be better?
    (config)# access-list hole permit icmp mydesktop any
    

    I'm applying the access-list on the outside interface... Which would mean that I am trying to allow ICMP requests to come to my desktop. I already allow all traffic to go outbound. So wouldn't the source be any and the destination be my desktop?
    My blog http://www.calegp.com

    You may learn something!
  • tech-airman Member Posts: 953
    Mishra wrote:
    Mishra wrote:
    I went back to this subject today... Thinking about it a little more, I agree that you need to allow ICMP requests on the outside access list.

    And I think I will use my desktop as the NMS. ;)

    I have a PIX 515 BTW. >_<

    I think I will add

    access-list hole permit icmp any mydesktop

    then add a host entry in the pix since it isn't using DNS

    Mishra,

    Disclaimer: I only know ACLs to the CCNA level.

    If you're wanting to troubleshoot, aka ping FROM your desktop TO destinations on the internet, then wouldn't the following be better?
    (config)# access-list hole permit icmp mydesktop any
    

    I'm applying the access-list on the outside interface... Which would mean that I am trying to allow ICMP requests to come to my desktop. I already allow all traffic to go outbound. So wouldn't the source be any and the destination be my desktop?

    Mishra,

    Yes, it is correct that the source be any and the destination be your desktop. However, that would also permit your desktop to be detected by anyone on the internet and also open your desktop to potential DoS or DDoS attacks. It will have to be your decision if the cost of security is worth the benefit of the added capability.
  • Mishra Member Posts: 2,468
    Mishra,

    Yes, it is correct that the source be any and the destination be your desktop. However, that would also permit your desktop to be detected by anyone on the internet and also open your desktop to potential DoS or DDoS attacks. It will have to be your decision if the cost of security is worth the benefit of the added capability.

    Thanks for the responses. Yeah, I need to be able to ping things so that I can do pingpaths and/or tracert/traceroutes in order to see what traffic is doing in my network. If someone wants to somehow find my desktop and spam it then they are welcome to. ^_^ I think the firewall may still detect these events.
    My blog http://www.calegp.com

    You may learn something!
  • sprkymrk Member Posts: 4,884
    Mishra wrote:
    Mishra,

    Yes, it is correct that the source be any and the destination be your desktop. However, that would also permit your desktop to be detected by anyone on the internet and also open your desktop to potential DoS or DDoS attacks. It will have to be your decision if the cost of security is worth the benefit of the added capability.

    Thanks for the responses. Yeah, I need to be able to ping things so that I can do pingpaths and/or tracert/traceroutes in order to see what traffic is doing in my network. If someone wants to somehow find my desktop and spam it then they are welcome to. ^_^ I think the firewall may still detect these events.

    Mishra:

    If you want, on the outside access list, instead of allowing ICMP, allow the specific type of ICMP such as ICMP-echo-reply. That way it will not allow all types, like the ICMP-echo-request.
    All things are possible, only believe.
  • glorfindal2000 Member Posts: 2
    sprkymrk wrote:
    Mishra wrote:
    Mishra,

    Yes, it is correct that the source be any and the destination be your desktop. However, that would also permit your desktop to be detected by anyone on the internet and also open your desktop to potential DoS or DDoS attacks. It will have to be your decision if the cost of security is worth the benefit of the added capability.

    Thanks for the responses. Yeah, I need to be able to ping things so that I can do pingpaths and/or tracert/traceroutes in order to see what traffic is doing in my network. If someone wants to somehow find my desktop and spam it then they are welcome to. ^_^ I think the firewall may still detect these events.

    Mishra:

    If you want, on the outside access list, instead of allowing ICMP, allow the specific type of ICMP such as ICMP-echo-reply. That way it will not allow all types, like the ICMP-echo-request.

    Just to add to the above, you'll also want to allow these icmp types back through:

    time-exceeded
    unreachable
  • sprkymrk Member Posts: 4,884
    sprkymrk wrote:
    Mishra:

    If you want, on the outside access list, instead of allowing ICMP, allow the specific type of ICMP such as ICMP-echo-reply. That way it will not allow all types, like the ICMP-echo-request.

    Just to add to the above, you'll also want to allow these icmp types back through:

    time-exceeded
    unreachable

    Good first post, thank you for chiming in! :)
    All things are possible, only believe.
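Added example (not posted by anyone in this thread and not Cisco code): a small Python model of PIX first-match ACL evaluation, run against the locked-down outside list the last posts describe (echo-reply, time-exceeded and unreachable to the NMS host only, followed by the existing deny ip any any) and against the same entries with the deny placed first, which is the ordering conflict raised near the top of the thread. The 'hole' entries, the 192.0.2.10 global address standing in for the desktop and the 198.51.100.7 source address are constructed.

```python
import ipaddress
from typing import NamedTuple

class Packet(NamedTuple):
    proto: str           # "icmp", "tcp", "udp", ...
    src: str
    dst: str
    icmp_type: str = ""  # e.g. "echo-reply"; empty for non-ICMP traffic

def _take_addr(tok, i):
    """Consume one PIX address spec (any | host A | A MASK) starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def evaluate(config_lines, name, pkt):
    """Apply access-list <name> to pkt: first matching ACE wins, unmatched = implicit deny."""
    aces = [ln.split()[2:] for ln in config_lines if ln.split()[:2] == ["access-list", name]]
    for ace in aces:                    # ace = [action, proto, src..., dst..., [icmp-type]]
        src, i = _take_addr(ace, 2)
        dst, i = _take_addr(ace, i)
        icmp_type = ace[i] if i < len(ace) else ""
        if ace[1] not in ("ip", pkt.proto):
            continue
        if (ipaddress.ip_address(pkt.src) not in src
                or ipaddress.ip_address(pkt.dst) not in dst):
            continue
        if icmp_type and icmp_type != pkt.icmp_type:
            continue
        return ace[0] == "permit"
    return False

# Constructed outside-interface list: only the replies a ping or traceroute from the
# NMS desktop (global address 192.0.2.10, constructed) needs back in, then the deny.
LOCKED_DOWN = [
    "access-list hole permit icmp any host 192.0.2.10 echo-reply",
    "access-list hole permit icmp any host 192.0.2.10 time-exceeded",
    "access-list hole permit icmp any host 192.0.2.10 unreachable",
    "access-list hole deny ip any any",
]
# Same entries with the deny first: an earlier deny shadows every later permit.
MISORDERED = [LOCKED_DOWN[-1]] + LOCKED_DOWN[:-1]

def inbound_allowed(acl_lines, src, icmp_type, dst="192.0.2.10"):
    """Would an ICMP packet from src to dst get through the outside list 'hole'?"""
    return evaluate(acl_lines, "hole", Packet("icmp", src, dst, icmp_type))
```

Inbound echo-request to the desktop and any ICMP aimed at another inside host fall through to the deny, while the three reply types the desktop's own pings and traceroutes generate are let back in.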