Pix 501 and ICMP

First thing, I am not great at Cisco...

Now for the help I need.

I need to allow ICMP traffic out to the internet so that I can finally troubleshoot when network outages happen. In my pix firewall, the only lines showing ICMP are this

icmp permit any inside
access-list msngr permit icmp any any

Now from what I know, which isn't much, those lines should do it. But I still cannot ping outside of our network. Any suggestions?

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

sprkymrk

Is there a rule that might be conflicting with this? Perhaps a deny rule that comes first in the access list?

access-list msngr permit icmp any any

That should work.... as long as the access list is applied.

Mishra

The only deny rule I see is

access-list hole deny ip any any

and that is after the ICMP rule was set.

Mishra

Oh and I can only assume the access-list is applied because we had to reboot the pix and I haven't changed anything since I started working at this place (3 weeks ago).

sprkymrk

I think if you do a show run you should see something like:

access-group msngr in interface interface name

That will tell you if the access list in question is in use.

Mishra

sprkymrk wrote:

I think if you do a show run you should see something like:

access-group msngr in interface interface name

That will tell you if the access list in question is in use.

Ah, thanks. Both access-lists seem to be running.

access-group hole in interface outside
access-group msngr in interface inside

sprkymrk

Well I hate to just make suggestions on messing with your production firewall w/o knowing exactly what all is on it, but you might try adding the line:

access-list hole permit icmp any any

Make sure it is above the deny ip line.
Just to see if it's being blocked there.

The best thing to do is to perform a packet **** on the pix while trying to ping or tracert from your workstation to something external and see if it's going out or not. If it is going out, is it coming back in? That might tell you where the problem is.

pr3d4t0r

From my experience allowing icmp like any any is not so good.
I know that troubleshooting will be more difficult this way but it can save your network.
Allow specific icmp types only and from a specific host, e.g NMS or something.

I don't know how many of you happen to know backdoors that are triggered by icmp requests. After that reverse shell over 80 and gg.

The above is an advanced technique that works. (believe me).

sprkymrk

pr3d4t0r wrote:

From my experience allowing icmp like any any is not so good.
I know that troubleshooting will be more difficult this way but it can save your network.
Allow specific icmp types only and from a specific host, e.g NMS or something.

I don't know how many of you happen to know backdoors that are triggered by icmp requests. After that reverse shell over 80 and gg.

The above is an advanced technique that works. (believe me).

Completely agree.

Just trying to get a basic working config first, then as you state it can be locked down by specifying type and even source/destination.

Mishra

I went back to this subject today... Thinking about it a little more, I agree that you need to allow ICMP requests on the outside access list.

And I think I will use my desktop as the NMS.

I have a PIX 515 BTW. >_<

I think I will add

access-list hole permit icmp any mydesktop

then add a host entry in the pix since it isn't using DNS

tech-airman

Mishra wrote:

I went back to this subject today... Thinking about it a little more, I agree that you need to allow ICMP requests on the outside access list.

And I think I will use my desktop as the NMS.

I have a PIX 515 BTW. >_<

I think I will add

access-list hole permit icmp any mydesktop

then add a host entry in the pix since it isn't using DNS

Mishra,

Disclaimer: I only know ACLs to the CCNA level.

If you're wanting to troubleshoot, aka ping FROM your desktop TO destinations on the internet, then wouldn't the following be better?

(config)# access-list hole permit icmp mydesktop any

Mishra

tech-airman wrote:
Mishra wrote:

I went back to this subject today... Thinking about it a little more, I agree that you need to allow ICMP requests on the outside access list.

And I think I will use my desktop as the NMS.

I have a PIX 515 BTW. >_<

I think I will add

access-list hole permit icmp any mydesktop

then add a host entry in the pix since it isn't using DNS

Mishra,

Disclaimer: I only know ACLs to the CCNA level.

If you're wanting to troubleshoot, aka ping FROM your desktop TO destinations on the internet, then wouldn't the following be better?
(config)# access-list hole permit icmp mydesktop any

I'm applying the access-list on the outside interface... Which would mean that I am trying to allow ICMP requests to be allowed to come to my desktop. I already allow all traffic to go outbound. So wouldn't the source be any and the destination be my desktop?

tech-airman

Mishra wrote:
tech-airman wrote:
Mishra wrote:

I went back to this subject today... Thinking about it a little more, I agree that you need to allow ICMP requests on the outside access list.

And I think I will use my desktop as the NMS.

I have a PIX 515 BTW. >_<

I think I will add

access-list hole permit icmp any mydesktop

then add a host entry in the pix since it isn't using DNS

Mishra,

Disclaimer: I only know ACLs to the CCNA level.

If you're wanting to troubleshoot, aka ping FROM your desktop TO destinations on the internet, then wouldn't the following be better?
(config)# access-list hole permit icmp mydesktop any
I'm applying the access-list on the outside interface... Which would mean that I am trying to allow ICMP requests to be allowed to come to my desktop. I already allow all traffic to go outbound. So wouldn't the source be any and the destination be my desktop?

Mishra,

Yes, it is correct that the source be any and the destination be your desktop. However, that would also permit your desktop to be detected by anyone on the internet and also open your desktop to potential DoS or DDos attacks. It will have to be your decision if the cost of security is worth the benefit of the added capability.

Mishra

tech-airman wrote:

Mishra,

Yes, it is correct that the source be any and the destination be your desktop. However, that would also permit your desktop to be detected by anyone on the internet and also open your desktop to potential DoS or DDos attacks. It will have to be your decision if the cost of security is worth the benefit of the added capability.

Thanks for the responses. Yeah I need to be able to ping things that way that I can do pingpaths and/or tracert/traceroutes in order to see what traffic is doing in my network. If someone wants to somehow find my desktop and spam it then they are welcome to. ^_^ I think the firewall may still detect these events.

sprkymrk

Mishra wrote:

tech-airman wrote:

Mishra,

Yes, it is correct that the source be any and the destination be your desktop. However, that would also permit your desktop to be detected by anyone on the internet and also open your desktop to potential DoS or DDos attacks. It will have to be your decision if the cost of security is worth the benefit of the added capability.

Thanks for the responses. Yeah I need to be able to ping things that way that I can do pingpaths and/or tracert/traceroutes in order to see what traffic is doing in my network. If someone wants to somehow find my desktop and spam it then they are welcome to. ^_^ I think the firewall may still detect these events.

Mishra:

If you want, on the outside access list, instead of allowing ICMP, allow the specific type of ICMP such as ICMP-echo-reply. That way it will not allow all types, like the ICMP-echo-request.

glorfindal2000

sprkymrk wrote:

Mishra wrote:

tech-airman wrote:

Mishra,

Yes, it is correct that the source be any and the destination be your desktop. However, that would also permit your desktop to be detected by anyone on the internet and also open your desktop to potential DoS or DDos attacks. It will have to be your decision if the cost of security is worth the benefit of the added capability.

Thanks for the responses. Yeah I need to be able to ping things that way that I can do pingpaths and/or tracert/traceroutes in order to see what traffic is doing in my network. If someone wants to somehow find my desktop and spam it then they are welcome to. ^_^ I think the firewall may still detect these events.

Mishra:

If you want, on the outside access list, instead of allowing ICMP, allow the specific type of ICMP such as ICMP-echo-reply. That way it will not allow all types, like the ICMP-echo-request.

Just to add to the above, you'll also want to allow these icmp types back through:

time-exceeded
unreachable

sprkymrk

glorfindal2000 wrote:

sprkymrk wrote:

Mishra:

If you want, on the outside access list, instead of allowing ICMP, allow the specific type of ICMP such as ICMP-echo-reply. That way it will not allow all types, like the ICMP-echo-request.

Just to add to the above, you'll also want to allow these icmp types back through:

time-exceeded
unreachable

Good first post, thank you for chiming in!