RE: pix firwall

From: Jeff.Kline@xxxxxxxxxxxxxxx
Date: Fri Apr 27 2001 - 12:41:50 GMT-3


   
Actually, the icmp conduit must be open already since the original e-mail
says that ping from inside to an outside host works. If I remember (I read
something about this on CCO, but can't seem to find it today), this is more
an issue with the way the IP packets are forwarded in the PIX. Basically,
the PIX will receive your inside packet with a destination of the outside
subnet (specifically its outside interface). The PIX then forwards this to
the next hop you defined in your ip route outside statement (yes, even
though it is for its own interface), but your border router looks at it as
being destined for that locally connected subnet, so it does not forward
back to the pix and the packet is dropped. If you are trying to test PIX
connectivity, just make sure that your inside host can ping the PIX inside
and the PIX can ping the outside next hop. I'm not sure why the PIX doesn't
just respond to the ping instead of forwarding that packet...

-----Original Message-----
From: Steve Munro [mailto:Steve.Munro@integralis.com]
Sent: Friday, April 27, 2001 5:34 AM
To: ccielab
Subject: FW: pix firwall

-----Original Message-----
From: Steve Munro
Sent: Friday, April 27, 2001 10:50 AM
To: 'dongbiao lee'
Subject: RE: pix firwall

Unless you explicitly allow a ping to the firewall it will be denied -
standard security policy

-----Original Message-----
From: dongbiao lee [mailto:dongbiao@yeah.net]
Sent: Friday, April 27, 2001 10:41 AM
To: ccielab@groupstudy.com
Subject: pix firwall

I divide the network into three zones: inside, dmz and outside.
I can ping from a pc in the inside zone to the pc in the outside zone, but I
can't ping
from the inside pc to the pix interface of the outside. Why?

            dongbiao lee
            dongbiao@yeah.net
**Please read:http://www.groupstudy.com/list/posting.html



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:29:59 GMT-3