From: Andrew (arousch@xxxxxxxx)
Date: Fri Apr 27 2001 - 13:10:29 GMT-3
The PIX automatically allows pings (or ICMP for that matter) from the
inside (high security zone) to the outside (low security zone) because it's
an established connection. But, as stated before, you need to explicitly
allow ICMP through from a lower security level to a higher security
level. As far as pinging the outside interface from the inside, try 'ping
outside' from the PIX.
-A
At 10:41 AM 4/27/01 -0500, Jeff.Kline@ci.austin.tx.us wrote:
>Actually, the ICMP conduit must be open already since the original e-mail
>says that ping from inside to an outside host works. If I remember (I read
>something about this on CCO, but can't seem to find it today), this is more
>an issue with the way the IP packets are forwarded in the PIX. Basically,
>the PIX will receive your inside packet with a destination of the outside
>subnet (specifically its outside interface). The PIX then forwards this to
>the next hop you defined in your ip route outside statement (yes, even
>though it is for its own interface), but your border router looks at it as
>being destined for that locally connected subnet, so it does not forward
>back to the PIX and the packet is dropped. If you are trying to test PIX
>connectivity, just make sure that your inside host can ping the PIX inside
>and the PIX can ping the outside next hop. I'm not sure why the PIX doesn't
>just respond to the ping instead of forwarding that packet...
>
>-----Original Message-----
>From: Steve Munro [mailto:Steve.Munro@integralis.com]
>Sent: Friday, April 27, 2001 5:34 AM
>To: ccielab
>Subject: FW: pix firewall
>
>
>-----Original Message-----
>From: Steve Munro
>Sent: Friday, April 27, 2001 10:50 AM
>To: 'dongbiao lee'
>Subject: RE: pix firewall
>
>
>Unless you explicitly allow a ping to the firewall it will be denied -
>standard security policy.
>
>
>
>-----Original Message-----
>From: dongbiao lee [mailto:dongbiao@yeah.net]
>Sent: Friday, April 27, 2001 10:41 AM
>To: ccielab@groupstudy.com
>Subject: pix firewall
>
>
>I divide the network into three zones: inside, DMZ and outside.
>I can ping from a PC in the inside zone to the PC in the outside zone, but I
>can't ping from the inside PC to the outside interface of the PIX. Why?
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:29:59 GMT-3