RE: pix firewall

From: Jeff.Kline@xxxxxxxxxxxxxxx
Date: Fri Apr 27 2001 - 13:53:06 GMT-3


Sure it will. I have security 0 on the outside and I can ping from the edge
router's inside interface to the PIX outside with no problem (even without
the permit icmp conduit). All other outside sourced pings fail, as they
should without the conduit. I will try to find the link on CCO, but I am
pretty sure that the problem is with the PIX forwarding that ping request to
the outside subnet, where it gets dropped.

-----Original Message-----
From: chris@pacinter.net [mailto:chris@pacinter.net]
Sent: Friday, April 27, 2001 11:04 AM
To: Kline, Jeff; Steve.Munro@integralis.com; ccielab@groupstudy.com
Subject: Re: pix firewall

The PIX will not respond to a ping to its local interface with the security
0 command in place for that interface. Make sure the DMZ interface you're
trying to ping is not in security 0.
----- Original Message -----
From: <Jeff.Kline@ci.austin.tx.us>
To: <Steve.Munro@integralis.com>; <ccielab@groupstudy.com>
Sent: Friday, April 27, 2001 8:41 AM
Subject: RE: pix firewall

> Actually, the icmp conduit must be open already since the original e-mail
> says that ping from inside to an outside host works. If I remember (I read
> something about this on CCO, but can't seem to find it today), this is more
> an issue with the way the IP packets are forwarded in the PIX. Basically,
> the PIX will receive your inside packet with a destination of the outside
> subnet (specifically its outside interface). The PIX then forwards this to
> the next hop you defined in your ip route outside statement (yes, even
> though it is for its own interface), but your border router looks at it as
> being destined for that locally connected subnet, so it does not forward
> back to the pix and the packet is dropped. If you are trying to test PIX
> connectivity, just make sure that your inside host can ping the PIX inside
> and the PIX can ping the outside next hop. I'm not sure why the PIX doesn't
> just respond to the ping instead of forwarding that packet...
>
> -----Original Message-----
> From: Steve Munro [mailto:Steve.Munro@integralis.com]
> Sent: Friday, April 27, 2001 5:34 AM
> To: ccielab
> Subject: FW: pix firewall
>
>
> -----Original Message-----
> From: Steve Munro
> Sent: Friday, April 27, 2001 10:50 AM
> To: 'dongbiao lee'
> Subject: RE: pix firewall
>
>
> Unless you explicitly allow a ping to the firewall it will be denied,
> standard security policy.
>
>
>
> -----Original Message-----
> From: dongbiao lee [mailto:dongbiao@yeah.net]
> Sent: Friday, April 27, 2001 10:41 AM
> To: ccielab@groupstudy.com
> Subject: pix firewall
>
>
> I divide the network into three zones: inside, dmz and outside.
> I can ping from a pc in the inside zone to the pc in the outside zone, but I
> can't ping from the inside pc to the pix interface of the outside. Why?
>
> dongbiao lee
> dongbiao@yeah.net
> **Please read:http://www.groupstudy.com/list/posting.html



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:29:59 GMT-3