Re: pix firwall

From: Todd Veillette (tveillette@xxxxxxxx)
Date: Fri Apr 27 2001 - 22:19:54 GMT-3

• Next message: Randy Feliz: "Re: ip classless"
• Previous message: Jason1: "Re: Limit to Static Routes?"
• Maybe in reply to: dongbiao lee: "pix firwall"
• Next in thread: Jeff K.: "Re: pix firwall"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

   
I disagree with your forwarding theory. With a standard "conduit permit icmp
any any" all hosts all interfaces are reachable. There can be other external
factors that would not allow reachability, all of which are solvable.

----- Original Message -----
From: <Jeff.Kline@ci.austin.tx.us>
To: <chris@pacinter.net>; <Steve.Munro@integralis.com>;
<ccielab@groupstudy.com>
Sent: Friday, April 27, 2001 12:53 PM
Subject: RE: pix firwall

> Sure it will. I have security 0 on the outside and I can ping from the
edge
> router's inside interface to the PIX outside with no problem (even without
> the permit icmp conduit). All other outside sourced pings fail, as they
> should without the conduit. I will try to find the link on CCO, but I am
> pretty sure that the problem is with the PIX forwarding that ping request
to
> the outside subnet, where it gets dropped.
>
> -----Original Message-----
> From: chris@pacinter.net [mailto:chris@pacinter.net]
> Sent: Friday, April 27, 2001 11:04 AM
> To: Kline, Jeff; Steve.Munro@integralis.com; ccielab@groupstudy.com
> Subject: Re: pix firwall
>
>
> The PIX will not respond to a ping to its local interface with the
security
> 0 command in place for that interface. Make sure the DMZ interface your
> trying to ping is not in security 0
> ----- Original Message -----
> From: <Jeff.Kline@ci.austin.tx.us>
> To: <Steve.Munro@integralis.com>; <ccielab@groupstudy.com>
> Sent: Friday, April 27, 2001 8:41 AM
> Subject: RE: pix firwall
>
>
> > Actually, the icmp conduit must be open already since the original
e-mail
> > says that ping from inside to an outside host works. If I remember (I
> read
> > something about this on CCO, but can't seem to find it today), this is
> more
> > an issue with the way the IP packets are forwarded in the PIX.
Basically,
> > the PIX will receive your inside packet with a destination of the
outside
> > subnet (specifically it's outside interface). The PIX then forwards
this
> to
> > the next hop you defined in your ip route outside statement (yes, even
> > though it is for it's own interface), but you border router looks at it
as
> > being destined for that locally connected subnet, so it does not forward
> > back to the pix and the packet is dropped. If you are trying to test
PIX
> > connectivity, just make sure that your inside host can ping the PIX
inside
> > and the PIX can ping the outside next hop. I'm not sure why the PIX
> doesn't
> > just respond to the ping instead of forwarding that packet...
> >
> > -----Original Message-----
> > From: Steve Munro [mailto:Steve.Munro@integralis.com]
> > Sent: Friday, April 27, 2001 5:34 AM
> > To: ccielab
> > Subject: FW: pix firwall
> >
> >
> > -----Original Message-----
> > From: Steve Munro
> > Sent: Friday, April 27, 2001 10:50 AM
> > To: 'dongbiao lee'
> > Subject: RE: pix firwall
> >
> >
> > Unless you explicitly allow a ping to the firewall it will be denied -
> > standard security policy
> >
> >
> >
> > -----Original Message-----
> > From: dongbiao lee [mailto:dongbiao@yeah.net]
> > Sent: Friday, April 27, 2001 10:41 AM
> > To: ccielab@groupstudy.com
> > Subject: pix firwall
> >
> >
> > i devide the network into three zones: inside,dmz and outside.
> > ican ping from a pc in the inside zone to the pc in the outside zone,
but
> i
> > can't ping
> > from the inside pc to the pix interface of the outside. why?
> >
> > dongbiao lee
> > dongbiao@yeah.net
> > **Please read:http://www.groupstudy.com/list/posting.html
> > Integralis
> > Theale House
> > Brunel Road
> > Theale, Reading
> > RG7 4AQ
> > +44 (0) 118 9306060
> >
> > A member of the Articon-Integralis Group
> >
> > info@Integralis.com
> > http://www.integralis.com
> >
> >
> > DISCLAIMER
> > Any opinions expressed in this email are those of the individual and not
> > necessarily the Company. This email and any files transmitted with it,
> > including replies and forwarded copies (which may contain alterations)
> > subsequently transmitted from the Company, are confidential and solely
for
> > the use of the intended recipient. It may contain material protected by
> > attorney-client privilege. If you are not the intended recipient or the
> > person responsible for delivering to the intended recipient, be advised
> that
> > you have received this email in error and that any use is strictly
> > prohibited.
> >
> > If you have received this email in error please notify the IT manager by
> > telephone on +44 (0)118 930 6060 or via email to
> > internal.security@integralis.com, including a copy of this message.
Please
> > then delete this email and destroy any copies of it.
> > **Please read:http://www.groupstudy.com/list/posting.html
> > **Please read:http://www.groupstudy.com/list/posting.html
> **Please read:http://www.groupstudy.com/list/posting.html
**Please read:http://www.groupstudy.com/list/posting.html

• Next message: Randy Feliz: "Re: ip classless"
• Previous message: Jason1: "Re: Limit to Static Routes?"
• Maybe in reply to: dongbiao lee: "pix firwall"
• Next in thread: Jeff K.: "Re: pix firwall"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:30:00 GMT-3