From: Farrukh Haroon (farrukhharoon@gmail.com)
Date: Tue Aug 19 2008 - 03:17:54 ART
No, not at all, this is just disabling one of the IDS signatures on the PIX (related
to ICMP/ping). I think it has only 59 signatures in total. The others will
remain on their default values.
Regards
Farrukh
On Tue, Aug 19, 2008 at 9:03 AM, Truman Ford <truman.ccie@gmail.com> wrote:
> Farrukh,
>
> The customer has an IDS (Cyberoam) connected to this PIX, so will applying the
> below command affect the Cyberoam?
>
>
>
>
> On 8/19/08, Farrukh Haroon <farrukhharoon@gmail.com> wrote:
>>
>> You have enabled the IDS feature built in to the PIX. This is blocking
>> your pings.
>>
>> Do this:
>>
>> ip audit signature 2004 disable
>>
>> Regards
>>
>> Farrukh
>>
>>
>> On Tue, Aug 19, 2008 at 8:00 AM, Truman Ford <truman.ccie@gmail.com> wrote:
>>
>>> Hi Experts,
>>>
>>> I have faced a very strange problem with a PIX.
>>> The problem is that the customer complained that he is not able to ping the
>>> inside IP of the PIX from his LAN, but was able to do so before.
>>> BUT he is able to SSH :). I checked in the PIX that ICMP is permitted.
>>> For troubleshooting, I directly connected the PIX inside interface to
>>> the laptop, with the laptop on the same subnet as the PIX inside IP; unfortunately
>>> I was not able to ping from the laptop to the inside IP of the PIX and vice versa,
>>> BUT I was able to SSH from the laptop :). When I do "debug icmp" on the PIX and
>>> ping the inside IP of the PIX from the directly connected laptop, I can see the
>>> following logs on the PIX, where .2 is the laptop IP address and .1 is the PIX
>>> inside IP address.
>>> The firewall is off on the laptop.
>>>
>>> Please help!!!!!!!!!!
>>>
>>>
>>> 400014: IDS:2004 ICMP echo request from 190.168.10.2 to 190.168.10.1 on
>>> interface inside
>>>
>>> 400014: IDS:2004 ICMP echo request from 190.168.10.2 to 190.168.10.1 on
>>> interface inside
>>>
>>> 400014: IDS:2004 ICMP echo request from 190.168.10.2 to 190.168.10.1 on
>>> interface inside
>>>
>>>
>>>
>>> PIX config (in short):
>>>
>>> PIX Version 6.3(5)127
>>> interface ethernet0 100full
>>> interface ethernet1 auto
>>> nameif ethernet0 outside security0
>>> nameif ethernet1 inside security100
>>> enable password xxx encrypted
>>> passwd xxxx encrypted
>>> hostname PIX
>>> domain-name pixfw
>>> clock timezone ist 12 30
>>> fixup protocol dns maximum-length 512
>>> fixup protocol ftp 21
>>> fixup protocol ftp 18001
>>> fixup protocol h323 h225 1720
>>> fixup protocol h323 ras 1718-1719
>>> fixup protocol http 80
>>> fixup protocol rsh 514
>>> fixup protocol rtsp 554
>>> fixup protocol sip 5060
>>> fixup protocol sip udp 5060
>>> fixup protocol skinny 2000
>>> fixup protocol smtp 25
>>> fixup protocol sqlnet 1521
>>> fixup protocol tftp 69
>>>
>>> access-list inside_access_in permit icmp any any echo
>>>
>>> access-group inside_access_in in interface inside
>>>
>>> ip address inside 190.168.10.1 255.255.255.0
>>>
>>> Thanks,
>>>
>>> Truman
>>>
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Mon Sep 01 2008 - 08:15:31 ART
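The 400014 / IDS:2004 syslog lines Truman posted are easy to triage programmatically. The script below is an added example, not code from the thread or from Cisco: it parses PIX IDS messages in that format and separates inside hosts pinging the firewall's own inside address (the symptom in the thread) from other hits. The sample log is constructed from the three lines in the thread plus one made-up outside-interface line for contrast.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# PIX IDS syslog format as it appears in the thread:
#   400014: IDS:2004 ICMP echo request from 190.168.10.2 to 190.168.10.1 on interface inside
IDS_LINE = re.compile(
    r"(?P<msgid>\d{6}): IDS:(?P<sig>\d+) (?P<desc>.+?) "
    r"from (?P<src>[\d.]+) to (?P<dst>[\d.]+) on interface (?P<iface>\S+)"
)

# Constructed sample: the thread's three hits plus one constructed outside hit.
SAMPLE_LOG = """\
400014: IDS:2004 ICMP echo request from 190.168.10.2 to 190.168.10.1 on interface inside
400014: IDS:2004 ICMP echo request from 190.168.10.2 to 190.168.10.1 on interface inside
400014: IDS:2004 ICMP echo request from 190.168.10.2 to 190.168.10.1 on interface inside
400014: IDS:2004 ICMP echo request from 203.0.113.7 to 198.51.100.1 on interface outside
"""


def parse_ids_events(text):
    """Return one dict per IDS syslog line; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = IDS_LINE.search(line)
        if m:
            ev = m.groupdict()
            ev["sig"] = int(ev["sig"])
            events.append(ev)
    return events


def triage(events, inside_net, inside_ip):
    """Count hits per (signature, interface) and pick out signature 2004 hits
    where an inside host pings the firewall's own inside address."""
    net = ip_network(inside_net)
    fw = ip_address(inside_ip)
    counts = Counter((e["sig"], e["iface"]) for e in events)
    self_pings = [e for e in events
                  if e["sig"] == 2004 and e["iface"] == "inside"
                  and ip_address(e["src"]) in net and ip_address(e["dst"]) == fw]
    return counts, self_pings


if __name__ == "__main__":
    counts, self_pings = triage(parse_ids_events(SAMPLE_LOG),
                                "190.168.10.0/24", "190.168.10.1")
    for (sig, iface), n in counts.items():
        print(f"IDS:{sig} on {iface}: {n} hits")
    print(f"{len(self_pings)} hits are inside hosts pinging the firewall itself")
```

Hits in the second group are the ones that `ip audit signature 2004 disable` silences; anything left over deserves a separate look.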