[c-nsp] Query about ICMP handling by a PIX
Amol Sapkal
amolsapkal at gmail.com
Sat Aug 26 02:31:18 EDT 2006
Hi all,
I have two queries related to Cisco PIX:
1:
Is there any way to clear a particular connection from the connections
table? Clearing xlate will help for TCP/UDP connections. Strangely, the PIX
makes an entry for ICMP too in the connections table. Is there any way to
clear an ICMP entry?
2:
Secondly, how does the PIX look at ICMP? Let's say, I initiate a ping (ICMP
echo) from Inside (security level - 100) to a server on a DMZ (security
level - 50). I have not applied any ACLs on either of the interfaces.
Rules:
Inside: 100
DMZ: 50
No ACLs
By rule, as the traffic originated from a more secure network, the PIX should
allow the return 'ICMP echo-reply' traffic to enter the 'Inside' interface.
But this does not happen until I apply an ACL (DMZ-ACL) on the interface
'DMZ' which specifically permits ICMP echo-reply.
My understanding is that the PIX would remember that the traffic is
originating from a more secure network (again, an ICMP entry wouldn't go in
the stateful table, as it is not TCP/UDP).
Is the PIX handling TCP/UDP and ICMP traffic in different ways?
--
Warm regards,
Amol Sapkal
-------------------------------------------------------------------
"When I'm not in my right mind, my left mind
gets pretty crowded"
-------------------------------------------------------------------
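For reference, the two behaviours asked about above map onto a few PIX commands. The fragment below is an added example written for this page; it is not from the original post or from Cisco documentation. The interface name "dmz", the ACL name DMZ-ACL and the host address 10.1.1.5 are assumed. The first part is the ACL approach the post describes (the only option on PIX 6.x, which keeps no ICMP state); the second part uses the ICMP inspection engine that PIX 7.0 introduced, which lets an echo-request create a connection entry so the echo-reply is matched against it and passed back through the lower-security interface without an ACL.

```text
! --- PIX 6.x style: the reply must be permitted explicitly on the DMZ side.
! Names and addresses are assumed for this example.
access-list DMZ-ACL permit icmp any any echo-reply
access-list DMZ-ACL permit icmp any any time-exceeded
access-list DMZ-ACL permit icmp any any unreachable
access-group DMZ-ACL in interface dmz

! --- PIX 7.x and later: inspect ICMP so echo/echo-reply is tracked statefully.
! "inspect icmp error" additionally matches ICMP error messages (unreachable,
! time-exceeded) to the TCP/UDP/ICMP connection that triggered them.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
service-policy global_policy global

! --- Viewing and clearing the entries in question.
! With ICMP inspection enabled, echo sessions appear in the connection table:
show conn

! Clear every connection and xlate belonging to one host, ICMP included
! (available on both 6.x and 7.x; 10.1.1.5 is an assumed address):
clear local-host 10.1.1.5

! Newer 7.x releases also allow clearing by address without touching the xlate:
clear conn address 10.1.1.5
```

Two caveats when applying this: binding an access-group to the DMZ interface replaces the implicit permit that DMZ-originated traffic would otherwise get from the security-level rule, so any traffic the DMZ hosts legitimately initiate must be permitted in that same ACL; and "clear local-host" is a blunt instrument, since it drops all of that host's TCP/UDP sessions and its xlate as well as the ICMP entry.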