[c-nsp] Query about ICMP handling by a PIX

Tony Varriale tvarriale at comcast.net
Sat Aug 26 14:59:01 EDT 2006


1. I don't know of any way to clear an individual ICMP conn.

2. For PIXOS 6.3 and below it's well known that there is no stateful 
inspection for ICMP.  Hence, the adding of the ACE for the respective return 
ICMP type as you have found.  ASA/PIX OS 7.x has stateful ICMP inspection.

HTH!

tv
----- Original Message ----- 
From: "Amol Sapkal" <amolsapkal at gmail.com>
To: "cisco-nsp" <cisco-nsp at puck.nether.net>
Sent: Saturday, August 26, 2006 1:31 AM
Subject: [c-nsp] Query about ICMP handling by a PIX


> Hi all,
>
> I have two queries related to Cisco PIX:
>
> 1:
> Is there any way to clear a particular connection from the connections
> table? Clearing xlate will help for TCP/UDP connections. Strangely, the PIX
> makes an entry for ICMP too in the connections table. Is there any way to
> clear an ICMP entry?
>
> 2:
> Secondly, how does the PIX look at ICMP? Let's say, I initiate a ping (ICMP
> echo) from Inside (security level - 100) to a server on a DMZ (security
> level - 50). I have not applied any ACLs on either of the interfaces.
>
> Rules:
> Inside: 100
> DMZ: 50
> No ACLs
>
> By rule, as the traffic originated from a more secure n/w, the PIX should
> allow the return 'ICMP echo-reply' traffic to enter the 'Inside' interface.
> But this does not happen, until I apply an ACL (DMZ-ACL) on the interface
> 'DMZ', which specifically permits ICMP echo-reply.
> My understanding is that the PIX would remember that the traffic is
> originating from a more secure network (Again, an ICMP entry wouldn't go in
> the Stateful table, as it is not TCP/UDP)
>
> Is the PIX handling TCP/UDP and ICMP traffic in different ways?
>
>
>
>
> -- 
> Warm regards,
>
> Amol Sapkal
>
> -------------------------------------------------------------------
> "When I'm not in my right mind, my left mind
> gets pretty crowded"
> -------------------------------------------------------------------
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
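The contrast Tony draws between the two code trains, written out as configuration. This is an added example, not from either poster: the interface nameifs `inside` and `dmz` are assumed, and DMZ-ACL is simply the ACL name Amol mentioned. The first half is what a 6.3 box needs to let the echo-reply back in; the second half is the 7.x inspection that makes that ACE unnecessary.

```cisco
! Added example, not from the original thread. Nameifs "inside" and "dmz"
! and the ACL name DMZ-ACL are assumed.
!
! --- PIXOS 6.3 and earlier: no stateful ICMP inspection ---------------------
! An echo from inside (100) to dmz (50) is permitted outbound, but the
! echo-reply coming back is dmz-to-inside (lower to higher security) and is
! dropped unless an ACE on the dmz interface permits it explicitly.
access-list DMZ-ACL permit icmp any any echo-reply
access-list DMZ-ACL permit icmp any any time-exceeded
access-list DMZ-ACL permit icmp any any unreachable
! Binding an ACL to dmz also replaces the implicit permit for traffic the DMZ
! originates towards less secure interfaces, so anything else the DMZ hosts
! must initiate has to be listed here as well.
access-group DMZ-ACL in interface dmz
!
! --- ASA / PIX 7.x: stateful ICMP inspection --------------------------------
! With "inspect icmp" the firewall tracks each echo as a connection (matched
! on ICMP ID and sequence number) and admits only the reply that matches it,
! so the echo-reply ACE above is no longer required on the dmz ACL.
! "inspect icmp error" additionally ties ICMP error messages (unreachable,
! time-exceeded) to the flow that triggered them.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
service-policy global_policy global
!
! Check the behaviour with "show conn" while a ping is running: on 7.x the
! ICMP entry is what admits the reply; on 6.3 the reply still needs the ACE.
```

The defensive point of the 6.3 half is that the permit lines are narrow by type (echo-reply, time-exceeded, unreachable) rather than `permit icmp any any`, which would also admit inbound echo requests and redirects from the DMZ.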