[c-nsp] Query about ICMP handling by a PIX

Amol Sapkal amolsapkal at gmail.com
Sat Aug 26 15:17:21 EDT 2006


My apologies.. I must have mentioned this before:

I used ver 7.0 and 7.2(2)



-Amol




On 8/27/06, Tony Varriale <tvarriale at comcast.net> wrote:
>
> 1. I don't know of any way to clear an individual ICMP conn.
>
> 2. For PIXOS 6.3 and below it's well known that there is no stateful
> inspection for ICMP. Hence the need to add an ACE for the respective return
> ICMP type, as you have found. ASA/PIX OS 7.x has stateful ICMP inspection.
>
> HTH!
>
> tv
> ----- Original Message -----
> From: "Amol Sapkal" <amolsapkal at gmail.com>
> To: "cisco-nsp" <cisco-nsp at puck.nether.net>
> Sent: Saturday, August 26, 2006 1:31 AM
> Subject: [c-nsp] Query about ICMP handling by a PIX
>
>
> > Hi all,
> >
> > I have two queries related to Cisco PIX:
> >
> > 1:
> > Is there any way to clear a particular connection from the connections
> > table? Clearing xlate will help for TCP/UDP connections. Strangely, the
> > PIX makes an entry for ICMP too in the connections table. Is there any
> > way to clear an ICMP entry?
> >
> > 2:
> > Secondly, how does the PIX look at ICMP? Let's say I initiate a ping
> > (ICMP echo) from Inside (security level 100) to a server on a DMZ
> > (security level 50). I have not applied any ACLs on either of the
> > interfaces.
> >
> > Rules:
> > Inside: 100
> > DMZ: 50
> > No ACLs
> >
> > By rule, as the traffic originated from a more secure network, the PIX
> > should allow the return 'ICMP echo-reply' traffic to enter the 'Inside'
> > interface. But this does not happen until I apply an ACL (DMZ-ACL) on the
> > interface 'DMZ' which specifically permits ICMP echo-reply.
> > My understanding is that the PIX would remember that the traffic is
> > originating from a more secure network. (Again, an ICMP entry wouldn't
> > go in the stateful table, as it is not TCP/UDP.)
> >
> > Is the PIX handling TCP/UDP and ICMP traffic in different ways?
> >
> > --
> > Warm regards,
> >
> > Amol Sapkal
> >
> > -------------------------------------------------------------------
> > "When I'm not in my right mind, my left mind
> > gets pretty crowded"
> > -------------------------------------------------------------------
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >


-- 
Warm regards,

Amol Sapkal

-------------------------------------------------------------------
"When I'm not in my right mind, my left mind
gets pretty crowded"
-------------------------------------------------------------------
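The two ways of handling the return echo-reply that Tony's reply describes, written out as an added configuration example (this is not from the thread and not Cisco's own sample config). The interface names, the DMZ server address 192.0.2.10 and the inside network 10.0.0.0/8 are assumptions for illustration. On 6.3 and earlier, where there is no stateful ICMP inspection, the reply has to be permitted explicitly with an ACE on the lower-security interface; on 7.x, the ICMP inspection engine matches the reply to the conn the echo created, but that engine is not enabled by default, so a 7.x box without `inspect icmp` still behaves like the older one.

```cisco
! --- PIX 6.3 and below: no stateful ICMP inspection ---
! The echo-reply arriving on the DMZ interface matches nothing in the
! conn table, so it must be permitted by an ACE for the return ICMP type.
! (192.0.2.10 = DMZ server, 10.0.0.0/8 = inside network; both assumed.)
access-list DMZ-ACL permit icmp host 192.0.2.10 10.0.0.0 255.0.0.0 echo-reply
! Binding an ACL to the DMZ interface replaces the implicit security-level
! rule for traffic entering that interface: anything else the DMZ must be
! allowed to initiate now needs its own ACE, and the implicit deny at the
! end of the list drops the rest.
access-group DMZ-ACL in interface dmz

! --- ASA/PIX OS 7.x: stateful ICMP inspection ---
! Enable the ICMP inspection engine in the global service policy. The
! outbound echo creates a conn entry; the matching echo-reply is allowed
! back through that entry and no return-traffic ACE is required.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
```

To check which mode a box is in, `show service-policy` lists the inspections actually in effect under the global policy, and `show conn` shows the ICMP entry that the echo creates while it is outstanding. If a 7.x firewall only passes the reply once an echo-reply ACE is added, `inspect icmp` is almost certainly missing from the policy.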
