ICMP Through the PIX Firewall


By default, the PIX firewall blocks all ICMP traffic, such as traceroutes and pings. ICMP traffic meets the PIX at two points: when it passes through the PIX and when it is directed at the PIX itself. The PIX blocks both. Table 6.16 lists some of the ICMP message numbers and the keywords the PIX accepts for them.

Table 6.16. ICMP Message Numbers

Message Number    Cisco Parameter
0                 echo-reply
3                 unreachable
4                 source-quench
5                 redirect
8                 echo
11                time-exceeded
12                parameter-problem
13                timestamp-request
14                timestamp-reply
15                information-request
16                information-reply

Outbound ICMP Traffic

The PIX allows ICMP traffic to pass from higher security levels to lower security levels but blocks ICMP traffic from lower security level interfaces to higher security level interfaces. To allow ICMP traffic to flow both ways, you need to configure a static translation and use a conduit or ACL command.

The following two steps are needed to permit returning ICMP ping traffic to pass back to the source:

  1. Create a static mapping.

  2. Use an access-list or conduit command to allow the ICMP traffic to pass. If you use the access-list command, you must also use the access-group command to bind the list to an interface.

Listing 6.21 demonstrates how to permit the replies to pings originated on the inside to return through the outside interface.

Listing 6.21 Using the conduit Command to Allow ICMP Traffic In

 Pixfirewall(config)# static (inside,outside) 169.254.8.1 192.168.1.11 netmask 255.255.255.255 0 0
 Pixfirewall(config)#
 Pixfirewall(config)# conduit permit icmp 169.254.8.1 255.255.255.255 0.0.0.0 0.0.0.0 echo-reply
 Pixfirewall(config)# conduit permit icmp 169.254.8.1 255.255.255.255 0.0.0.0 0.0.0.0 source-quench
 Pixfirewall(config)# conduit permit icmp 169.254.8.1 255.255.255.255 0.0.0.0 0.0.0.0 unreachable
 Pixfirewall(config)# conduit permit icmp 169.254.8.1 255.255.255.255 0.0.0.0 0.0.0.0 time-exceeded

Listing 6.22 demonstrates the same result using the access-list command: replies to pings originated on the inside are permitted back in through the outside interface.

Listing 6.22 Using the access-list Command to Allow ICMP Traffic In

 Pixfirewall(config)# static (inside,outside) 169.254.8.1 192.168.1.11 netmask 255.255.255.255 0 0
 Pixfirewall(config)#
 Pixfirewall(config)# access-list 100 permit icmp any host 169.254.8.1 echo-reply
 Pixfirewall(config)# access-list 100 permit icmp any host 169.254.8.1 source-quench
 Pixfirewall(config)# access-list 100 permit icmp any host 169.254.8.1 unreachable
 Pixfirewall(config)# access-list 100 permit icmp any host 169.254.8.1 time-exceeded
 Pixfirewall(config)# access-group 100 in interface outside

ICMP Directed at the PIX

The PIX firewall can be set to block ICMP traffic directed at it. This lets the PIX drop ICMP requests instead of answering them, so the firewall is harder for hackers to discover. To allow the firewall to respond to ICMP requests, you must use the icmp command rather than an ACL command. The following is the syntax for the icmp command:

 pixfirewall(config)# [no] icmp permit | deny <ip-address> <net-mask> [<icmp-type>] <if-name>
 pixfirewall(config)# [clear | show] icmp

Table 6.17 displays the options available for the icmp command.

Table 6.17. icmp Command Options

Option          Function
permit | deny   Permits or denies the matching ICMP traffic.
ip-address      The source IP address of the ICMP traffic.
net-mask        The mask applied to the source address; 255.255.255.255 matches only a single IP address.
icmp-type       The type of ICMP traffic, such as echo-reply or unreachable.
if-name         The name of the interface to which the ICMP entry is applied.

The following command allows the outside interface to respond to ping requests (echo) arriving on it:

 icmp permit any echo outside 

To deny ping requests (echo) arriving on the outside interface, use the following command:

 icmp deny any echo outside 
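The two decision points this section separates, through-the-box ICMP checked by the conduit or access-list entries of Listings 6.21 and 6.22, and ICMP addressed to the firewall itself checked by the icmp command, can be modelled in a few lines. The Python below is an added illustration, not Cisco code or text from the book. It assumes simplified semantics (first matching entry wins, anything unmatched is denied, as the section describes the default) and uses a constructed outside address, 198.51.100.7, for the sample packets; the configuration lines are the ones in the listings and the icmp example above.

```python
"""Model of how a PIX decides the fate of an ICMP packet arriving on the
outside interface.  Added illustration, not Cisco code: first match wins,
unmatched traffic is denied (the default the text describes)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# ICMP message numbers and PIX keywords from Table 6.16.
ICMP_TYPES = {
    "echo-reply": 0, "unreachable": 3, "source-quench": 4, "redirect": 5,
    "echo": 8, "time-exceeded": 11, "parameter-problem": 12,
    "timestamp-request": 13, "timestamp-reply": 14,
    "information-request": 15, "information-reply": 16,
}


@dataclass(frozen=True)
class Rule:
    action: str                           # "permit" or "deny"
    src: ipaddress.IPv4Network            # source (foreign) addresses
    dst: Optional[ipaddress.IPv4Network]  # None for icmp-command rules: dst is the box
    icmp_type: Optional[int]              # None matches every ICMP type
    interface: Optional[str]              # None for through-the-box rules


def _take_addr(toks, i):
    """Consume one address spec at toks[i]: 'any', 'host A.B.C.D' or
    'A.B.C.D M.M.M.M'.  Returns (network, index of the next token)."""
    if toks[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.IPv4Network(toks[i + 1] + "/32"), i + 2
    return ipaddress.IPv4Network((toks[i], toks[i + 1]), strict=False), i + 2


def _type_or_any(toks, i):
    return ICMP_TYPES[toks[i]] if i < len(toks) else None


def parse_through_rule(line):
    """Parse a 'conduit permit icmp ...' or 'access-list N permit icmp ...'
    entry.  The operand order differs: conduit names the global (destination)
    address first, access-list names the source first."""
    toks = line.split()
    if toks[0] == "access-list" and toks[3] == "icmp":
        action, i = toks[2], 4
        src, i = _take_addr(toks, i)
        dst, i = _take_addr(toks, i)
    elif toks[0] == "conduit" and toks[2] == "icmp":
        action, i = toks[1], 3
        dst, i = _take_addr(toks, i)
        src, i = _take_addr(toks, i)
    else:
        raise ValueError("not an ICMP conduit/access-list entry: " + line)
    return Rule(action, src, dst, _type_or_any(toks, i), None)


def parse_icmp_rule(line):
    """Parse 'icmp permit|deny <ip> <mask> [<icmp-type>] <if-name>'."""
    toks = line.split()
    if toks[0] != "icmp" or toks[1] not in ("permit", "deny"):
        raise ValueError("not an icmp command: " + line)
    src, i = _take_addr(toks, 2)
    # Two tokens left means a type precedes the interface name; one means no type.
    icmp_type = _type_or_any(toks, i) if len(toks) - i == 2 else None
    return Rule(toks[1], src, None, icmp_type, toks[-1])


def decide(rules, src, icmp_type, dst=None, interface=None):
    """Return the action of the first matching rule, or the implicit deny."""
    src_ip = ipaddress.IPv4Address(src)
    dst_ip = ipaddress.IPv4Address(dst) if dst else None
    for r in rules:
        if r.interface is not None and r.interface != interface:
            continue
        if src_ip not in r.src:
            continue
        if r.dst is not None and (dst_ip is None or dst_ip not in r.dst):
            continue
        if r.icmp_type is not None and r.icmp_type != icmp_type:
            continue
        return r.action
    return "deny"


# Configuration lines from Listings 6.21 and 6.22 and the icmp example, without the prompt.
CONDUIT_RULES = [parse_through_rule(
    "conduit permit icmp 169.254.8.1 255.255.255.255 0.0.0.0 0.0.0.0 " + t)
    for t in ("echo-reply", "source-quench", "unreachable", "time-exceeded")]
ACL_RULES = [parse_through_rule("access-list 100 permit icmp any host 169.254.8.1 " + t)
             for t in ("echo-reply", "source-quench", "unreachable", "time-exceeded")]
ICMP_RULES = [parse_icmp_rule("icmp permit any echo outside")]

OUTSIDE_HOST = "198.51.100.7"  # constructed sample address of an outside host

if __name__ == "__main__":
    for name, rules in (("conduit", CONDUIT_RULES), ("access-list", ACL_RULES)):
        for kw in ("echo-reply", "echo", "unreachable"):
            verdict = decide(rules, OUTSIDE_HOST, ICMP_TYPES[kw], dst="169.254.8.1")
            print(f"{name:11} {kw:12} -> 169.254.8.1: {verdict}")
    print("echo to the outside interface itself:",
          decide(ICMP_RULES, OUTSIDE_HOST, ICMP_TYPES["echo"], interface="outside"))
```

Run as a script, the model shows the point of both listings: an echo-reply addressed to the static 169.254.8.1 is permitted in, while an echo (a ping from the outside host to the inside host) is not, because only the reply types were listed; the same packets get the same verdicts under the conduit and the access-list forms. The icmp rule, by contrast, only governs what the firewall answers on its own interface.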


CCSP CSPFA Exam Cram 2 (Exam 642-521)
ISBN: 0789730235
Year: 2003
Pages: 218