By default, the PIX firewall blocks all ICMP traffic, such as traceroutes and pings. ICMP traffic meets the PIX at two points: when it passes through the PIX and when it is directed at the PIX itself. The PIX blocks both. Table 6.16 displays some of the ICMP message numbers that can be used on the PIX.

Table 6.16. ICMP Message Numbers
Outbound ICMP Traffic

The PIX allows ICMP traffic to pass from higher security level interfaces to lower security level interfaces but blocks ICMP traffic from lower security level interfaces to higher security level interfaces. To allow ICMP traffic to flow both ways, you need to configure a static translation and use a conduit or ACL command. Two steps are needed to permit returning ICMP ping traffic to pass back to the source: a static translation for the inside host, and a conduit or access-list entry that permits the ICMP reply types to reach that host's translated address.
Listing 6.21 demonstrates how to permit ICMP replies arriving on the outside interface to return to the inside host that sent the pings, using the conduit command.

Listing 6.21 Using the conduit Command to Allow ICMP Traffic In

Pixfirewall(config)# static (inside,outside) 169.254.8.1 192.168.1.11 netmask 255.255.255.255 0 0
Pixfirewall(config)#
Pixfirewall(config)# conduit permit icmp 169.254.8.1 255.255.255.255 0.0.0.0 0.0.0.0 echo-reply
Pixfirewall(config)# conduit permit icmp 169.254.8.1 255.255.255.255 0.0.0.0 0.0.0.0 source-quench
Pixfirewall(config)# conduit permit icmp 169.254.8.1 255.255.255.255 0.0.0.0 0.0.0.0 unreachable
Pixfirewall(config)# conduit permit icmp 169.254.8.1 255.255.255.255 0.0.0.0 0.0.0.0 time-exceeded

Listing 6.22 demonstrates the same result using the access-list command, bound to the outside interface with access-group.

Listing 6.22 Using the access-list Command to Allow ICMP Traffic In

Pixfirewall(config)# static (inside,outside) 169.254.8.1 192.168.1.11 netmask 255.255.255.255 0 0
Pixfirewall(config)#
Pixfirewall(config)# access-list 100 permit icmp any host 169.254.8.1 echo-reply
Pixfirewall(config)# access-list 100 permit icmp any host 169.254.8.1 source-quench
Pixfirewall(config)# access-list 100 permit icmp any host 169.254.8.1 unreachable
Pixfirewall(config)# access-list 100 permit icmp any host 169.254.8.1 time-exceeded
Pixfirewall(config)# access-group 100 in interface outside

ICMP Directed at the PIX

The PIX firewall can be set to block ICMP traffic directed at it. This lets the PIX ignore ICMP requests addressed to its own interfaces, which makes it more difficult for an attacker to discover the firewall. To control whether the firewall responds to ICMP requests, you must use the icmp command rather than an ACL command.
The following is the syntax for the icmp command:

pixfirewall(config)# [no] icmp permit|deny <ip-address> <net-mask> [<icmp-type>] <if-name>
pixfirewall(config)# [clear|show] icmp

Table 6.17 displays the options available for the icmp command.

Table 6.17. icmp Command Options
The following command allows the PIX to respond to ping (echo) requests arriving on its outside interface:

icmp permit any echo outside

To deny ping requests on the outside interface, use the following command instead:

icmp deny any echo outside
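The two rule families described above, the access-list/access-group entries that govern ICMP passing through the PIX (Listing 6.22) and the icmp command that governs ICMP addressed to the PIX itself, are easy to confuse when reviewing a configuration. The following Python model, an added example that is neither the book's nor Cisco's code, parses a constructed configuration in the page's syntax and answers "would this ICMP packet be permitted?" for both cases. It assumes (not from the page) fixed security levels outside=0 and inside=100, handles only the address forms any, host A, and A mask, and models the icmp command as "no rules on an interface means it answers; once rules exist, first match wins and unmatched traffic is dropped".

```python
"""Evaluate PIX-style ICMP rules (an added example; not Cisco's code).

Two rule families from the page are modelled:
  * access-list / access-group -> ICMP passing THROUGH the PIX
  * icmp permit|deny           -> ICMP directed AT the PIX itself
Assumptions, not taken from the page: the parser handles only the keyword
forms shown (address specs 'any', 'host A', or 'A mask'); interface security
levels are fixed at outside=0, inside=100; an interface with no icmp rules
answers ICMP, and once any icmp rule exists on it unmatched traffic is dropped.
"""
import ipaddress

# ICMP type names used on the page -> IANA type numbers (RFC 792).
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "source-quench": 4,
              "echo": 8, "time-exceeded": 11}

# Assumed interface security levels (the page's higher/lower rule).
SECURITY_LEVEL = {"outside": 0, "inside": 100}


def _addr_spec(tokens):
    """Consume 'any' | 'host A' | 'A mask' and return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network((tokens[0], tokens[1]), strict=False), tokens[2:]


class PixIcmpPolicy:
    def __init__(self):
        self.acls = {}       # acl id -> [(action, src_net, dst_net, icmp_type|None)]
        self.bound = {}      # interface -> acl id bound inbound on it
        self.box_rules = {}  # interface -> [(action, src_net, icmp_type|None)]

    def load(self, config_text):
        """Parse access-list, access-group and icmp lines; ignore everything else."""
        for raw in config_text.splitlines():
            line = raw.split("#", 1)[-1].strip()   # drop a 'pixfirewall(config)#' prompt
            t = line.split()
            if not t:
                continue
            if t[0] == "access-list" and t[3] == "icmp":
                src, rest = _addr_spec(t[4:])
                dst, rest = _addr_spec(rest)
                itype = ICMP_TYPES[rest[0]] if rest else None
                self.acls.setdefault(t[1], []).append((t[2], src, dst, itype))
            elif t[0] == "access-group":      # access-group <id> in interface <if>
                self.bound[t[4]] = t[1]
            elif t[0] == "icmp" and t[1] in ("permit", "deny"):
                src, rest = _addr_spec(t[2:])
                itype = ICMP_TYPES[rest[0]] if len(rest) == 2 else None
                self.box_rules.setdefault(rest[-1], []).append((t[1], src, itype))

    def through(self, in_if, out_if, src, dst, icmp_type):
        """Would an ICMP packet entering in_if and leaving out_if pass the PIX?"""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        acl_id = self.bound.get(in_if)
        if acl_id is None:
            # No ACL bound: the page's default, higher security -> lower only.
            return SECURITY_LEVEL[in_if] > SECURITY_LEVEL[out_if]
        for action, src_net, dst_net, itype in self.acls.get(acl_id, []):
            if s in src_net and d in dst_net and itype in (None, icmp_type):
                return action == "permit"      # first match wins
        return False                           # implicit deny at end of ACL

    def to_box(self, iface, src, icmp_type):
        """Would the PIX answer an ICMP packet addressed to its own iface address?"""
        rules = self.box_rules.get(iface)
        if not rules:
            return True                        # assumption: no icmp rules -> answered
        s = ipaddress.ip_address(src)
        for action, src_net, itype in rules:
            if s in src_net and itype in (None, icmp_type):
                return action == "permit"
        return False                           # implicit deny once rules exist


# Constructed sample configuration, modelled on Listing 6.22 plus the icmp command.
SAMPLE_CONFIG = """
pixfirewall(config)# static (inside,outside) 169.254.8.1 192.168.1.11 netmask 255.255.255.255 0 0
pixfirewall(config)# access-list 100 permit icmp any host 169.254.8.1 echo-reply
pixfirewall(config)# access-list 100 permit icmp any host 169.254.8.1 unreachable
pixfirewall(config)# access-list 100 permit icmp any host 169.254.8.1 time-exceeded
pixfirewall(config)# access-group 100 in interface outside
pixfirewall(config)# icmp permit any echo outside
pixfirewall(config)# icmp deny any outside
"""


def load_sample():
    p = PixIcmpPolicy()
    p.load(SAMPLE_CONFIG)
    return p


if __name__ == "__main__":
    p = load_sample()
    # The reply to the inside host's ping gets back in; a fresh echo from outside does not.
    print(p.through("outside", "inside", "203.0.113.5", "169.254.8.1", 0))   # True
    print(p.through("outside", "inside", "203.0.113.5", "169.254.8.1", 8))   # False
    print(p.to_box("outside", "203.0.113.5", 8))                             # True
    print(p.to_box("outside", "203.0.113.5", 11))                            # False
```

The point the model makes visible is that the access-list only permits the reply types (echo-reply, unreachable, time-exceeded) toward the translated address, so an echo request arriving from outside is still dropped, while the icmp rules decide separately what the firewall's own interface answers; the trailing "icmp deny any outside" in the constructed sample is what keeps every other ICMP type to the box silent once the echo exception exists.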