PIX ACL question on ICMP

[mjoyner]

If I use this ACL:

access-list ping permit icmp any any unreachable
access-list ping permit icmp any any echo
access-list ping permit icmp any any echo-reply
access-list ping permit icmp any any time-exceeded
access-list ping permit icmp any any source-quench
access-list ping permit ip any any
access-list ping permit tcp any any
access-group ping in interface outside
access-group ping in interface inside
access-group ping in interface lan

Would I be opening up TCP and IP "any/any" for all services or just the ICMP?

[root@netwatch ~]# yum remove windows
Loaded plugins: fastestmirror
Setting up Remove Process
No Match for argument: windows
No Packages marked for removal

OH YEAH!

 

[kbing]

yes..for all services. see cisco's website to understand how ACL's work. You may as well remove the firewall from the network with this ACL.

 

[burtsbees]

Ha ha---that was one of my configs. I never meant for anyone to use that---it was a lab for CCSP, and I was troubleshooting connectivity issues---I was unable to ping the inside interface from outside, and unable to ping the outside interface from the inside. As soon as I globally natted to the outside interface, all was well. Before that, I was still able to ping the inside interface from the inside LAN and the outside interface from the outside LAN, andI was also able to ping everything from the PIX. I had six routers in this lab also.

Kbing---don't forget that this is a PIX, and CBAC is enabled by default. This does negate any acl filtering and thus CBAC, however...

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!

 

[mjoyner]

Hey BURT:

Yeah, I posted that it was a lab setup and I was personalizing it. I was yours. I needed a brew of ICMP message types and wanted to adopt yours.

I am still trying to figure out your "nonat", what that does.

[root@netwatch ~]# yum remove windows
Loaded plugins: fastestmirror
Setting up Remove Process
No Match for argument: windows
No Packages marked for removal

OH YEAH!

 

[burtsbees]

access-list ping permit icmp any any

should be all you need, but 6.3 code is hosed.

nonat is traffic that is not natted back in, exempt from nat.

One does that for remote access and site to site vpn's, because as the packets get encapsulated, they need to retain the original IP when the get encrypted...this is one way to make IPSEC vpn's jive with NAT.

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!

 

[kbing]

burtsbees: Thank goodness that wasn't for production. ;-) Open ACL's are security risk regardless of CBAC or any other process.

 

[mjoyner]

got it Burt, youz made sense!

[root@netwatch ~]# yum remove windows
Loaded plugins: fastestmirror
Setting up Remove Process
No Match for argument: windows
No Packages marked for removal

OH YEAH!