Cisco PIX 515: outside ping to internal hosts

Guest
Archived from groups: comp.security.firewalls

Hi,

Can this be done? I have a Cisco PIX 515E and would like to ping internal
hosts for monitoring purposes.
I have no trouble pinging the outside real IP; I just don't know how to
accomplish pinging the inside IP. I would like to ping my mail server
inside for monitoring purposes. I would like to restrict ping from a
certain host. The mail server inside is 192.168.100.50.
Inside hosts have no problems pinging outside.

Any help will be appreciated!


ip address outside x.x.x.111 255.255.255.240
ip address inside 192.168.100.1 255.255.255.0

access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any
access-list 100 permit tcp any host x.x.x.112 eq www
access-list 100 permit tcp any host x.x.x.112 eq 25
access-list 100 permit tcp any host x.x.x.112 eq 1001
access-list 100 permit tcp any host x.x.x.112 eq 1002
access-group 100 in interface outside


static (inside,outside) tcp x.x.x.112 1001 192.168.100.48 8080 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.112 1002 192.168.100.49 8080 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.112 www 192.168.100.50 www netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.112 25 192.168.100.50 25 netmask 255.255.255.255 0 0
 
Guest

google@pilotsupplies.com wrote:
> can this be done. I have cisco pix 515e and would like to ping internal
> hosts for monitoring purposes.

This is not a good idea. Perhaps you could better monitor over a secure
connection (like SSH, SSL, TLS, etc.), not with ICMP echo.

Yours,
VB.
--
"It cannot be that the frustrated ones in Rome decide what happens in
German bedrooms."
Harald Schmidt on "World Youth Day"
 
Guest

Thanks for the reply. My apps need ping, unfortunately.
I do not think this will work, but I could be wrong. So when I ping
x.x.x.112, how does the PIX determine which internal host I am
pinging?


> static (inside,outside) tcp x.x.x.112 1001 192.168.100.48 8080 netmask 255.255.255.255 0 0
> static (inside,outside) tcp x.x.x.112 1002 192.168.100.49 8080 netmask 255.255.255.255 0 0
> static (inside,outside) tcp x.x.x.112 www 192.168.100.50 www netmask 255.255.255.255 0 0
> static (inside,outside) tcp x.x.x.112 25 192.168.100.50 25 netmask
 
Guest

google@pilotsupplies.com wrote:
> thanx for the reply. my apps needs ping, unfortunately.

Then you'll need some VPN.

Yours,
VB.
--
"It cannot be that the frustrated ones in Rome decide what happens in
German bedrooms."
Harald Schmidt on "World Youth Day"
 
Guest

In article <1126758400.061878.70570@g47g2000cwa.googlegroups.com>,
<google@pilotsupplies.com> wrote:
:Can this be done? I have a Cisco PIX 515E and would like to ping internal
:hosts for monitoring purposes.
:I have no trouble pinging the outside real IP; I just don't know how to
:accomplish pinging the inside IP. I would like to ping my mail server
:inside for monitoring purposes. I would like to restrict ping from a
:certain host. The mail server inside is 192.168.100.50.
:Inside hosts have no problems pinging outside.

:access-list 100 permit icmp any any echo-reply
:access-list 100 permit icmp any any time-exceeded
:access-list 100 permit icmp any any

The third line is a superset of the first two, so the first two are
not needed in that configuration. On the other hand, you don't really
want to permit in all ICMP, as people are actively using
ICMP network redirects in order to try to steal banking information.

To allow in ping specifically, I suggest

access-list 100 permit icmp any host x.x.x.112 echo

:access-group 100 in interface outside

:static (inside,outside) tcp x.x.x.112 1001 192.168.100.48 8080 netmask 255.255.255.255 0 0

In order to get the icmp through to the host, you will have to forward
the entire IP, not just individual ports.

If you have PIX 6.3, then you could try using "policy static".
--
"No one has the right to destroy another person's belief by
demanding empirical evidence." -- Ann Landers
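The two points made in the last reply (the blanket "permit icmp any any" line makes the first two ACL entries redundant, and an ICMP echo can only reach an inside host through a static that covers the whole IP, not a port) also answer the earlier question of how the PIX decides which internal host an echo to x.x.x.112 is for: it doesn't, because none of the port statics match a protocol without ports. The following is an added Python model of that decision logic, not PIX code and not from any of the posters. It parses the posted access-list and static lines (x.x.x.112 written as 203.0.113.112) and a proposed variant in which the mail server is moved to a whole-IP static on an assumed second global address 203.0.113.113 and echo is permitted only from an assumed monitoring station 198.51.100.7; it models PIX 6.x semantics only (outside ACL matched against the global address, no ICMP inspection, no subnet masks, no connection limits, no "policy static").

```python
"""Added model (not PIX code) of how a PIX 6.x treats a packet arriving on the
outside interface: ACL match on the global (untranslated) destination, then a
static must translate it.  ICMP has no port, so port statics never carry echo."""
from collections import namedtuple

PORT_NAMES = {"www": 80, "smtp": 25}
Packet = namedtuple("Packet", "proto src dst port icmp_type", defaults=(None, None))
Ace = namedtuple("Ace", "action proto src dst qual")   # qual: port text, ICMP type or None
Static = namedtuple("Static", "global_ip local_ip proto global_port", defaults=(None, None))

def _port(tok):
    return int(PORT_NAMES.get(tok, tok))

def _addr(t):
    """Consume 'any' or 'host X' (subnet masks are not modelled)."""
    return ("any", t[1:]) if t[0] == "any" else (t[1], t[2:])

def parse_config(lines):
    """Return (entries of access-list 100, statics) parsed from PIX config lines."""
    acl, statics = [], []
    for line in lines:
        t = line.split()
        if t[:2] == ["access-list", "100"]:
            src, rest = _addr(t[4:])
            dst, rest = _addr(rest)
            qual = str(_port(rest[1])) if rest[:1] == ["eq"] else (rest[0] if rest else None)
            acl.append(Ace(t[2], t[3], src, dst, qual))
        elif t[:1] == ["static"]:
            b = t[2:]                    # after "static (inside,outside)"
            if b[0] in ("tcp", "udp"):   # ... tcp GLOBAL GPORT LOCAL LPORT netmask ...
                statics.append(Static(b[1], b[3], b[0], _port(b[2])))
            else:                        # ... GLOBAL LOCAL netmask ...
                statics.append(Static(b[0], b[1]))
    return acl, statics

def ace_matches(ace, pkt):
    if ace.proto not in ("ip", pkt.proto):
        return False
    if ace.src not in ("any", pkt.src) or ace.dst not in ("any", pkt.dst):
        return False
    if ace.qual is None or ace.proto == "ip":
        return True
    return ace.qual == (pkt.icmp_type if pkt.proto == "icmp" else str(pkt.port))

def acl_permits(acl, pkt):
    """First match wins; implicit deny at the end, as on the PIX."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action == "permit"
    return False

def _covers(big, small):
    return (big.action == small.action and big.proto in ("ip", small.proto)
            and big.src in ("any", small.src) and big.dst in ("any", small.dst)
            and big.qual in (None, small.qual))

def redundant_aces(acl):
    """Indices of entries covered by a later same-action entry (nothing of the
    opposite action in between), i.e. entries whose removal changes nothing."""
    out = []
    for i, ace in enumerate(acl):
        for later in acl[i + 1:]:
            if later.action != ace.action:
                break
            if _covers(later, ace):
                out.append(i)
                break
    return out

def inside_host(statics, pkt):
    """Inside address the packet is translated to, or None if no static covers
    it (the PIX then drops it and logs 'No translation group found')."""
    for s in statics:
        if s.global_ip == pkt.dst and (
                s.proto is None or (s.proto, s.global_port) == (pkt.proto, pkt.port)):
            return s.local_ip
    return None

def inbound_result(lines, pkt):
    """'denied' (outside ACL), 'no-xlate' (no static), or the inside host."""
    acl, statics = parse_config(lines)
    if not acl_permits(acl, pkt):
        return "denied"
    return inside_host(statics, pkt) or "no-xlate"

# Constructed from the posted config (1001/1002 statics and time-exceeded omitted);
# x.x.x.112 is 203.0.113.112, .113 and the monitor 198.51.100.7 are assumed (RFC 5737).
MONITOR = "198.51.100.7"
POSTED = [
    "access-list 100 permit icmp any any echo-reply",
    "access-list 100 permit icmp any any",
    "access-list 100 permit tcp any host 203.0.113.112 eq www",
    "access-list 100 permit tcp any host 203.0.113.112 eq 25",
    "static (inside,outside) tcp 203.0.113.112 www 192.168.100.50 www netmask 255.255.255.255 0 0",
    "static (inside,outside) tcp 203.0.113.112 25 192.168.100.50 25 netmask 255.255.255.255 0 0",
]
# Along the lines of the last reply: the mail server gets a whole-IP static on .113,
# the blanket icmp line goes, and echo is permitted only from MONITOR to .113.
PROPOSED = [
    "access-list 100 permit icmp any any echo-reply",
    "access-list 100 permit icmp host 198.51.100.7 host 203.0.113.113 echo",
    "access-list 100 permit tcp any host 203.0.113.113 eq www",
    "access-list 100 permit tcp any host 203.0.113.113 eq 25",
    "static (inside,outside) 203.0.113.113 192.168.100.50 netmask 255.255.255.255 0 0",
]
```

With the posted lines, an echo from the monitor to 203.0.113.112 passes the ACL (via the blanket entry, which also makes the echo-reply entry redundant) but finds no translation and is dropped; with the proposed lines the same echo to 203.0.113.113 reaches 192.168.100.50, while an echo from any other source is denied by the implicit deny. Two practical caveats the model leaves out: the "permit icmp any any echo-reply" entry is still needed on PIX 6.x for inside hosts that ping out, since that release has no ICMP inspection to admit replies statefully; and moving the mail server to a second global address means its DNS/MX records must follow it.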