
Access-group inbound statement

Status
Not open for further replies.

Antelope

MIS
Aug 6, 2003
138
US
I have two access-lists named Inbound and Outbound.

access-list outbound permit tcp any any www

access-list inbound permit icmp host x.x.x.x any

I also have two access-group statements:

access-group inbound in interface outside
access-group outbound in interface inside

If I take out the inbound ACL, I cannot get ping replies from that site, but why do I get traffic back from websites since I don't have something like this in my inbound ACL?

access-list inbound permit tcp any any www

Is it because TCP traffic is connection-oriented, but ICMP traffic is actually initiated from the other side as well?
 
Yes, that is exactly why. TCP is connection-oriented, and the PIX firewall keeps track of the connection state to allow ACK traffic back in (hence the term stateful inspection).

ICMP, on the other hand, initiates traffic from both ends. Your inside station initiates an echo-request, and the pinged host sends back an echo-reply. There is no connection between the two a la TCP.
 
hello,

ICMP is not handled statefully by the PIX (this will work in version 7), so you have to enable both directions with an ACL.

martin

----------------------------------
Martin Peinsipp, Austria
CCSA,
IT-Security-Administrator
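The behaviour described in the two replies above (TCP return traffic admitted by connection state, ICMP echo-replies only admitted by an explicit inbound ACL on PIX 6.x, or by ICMP inspection on PIX 7) as an added toy model in Python. This is example code written for this page, not Cisco code and not anything the posters wrote. Assumptions: the outbound ACL also permits echo-request (the post only shows the www line, but the poster can ping); addresses are constructed from documentation ranges; ICMP inspection is keyed on (source, destination) only, whereas the real feature also matches the ICMP identifier and sequence number. The last two scenarios also show why a tighter inbound entry (echo-reply only) is preferable to `permit icmp host x.x.x.x any`, which would also admit unsolicited echo-requests from that host.

```python
from dataclasses import dataclass, field
from typing import Optional

# Added example, not Cisco code: a toy model of PIX-style stateful inspection.
# All addresses are constructed (RFC 5737 documentation ranges).

@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0              # tcp source port
    dport: int = 0              # tcp destination port
    icmp_type: str = ""         # "echo-request" or "echo-reply"
    syn_only: bool = False      # True for the TCP SYN that opens a connection

@dataclass(frozen=True)
class Ace:
    """One access-list entry: first match wins, implicit deny at the end."""
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "icmp" or "ip"
    src: str = "any"            # "any" or a host address
    dst: str = "any"
    port: Optional[int] = None  # tcp destination port; None = any port
    icmp_type: Optional[str] = None  # None = any ICMP type

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src != "any" and self.src != p.src:
            return False
        if self.dst != "any" and self.dst != p.dst:
            return False
        if p.proto == "tcp" and self.port is not None and self.port != p.dport:
            return False
        if p.proto == "icmp" and self.icmp_type is not None and self.icmp_type != p.icmp_type:
            return False
        return True

def acl_permits(acl: list, p: Packet) -> bool:
    for ace in acl:
        if ace.matches(p):
            return ace.action == "permit"
    return False  # implicit deny at the end of every ACL

@dataclass
class Pix:
    inbound_acl: list           # applied "in interface outside"
    outbound_acl: list          # applied "in interface inside"
    icmp_inspection: bool = False   # False models PIX 6.x; True models 'inspect icmp' (PIX 7)
    tcp_conns: set = field(default_factory=set)
    icmp_sessions: set = field(default_factory=set)

    def inside_to_outside(self, p: Packet) -> bool:
        if not acl_permits(self.outbound_acl, p):
            return False
        if p.proto == "tcp" and p.syn_only:
            self.tcp_conns.add((p.src, p.sport, p.dst, p.dport))   # connection state
        elif p.proto == "icmp" and p.icmp_type == "echo-request" and self.icmp_inspection:
            self.icmp_sessions.add((p.src, p.dst))                 # only with ICMP inspection
        return True

    def outside_to_inside(self, p: Packet) -> bool:
        # Return traffic of a tracked session is accepted without consulting the inbound ACL.
        if p.proto == "tcp" and (p.dst, p.dport, p.src, p.sport) in self.tcp_conns:
            return True
        if p.proto == "icmp" and p.icmp_type == "echo-reply" and (p.dst, p.src) in self.icmp_sessions:
            self.icmp_sessions.discard((p.dst, p.src))             # one reply per request
            return True
        return acl_permits(self.inbound_acl, p)

INSIDE_HOST = "10.0.0.5"
WEB_SERVER = "203.0.113.10"
PING_TARGET = "198.51.100.7"     # stands in for the thread's x.x.x.x

OUTBOUND = [Ace("permit", "tcp", "any", "any", port=80),
            Ace("permit", "icmp", "any", "any", icmp_type="echo-request")]   # assumed extra line
LOOSE_INBOUND = [Ace("permit", "icmp", PING_TARGET, "any")]                   # the thread's inbound ACL
TIGHT_INBOUND = [Ace("permit", "icmp", PING_TARGET, "any", icmp_type="echo-reply")]

def web_return_traffic(pix: Pix) -> bool:
    syn = Packet("tcp", INSIDE_HOST, WEB_SERVER, sport=40000, dport=80, syn_only=True)
    synack = Packet("tcp", WEB_SERVER, INSIDE_HOST, sport=80, dport=40000)
    return pix.inside_to_outside(syn) and pix.outside_to_inside(synack)

def ping_reply(pix: Pix) -> bool:
    req = Packet("icmp", INSIDE_HOST, PING_TARGET, icmp_type="echo-request")
    rep = Packet("icmp", PING_TARGET, INSIDE_HOST, icmp_type="echo-reply")
    return pix.inside_to_outside(req) and pix.outside_to_inside(rep)

def unsolicited_ping_from_target(pix: Pix) -> bool:
    return pix.outside_to_inside(Packet("icmp", PING_TARGET, INSIDE_HOST, icmp_type="echo-request"))

def run_scenarios() -> dict:
    return {
        "pix6_no_inbound_acl_web": web_return_traffic(Pix([], OUTBOUND)),
        "pix6_no_inbound_acl_ping": ping_reply(Pix([], OUTBOUND)),
        "pix6_loose_acl_ping": ping_reply(Pix(LOOSE_INBOUND, OUTBOUND)),
        "pix6_loose_acl_unsolicited": unsolicited_ping_from_target(Pix(LOOSE_INBOUND, OUTBOUND)),
        "pix6_tight_acl_ping": ping_reply(Pix(TIGHT_INBOUND, OUTBOUND)),
        "pix6_tight_acl_unsolicited": unsolicited_ping_from_target(Pix(TIGHT_INBOUND, OUTBOUND)),
        "pix7_inspect_icmp_no_acl_ping": ping_reply(Pix([], OUTBOUND, icmp_inspection=True)),
    }

if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{name:32} {'pass' if allowed else 'drop'}")
```

Running it shows the web SYN-ACK passing with an empty inbound ACL while the echo-reply is dropped, the reply passing once either inbound entry is present, and the echo-reply-only entry rejecting an unsolicited echo-request from the same host that the looser entry would admit.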
 