Basic interface and default-route configuration on R1 and R2 is assumed and not shown here.
PIX configuration:
pixfirewall> en
Password: (press Enter; the default enable password is empty)
pixfirewall#
pixfirewall# conf t
pixfirewall(config)# hostname PIX
PIX(config)# int e0
PIX(config-if)# ip address 220.171.1.2 255.255.255.0
PIX(config-if)# security-level 0        // external interface, security level 0
PIX(config-if)# nameif outside          // name of the external interface
PIX(config-if)# no sh
PIX(config-if)# int e1
PIX(config-if)# ip address 10.0.1.1 255.255.255.0
PIX(config-if)# security-level 100      // internal interface, security level 100
PIX(config-if)# nameif inside           // name of the internal interface
PIX(config-if)# no sh
By default, hosts on the inside can ping the inside interface and hosts on the outside can ping the outside interface: the PIX answers ICMP that terminates on one of its interfaces unless an icmp control list says otherwise.
Now deny ICMP to both interfaces:
PIX(config)# icmp deny 0 0 outside      // equivalent: icmp deny any outside
PIX(config)# icmp deny 0 0 inside       // equivalent: icmp deny any inside
Ping the interfaces again: the pings now fail.
Alternatively, deny only echo requests:
PIX(config)# icmp deny 0 0 echo outside     // drop echo requests sent by outside hosts to the outside interface
PIX(config)# icmp deny 0 0 echo inside      // drop echo requests sent by inside hosts to the inside interface
The effect on ping is the same. Ping sends an ICMP echo request and waits for the target's echo reply; it is the usual way to check that a path is up and how long the round trip takes. Two points to keep in mind about the icmp command: it controls only ICMP that terminates on a PIX interface, not ICMP passing through the firewall; and once any icmp statement exists for an interface, the list is evaluated first-match followed by an implicit deny all, so `icmp deny 0 0 echo inside` on its own also drops the other ICMP types addressed to that interface unless you add a matching permit (for example for unreachable messages).
------------------------------------------------------------------------
Next experiment: ICMP through the PIX.
PIX(config)# access-list k1 permit icmp any any        // permit ICMP from any source to any destination
PIX(config)# access-group k1 in interface outside       // apply k1 inbound on the outside interface, so the echo replies coming back from outside are allowed in
PIX(config)# nat (inside) 1 0 0                         // translate every inside source (NAT id 1)
PIX(config)# global (outside) 1 interface               // use the outside interface address for port address translation (PAT)
INFO: outside interface address added to PAT pool
PIX(config)# route inside 10.0.2.0 255.255.255.0 10.0.1.2    // static route to the 10.0.2.0/24 network behind R1, next hop 10.0.1.2; without it the PIX does not know where to send the returning packets
Note: because inside-to-outside traffic matches NAT id 1, its source address is rewritten to the outside interface address as it leaves, so the echo request from inside goes out with source 220.171.1.2. Without the k1 access-list the reply is dropped at the outside interface: the PIX does not create a connection entry for ICMP unless ICMP inspection is enabled (it is not here), and traffic from a lower-security to a higher-security interface is denied unless an access-list bound to the ingress interface permits it. With the access-list the reply is admitted, and with the static route it can be delivered to hosts behind R1.
Ping from inside to outside now succeeds. (Pinging the PIX interfaces themselves is still governed by the icmp statements from the first experiment; remove those if the interfaces should answer again.) Instead of PAT on the interface address, a pool of global addresses can be used:
PIX(config)# global (outside) 1 220.171.1.3-220.171.1.3 netmask 255.255.255.0    // one-address NAT pool for NAT id 1
PIX(config)# nat (inside) 1 10.1.1.0 255.255.255.0
With this nat statement only traffic sourced from 10.1.1.0/24 is translated, to the pool address or to the PAT address; other inside sources no longer match NAT id 1. When both a pool and a PAT address are configured for the same NAT id, the pool addresses are used first and the PAT address is used once the pool is exhausted.
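Both experiments above, replayed in a small Python model. This is an added example written for this page, not Cisco code or a PIX emulator. It assumes the semantics described in the text (an icmp control list evaluated first-match with an implicit deny once any entry exists; no ICMP connection tracking, so a reply entering outside needs the ACL bound there; source NAT/PAT for nat id 1), keeps the ICMP identifier unchanged through PAT, and uses constructed host addresses 10.0.1.10, 10.0.2.10 and 220.171.1.100 that do not appear on the page.

```python
"""Toy model of the PIX behaviour this lab exercises (added example, not Cisco code):
first-match icmp list with implicit deny; stateless ICMP; nat/global on inside sources."""
from ipaddress import ip_address, ip_network


def take_net(toks):
    """Consume one PIX address spec from toks: any | 0 0 | host A | A MASK."""
    if toks[0] == "any" or toks[:2] == ["0", "0"]:
        return ip_network("0.0.0.0/0"), toks[1 if toks[0] == "any" else 2:]
    if toks[0] == "host":
        return ip_network(toks[1] + "/32"), toks[2:]
    return ip_network(f"{toks[0]}/{toks[1]}", strict=False), toks[2:]


class Pix:
    def __init__(self, ifaces):
        # nameif -> (interface address, connected network, security-level)
        self.ifaces = {n: (ip_address(a), ip_network(f"{a}/{m}", strict=False), s)
                       for n, (a, m, s) in ifaces.items()}
        self.icmp, self.acl, self.group, self.nat, self.glob, self.routes, self.xlate = {}, {}, {}, {}, {}, [], {}

    def load(self, text):
        """Parse the global-configuration lines used in this lab."""
        for t in (line.split() for line in text.splitlines() if line.strip()):
            if t[0] == "icmp":            # icmp {permit|deny} ADDR [TYPE] IF
                net, rest = take_net(t[2:])
                self.icmp.setdefault(rest[-1], []).append((t[1], net, rest[0] if len(rest) == 2 else None))
            elif t[0] == "access-list":   # access-list NAME ACTION PROTO SRC DST
                src, rest = take_net(t[4:])
                self.acl.setdefault(t[1], []).append((t[2], t[3], src, take_net(rest)[0]))
            elif t[0] == "access-group":  # access-group NAME in interface IF
                self.group[t[4]] = t[1]
            elif t[0] == "nat":           # nat (IF) ID LOCAL MASK
                self.nat.setdefault(t[2], []).append((t[1].strip("()"), take_net(t[3:])[0]))
            elif t[0] == "global":        # global (IF) ID {interface | A-B [netmask M]}
                self.glob[t[2]] = (t[1].strip("()"), t[3])
            elif t[0] == "route":         # route IF NET MASK NEXT-HOP
                self.routes.append((t[1], ip_network(f"{t[2]}/{t[3]}"), ip_address(t[4])))

    def icmp_to_box(self, ifn, src, itype):
        """ICMP addressed to a PIX interface itself: what the icmp command controls."""
        rules = self.icmp.get(ifn)
        if not rules:                     # no list on this interface: accept everything
            return True
        for action, net, t in rules:      # first match wins ...
            if ip_address(src) in net and t in (None, itype):
                return action == "permit"
        return False                      # ... followed by an implicit deny all

    def route(self, dst):
        """Egress interface for dst: connected networks first, then static routes."""
        hits = [n for n, (_, net, _) in self.ifaces.items() if dst in net]
        return hits[0] if hits else next((n for n, net, _ in self.routes if dst in net), None)

    def translate(self, ingress, egress, src, icmp_id):
        """Rewrite src with the global of a matching nat id, recording the xlate."""
        for nid, entries in self.nat.items():
            gifn, spec = self.glob.get(nid, (None, None))
            if gifn != egress or not any(i == ingress and src in n for i, n in entries):
                continue
            if spec == "interface":       # PAT on the egress interface address
                g = self.ifaces[egress][0]
            else:                         # A-B pool: first address not held by another host
                lo, hi = (int(ip_address(x)) for x in spec.split("-"))
                used = {g for (g, _), local in self.xlate.items() if local != src}
                g = next(ip_address(n) for n in range(lo, hi + 1) if ip_address(n) not in used)
            self.xlate[(g, icmp_id)] = src
            return g
        return src                        # nothing matched: sent untranslated

    def forward(self, ingress, src, dst, icmp_id=1):
        """Through-the-box ICMP: ("ok", egress, src on wire, dst on wire) or ("drop", why)."""
        src, dst = ip_address(src), ip_address(dst)
        dst = self.xlate.get((dst, icmp_id), dst)       # un-translate a reply to a global
        egress = self.route(dst)
        if egress is None:
            return ("drop", f"no route to {dst}")
        acl = self.acl.get(self.group.get(ingress))
        if acl is not None:                              # a bound ACL replaces the default policy
            hit = next((a for a, p, s, d in acl if p in ("icmp", "ip") and src in s and dst in d), "deny")
            if hit != "permit":
                return ("drop", f"denied by access-list on {ingress}")
        elif self.ifaces[ingress][2] <= self.ifaces[egress][2]:
            return ("drop", f"{ingress} to {egress} is lower-to-higher security with no ACL")
        return ("ok", egress, str(self.translate(ingress, egress, src, icmp_id)), str(dst))


IFACES = {"outside": ("220.171.1.2", "255.255.255.0", 0),   # from the interface config above
          "inside": ("10.0.1.1", "255.255.255.0", 100)}


def run_lab():
    """Replay both experiments step by step; results are keyed by step name."""
    pix, r = Pix(IFACES), {}
    r["inside_if_before"] = pix.icmp_to_box("inside", "10.0.1.10", "echo")
    pix.load("icmp deny 0 0 echo inside\nicmp deny any outside")
    r["inside_if_after"] = pix.icmp_to_box("inside", "10.0.1.10", "echo")
    r["inside_if_other"] = pix.icmp_to_box("inside", "10.0.1.10", "unreachable")  # implicit deny
    pix.load("nat (inside) 1 0 0\nglobal (outside) 1 interface")
    r["req"] = pix.forward("inside", "10.0.1.10", "220.171.1.100")
    r["reply_no_acl"] = pix.forward("outside", "220.171.1.100", "220.171.1.2")
    pix.load("access-list k1 permit icmp any any\naccess-group k1 in interface outside")
    r["reply_acl"] = pix.forward("outside", "220.171.1.100", "220.171.1.2")
    r["req_r1"] = pix.forward("inside", "10.0.2.10", "220.171.1.100", icmp_id=2)  # host behind R1
    r["reply_no_route"] = pix.forward("outside", "220.171.1.100", "220.171.1.2", icmp_id=2)
    pix.load("route inside 10.0.2.0 255.255.255.0 10.0.1.2")
    r["reply_routed"] = pix.forward("outside", "220.171.1.100", "220.171.1.2", icmp_id=2)
    return r
```

Call `run_lab()` and read the results in order: the interface stops answering echo once the icmp list exists, and because of the implicit deny it stops answering other ICMP types too. For through traffic, the reply to the PAT address 220.171.1.2 is matched against the xlate table before any interface policy is consulted, which is why `icmp deny any outside` does not break the inside-to-outside ping; the access-list and the static route then each remove one of the two reasons the reply would otherwise be dropped. The `global ... A-B` pool from the last step is parsed and translated by `translate`, which hands out the first pool address not already held by another host.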