Case:An internal user on the Inside of the LAN initiates a ping to some address on the internet:

Question: Will the echo reply automatically be allowed or should there be an explicit ACL allowing it?

I have a pix 7.0(2).

Question 2: does the pix 7.0(2) use theadaptive security algorithm

asked 12/14/2011 06:29

Junior-Auditor's gravatar image

Junior-Auditor ♦♦

2 Answers:
As far as I have seen  , for PIXOS 6.3 and below it's well known that there is no stateful  inspection for ICMP.  Hence, the adding of the ACE for the respective return ICMP type as you have found.  ASA/PIX OS 7.x has stateful ICMP inspection.

Adaptive Security Algorithm (ASA) is the foundation on which the PIX Firewall is built. It defines how PIX examines traffic passing through it and applies various rules to it.


alienXeno's gravatar image


Q1: If you dont have any acl defined on your interfce it will be allowed by default
Q2: copied/pasted the following:

What's New in Cisco PIX Firewall 7.0
Improved Inspection Engines
Traditionally, ICMP traffic has been difficult to inspect because it is stateless—one host can send one or more ICMP messages without expecting a reply. With PIX 7.0, a firewall can emulate a stateful inspection of ICMP by applying some intuitive rules. For example, if an inside host sends an ICMP echo (ping) packet to another host, the firewall will allow only a single reply packet to return. The firewall will also immediately tear down any address translations that were created for an ICMP "session." For TCP, you can configure very specific security policies that can take action on packets with unexpected values in any of the TCP header fields.

answered 2011-12-15 at 04:24:34

CSorg's gravatar image


Your answer
[hide preview]

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments



Asked: 12/14/2011 06:29

Seen: 304 times

Last updated: 12/15/2011 08:37