Irene,
You need to change your rule to allow for the return ICMP. Your ping or traceroute goes out and when the reply comes back, it gets dropped. You should see this in your logs.

If you're going to do this with rules, then uncheck the policy properties Accept ICMP (but wait until you fix this issue).

Be aware that if you take my advice above, there are other ICMP return codes that you're going to have to watch out for - ones you'll probably need.

See http://www.phoneboy.com/fw1/faq/0066.html, http://www.phoneboy.com/fw1/faq/0230.html, or better yet, just go to www.phoneboy.com and look up ICMP.
Robert
--
Robert P. MacDonald, Network Engineer
e-Business Infrastructure
Gordon Food Service
Voice: +1.616.261.7987 email: [EMAIL PROTECTED]
>>> Irene Cai <[EMAIL PROTECTED]> 8/21/00 3:03:44 PM >>>
>
>Hi,
>
> Currently I have a problem setting up the ICMP protocol in my firewall
>policy set. I set up the properties for ACCEPT ICMP under security policy
>for "before last", then I set up another rule for NO Internal Network Any
>ICMP-Proto Drop. However, after I pushed the policy, the Internal Network
>can't run ICMP-related commands, such as PING or TRACEROUTE. If I remove that
>No Internal Network drop for the ICMP, I can run the ICMP-related commands;
>unfortunately everybody on the Internet can run the ICMP-related commands as
>well. Any suggestion will be greatly appreciated!
>
>Thanks,
>
>Irene
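The following is an added illustration, not code from either poster or from Check Point: a tiny first-match rule-base evaluator that reproduces the problem Irene describes (a blanket drop of ICMP from outside also drops the replies to internal pings and traceroutes) and the fix Robert suggests (accept the return types before the drop rule). Zone names, the two-zone reading of "NOT Internal Network", and the rule layout are assumptions for illustration, not FW-1 syntax.

```python
# Added example (not from the thread): a first-match rule-base simulator.
# Zones, rule layout and the two-zone model are assumptions for
# illustration; this is not Check Point FW-1 syntax.
from dataclasses import dataclass

INTERNAL, INTERNET, ANY = "internal", "internet", "any"
# ICMP types from RFC 792: 8 echo request, 0 echo reply,
# 11 time exceeded (what traceroute relies on), 3 destination unreachable.
ECHO_REQ, ECHO_REPLY, TIME_EXCEEDED, UNREACHABLE = 8, 0, 11, 3
RETURN_TYPES = frozenset({ECHO_REPLY, TIME_EXCEEDED, UNREACHABLE})


@dataclass(frozen=True)
class Rule:
    src: str               # zone name or ANY
    dst: str               # zone name or ANY
    icmp_types: frozenset  # empty set means "any ICMP type"
    action: str            # "accept" or "drop"


def match(rule, src, dst, icmp_type):
    return (rule.src in (ANY, src) and rule.dst in (ANY, dst)
            and (not rule.icmp_types or icmp_type in rule.icmp_types))


def evaluate(rulebase, src, dst, icmp_type):
    """First matching rule wins; no match falls through to an implicit drop."""
    for rule in rulebase:
        if match(rule, src, dst, icmp_type):
            return rule.action
    return "drop"


# Irene's rule as posted: source NOT Internal Network (modelled here as the
# Internet zone), any destination, any ICMP, drop; internal hosts may send.
BROKEN = [
    Rule(INTERNET, ANY, frozenset(), "drop"),
    Rule(INTERNAL, ANY, frozenset(), "accept"),
]

# Robert's fix: accept the return types internal hosts need, placed before
# the drop rule, so unsolicited echo requests from outside are still dropped.
FIXED = [
    Rule(ANY, INTERNAL, RETURN_TYPES, "accept"),
    Rule(INTERNET, ANY, frozenset(), "drop"),
    Rule(INTERNAL, ANY, frozenset(), "accept"),
]


def ping_round_trip(rulebase):
    """Return (outbound request action, inbound reply action) for an internal ping."""
    out = evaluate(rulebase, INTERNAL, INTERNET, ECHO_REQ)
    back = evaluate(rulebase, INTERNET, INTERNAL, ECHO_REPLY)
    return out, back
```

With the broken rule base the request leaves but the reply is dropped, which is exactly the log entry Robert says to look for; the fixed rule base lets replies, time-exceeded and unreachable messages back in while still dropping inbound echo requests.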
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================