"authorization exec" on PIX/ASA

I'm seeing posts that hit all around my questions, and based on my interpretation of the documentation it appears that there is no "shell exec" authorization available to the PIX when configured to use a TACACS+ server for authentication. Is this true? The problem I have is that whenever I create a new username in SecureACS, that user (w/default settings) is immediately able to log in and get a shell prompt on our PIX and ASA devices. I see no means (other than a NAR) that will restrict the user from getting a shell. Am I missing something?
I know I can do command authorization, but exec authorization seems to be a glaringly missing feature.
For example, how do I allow a user to be authenticated for a WebVPN session (via TACACS), but not be allowed to log in via SSH for administration?

Hi,
Yes, you are correct, currently there is no shell exec on PIX/ASA, as we have on all routers and switches. In case you are using TACACS+ for WebVPN, and don't want to allow them to log in via SSH for administration, probably you can try the same login that is used in Access Points.
Actually what happens is, if you have ever come across MAC authentication on APs: on the local database of the AP, user accounts are created using the MAC address as username/password. But the interesting thing is, they have *autocommand* at the end, i.e.
username xxxx password xxxx
username xxxx autocommand exit
So what actually happens here is, though the user is authenticated, if that user tries to use their MAC address to log into the AP [if they think they are clever enough], they will log in and will be kicked out automatically.
Haven't tried this yet, but probably we can use the same logic with PIX/ASA, making use of "auto command" under "TACACS+ Settings" for a group/user.
Probably, I'll do a small re-create of it and will let you know, you try at your end.
Regards,
Prem

Similar Messages

  • Automatic jump to privilege level 15 in PIX/ASA

    Hi, with IOS routers and switches I'm able to authorize the user to jump automatically to the correct privilege level in the login phase, as configured in the authorization privilege field in ACS.
    With PIX/ASA the jump does not work: why?
    thank you in advance
    RS

    I have to disagree here.
    It's not a security feature. The privilege level feature was never properly implemented in the PIX/ASA. You may call it a bug.
    It would have been a security feature if it were implemented on all privilege levels besides level 15, so that users were prevented from going directly to priv. exec mode. But on the ASA/PIX, it does not work for any level (as the feature was not implemented).
    Regards
    Farrukh

  • TACACS config for PIX & ASA

    I am struggling to configure TACACS to allow authentication via Cisco ACS. I was able to configure it for 2950 and 3750 switches but not for ASA & PIX; can anyone let me know the configs?

    I am actually looking for a similar command which I used on the Cisco 2950/3750
    aaa new-model
    aaa authentication login default group tacacs+ enable local
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec default group tacacs+ if-authenticated
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    With these commands I was able to track the commands the user has used, logged with the username I configured on TACACS. With the command you sent me I was able to log in with the TACACS username ("aaa-server TACACS+ host "), but it is not accounting all the details like login & logout time, the commands the user has issued, etc.

  • AAA problems PIX/ASA

    Hello
    I have a problem with authentication on my network. Here I have support level 2 and level 3.
    Level 2 support has restricted access to some switches and routers; on the firewalls they should only be able to issue "show", but the problem is that this is not happening.
    I configured on the ACS command shell authorization for the commands on switches and routers for these users of level 2, and for the PIX/ASA shell commands I set only the commands enable and show.
    My problem is that even when level 2 support tries to access the PIX and ASA on my network, they use the authorization of the routers and switches; they do not use the parameters that I set up for the PIX and ASA shell.
    The only authorization line on my firewalls is this:
    Authorization TACACS + aaa command LOCAL
    Do I have to configure anything else?
    I cannot create a command line only for firewalls.
    Am I missing something?
    my firewall and IOS versions:
    Pix: 6.3
    ASA 6x, 7x, 8x
    thanks for the help

    My problem is that my ACS v4.2 is not able to distinguish the PIX/ASA shell commands from the others. The same shell commands used on the switches are being applied on the firewalls.
    Is there a way to create separate privileges between switches and firewalls?
    Output of routers and firewalls. Switches and routers are the same:
    switches
    aaa authentication login ACS-AUTH group ACS-TACACS local
    aaa authorization config-commands
    aaa authorization exec ACS-AUTH group ACS-TACACS local
    aaa authorization commands 15 default group ACS-TACACS local
    aaa accounting exec default start-stop group ACS-TACACS
    aaa accounting commands 15 default start-stop group ACS-TACACS
    firewalls
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ (transit) host x.x.x.x
    aaa-server RADIUS protocol radius
    aaa authentication ssh console TACACS+ LOCAL
    aaa authentication http console TACACS+ LOCAL
    aaa authentication enable console TACACS+ LOCAL
    aaa authentication telnet console TACACS+ LOCAL
    aaa accounting enable console TACACS+
    aaa accounting ssh console TACACS+
    aaa accounting command privilege 15 TACACS+

  • Using ACS with PIX/ASA

    Hi there,
    We have an implementation of Cisco Secure ACS 4.1.4 using RSA SecurID as its authentication source to provide role-based access control and command level authorisation.
    We have successfully deployed this to our routers/switches, and are now looking at configuring Cisco PIX/ASA devices to use ACS and have stumbled across issues.
    Config on PIX/ASA (note we actually have 4 ACS servers defined for resilience etc):
    aaa-server XXXXX protocol tacacs+
    accounting-mode simultaneous
    reactivation-mode depletion deadtime 1
    max-failed-attempts 1
    aaa-server XXXXX inside host <SERVER>
    key <SECRET>
    timeout 5
    aaa authentication telnet console XXXXX LOCAL
    aaa authentication enable console XXXXX LOCAL
    aaa authentication ssh console XXXXX LOCAL
    aaa authentication http console XXXXX LOCAL
    aaa authentication serial console XXXXX LOCAL
    aaa accounting command XXXXX
    aaa accounting telnet console XXXXX
    aaa accounting ssh console XXXXX
    aaa accounting enable console XXXXX
    aaa accounting serial console XXXXX
    aaa authorization command XXXXX LOCAL
    Problems:
    Enter PASSCODE is NOT displayed on first attempt to logon to the PIX/ASA because it does not attempt to communicate with ACS until username/pass is sent.
    Username with null password (e.g. CR) will correctly then display Enter PASSCODE prompt received from ACS.
    PIX/ASA does not attempt to authenticate against all configured TACACS+ servers in one go; instead it tries each sequentially per authentication attempt, e.g.
    1st Attempt = Server 1
    2nd Attempt = Server 2
    3rd Attempt = Server 3
    4th Attempt = Server 4
    This means that in a total failure of ACS, users will have to attempt authentication N+1 times before failing over to LOCAL credentials, depending on the number of servers configured. This seems to be from setting "depletion deadtime 1"; however, the alternative is worse:
    With “depletion timed” configured, by the time the user has attempted authentication to servers 2, 3 and 4 the hard-coded 30 second timeout has likely elapsed and the first server has been re-enabled by the PIX for authentication attempts; as such it will never fail over to local authentication, locking the user out of the device. The PIX itself does warn of this with the following error:
    “WARNING: Fallback authentication is configured, but reactivation mode is set to
    timed. Multiple aaa servers may prevent the appliance from ever invoking the fallback auth
    mechanism.”
    The next issue is that of accounting. AAA Accounting does not record “SHOW” commands, session accounting records (start/stop) or “ENABLE”.
    The final issue is ASDM. We can login to ASDM successfully using ACS/RSA SecurID, however when a change is made to the configuration ASDM repeatedly sends the users logon credentials multiple times.
    As RSA SecurID token can only be used once this fails and locks the account.
    Any ideas on how to make two of Cisco's leading security products work together better?

    Just re-reading the PIX/ASA 7.2 command reference guide below:
    http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/crt_72.pdf
    It appears some of the above are known issues.
    PASSCODE issue, page 2-17 states:
    We recommend that you use the same username and password in the local database as the
    AAA server because the security appliance prompt does not give any indication which method is being used.
    Failure to LOCAL, page 2-42 states:
    You can have up to 15 server groups in single mode or 4 server groups per context in multiple mode. Each group can have up to 16 servers in single mode or 4 servers in multiple mode. When a user logs in, the servers are accessed one at a time starting with the first server you specify in the configuration, until a server responds.
    AAA Accounting, page 2-2 states:
    To send accounting messages to the TACACS+ accounting server when you enter any command other than show commands at the CLI, use the aaa accounting command command in global configuration mode.
    ASDM issue, page 2-17 states:
    HTTP management authentication does not support the SDI protocol for AAA server group
    So looks like all my issues are known "features" of PIX/ASA integration with ACS, any ideas of how to achieve a "slicker" integration?
    Is there a roadmap to improve this with later versions of the OS?
    Will the PIX/ASA code ever properly support the same features as IOS?
    Would it be better to look at using something like CSM instead of ASDM?

  • Aaa authorization commands for pix 535

    Hi ,
    Can you provide aaa authorization commands for pix 535
    Sanjay Nalawade.

    Hi,
    Please find the AAA config for PIX.
    aaa-server TACACS+ protocol tacacs+
    max-failed-attempts 5
    aaa-server TACACS+ (ExranetFW-In) host
    timeout 5
    key ********
    aaa authentication enable console TACACS+ LOCAL
    aaa authentication serial console TACACS+ LOCAL
    aaa authentication http console TACACS+ LOCAL
    aaa authentication ssh console TACACS+ LOCAL
    aaa authorization command LOCAL
    aaa accounting command privilege 15 TACACS+
    aaa authorization exec authentication-server
    Karuppuchamy

  • PIX, ASA or VPN concentrator & dynamic VPN

    Hi all,
    I need help what to use and how to do next.
    What we need is to create remote VPN for many users so that every user is member of more than one group and every group is linked to predefined set of rules, for instance you can access this IPs, ports and so on.
    How to do that dynamically? Is it possible to do that with one certificate?
    Other question is what to use? ..PIX, ASA, VPN concentrator ?
    BR
    jl

    The PIX and VPNC are both end-of-sale products now, and unless you already have them your only choice is IOS or ASA. Of those two the ASA is the Cisco preferred platform for Remote Access VPNs.
    You can map users to groups using Active Directory OUs, let them select a group at logon, have different logon URLs per group etc. However as far as I know this is not possible:
    "every user is member of more than one group "
    Some links:
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008089149d.shtml
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808bd83d.shtml
    With remote access IPSEC VPNs you can either define the groups on the ASA or externally on the ACS Server.
    Pls. rate if helpful.
    Regards
    Farrukh

  • What happened to PDF document 22040 – "PIX/ASA: Monitor and Troubleshoot Performance Issues"?

    Hi, does anyone know what happened to the following PDF notes at Cisco? The PDF file only contains 1 page, compared to the original notes in HTML format, which are a few pages.
    If there is alternative link for this document, please let me know. Thanks.
    Document ID: 22040
    PIX/ASA: Monitor and Troubleshoot Performance Issues
    http://www.cisco.com/image/gif/paws/22040/pixperformance.pdf <PDF Notes, but 1 page only?>
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008009491c.shtml  < HTML Notes>

    Hi experts / marcin
    can anyone of you let me know about my question related to vpn ?
    Jayesh

  • Pix/Asa OSPF passive interface

    Hi.
    I am going to have an OSPF process for two internal interfaces. But I also have one external interface where I do not want any OSPF traffic going out. I have not so far found any OSPF PASSIVE INTERFACE type of command on PIX/ASA. Is there anyone out there who knows if there is a command like that, or how one can stop OSPF packets from going out? I presume that an outgoing access-list will not stop this traffic.
    Regards Bjorn

    Hi,
    Don't define the external interface as participating in the OSPF process.
    That is, you have to define only the two interfaces participating in the OSPF process:
    view: "Enabling OSPF ". Here is the link:http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/ip.html#wp1041629.
    I hope this helps.
    Best regards.
    Massimiliano.

  • CiscoWorks LMS cannot add PIX/ASA in software repository

    Hi,
    I can see that LMS in RME Software Management cannot add PIX/ASA software saying not supported.
    Any configuration issues.
    I have got another problem. CiscoWorks LMS needs to download IOS onto a Cisco router, and the process fails in RME Software Mgt. But the LMS is NATed when it goes through the router.
    I guess the script does not know the NATed IP when running it on the router. Is there a way that I can specify the NATed IP of the LMS? Fortunately, it is a static NAT IP.
    Thanks,
    Ashley

    Hi Joseph,
    It is working fine. My mistake, issue with TFTP source interface.
    However, I had got a small issue.
    I have got a Cisco router which RME accesses with the NATed IP, as you indicated, and it is working fine with RME. RME can manage the router perfectly.
    However, DFM is leaving this router in questioned state. So the SNMP credentials must be OK, since they work with RME.
    Do I have to specify the NATed DFM IP as well for this router? Or must something else be done?

  • Converting PIX/ASA logs into CSV

    I work as a network forensics analyst for a gov't agency. We are getting large amounts of PIX and ASA logs being pushed to our Syslog server. I'm trying to create a script to parse/convert the standard PIX/ASA logs into CSV files in order to assist with integration to other products. Has anyone had success with this, or have a perl / shell script (awk, grep, etc.) written for this task? I would like to capture as much data as possible.

    What syslog server are you using? The free kiwi syslog has an option to spin a new file based on the time or day to a text file automatically which can be archived later. Seems like kiwi can export in .csv format. http://www.kiwisyslog.com/help/syslogwebaccess/index.html?export_to_csv.htm
    -KS
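A starting point for the PIX/ASA-to-CSV conversion asked for above, written in Python as an added example (not from this thread or from Kiwi): it splits the %PIX/%ASA header out of each syslog line, pulls the connection, ACL-deny and management-login fields from three common message types (302013, 106023, 605005) and emits CSV; the sample lines, hostnames and addresses are constructed.

```python
"""Convert Cisco PIX/ASA syslog lines into CSV rows.

Added example (not from the thread): the regexes follow the message formats for
302013 (Built connection), 106023 (ACL deny) and 605005 (management login
permitted); any other %PIX/%ASA message still gets a row with the header fields
and the raw text, so nothing is silently dropped.
"""
import csv
import io
import re
from typing import Dict, List, Optional, Tuple

# Header common to all PIX/ASA/FWSM messages: %<platform>-<severity>-<6-digit id>: <text>
# search() rather than match() so a syslog PRI/timestamp/hostname prefix is tolerated.
HEADER_RE = re.compile(
    r"%(?P<platform>PIX|ASA|FWSM)-(?P<severity>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)$"
)

# 302013: Built {inbound|outbound} TCP connection <n> for <if>:<ip>/<port> (<mapped>) to <if>:<ip>/<port> (<mapped>)
CONN_RE = re.compile(
    r"^(?P<action>Built) (?:inbound|outbound) (?P<proto>TCP|UDP) connection \d+ "
    r"for (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+)(?: \([^)]*\))? "
    r"to (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)

# 106023: Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group "<acl>" [...]
DENY_RE = re.compile(
    r'^(?P<action>Deny) (?P<proto>\w+) src (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))? '
    r'dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)(?:/(?P<dst_port>\d+))? by access-group "(?P<acl>[^"]+)"'
)

# 605005: Login permitted from <ip>/<port> to <if>:<ip>/<service> for user "<name>"
LOGIN_RE = re.compile(
    r'^Login permitted from (?P<src_ip>[\d.]+)/(?P<src_port>\d+) '
    r'to (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<service>\w+) for user "(?P<user>[^"]+)"'
)

COLUMNS = ["platform", "severity", "msgid", "action", "proto", "src_if", "src_ip", "src_port",
           "dst_if", "dst_ip", "dst_port", "acl", "service", "user", "raw"]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return one row keyed by COLUMNS, or None if the line is not a PIX/ASA message."""
    header = HEADER_RE.search(line)
    if not header:
        return None
    row = {col: "" for col in COLUMNS}
    row.update(platform=header["platform"], severity=header["severity"],
               msgid=header["msgid"], raw=line.strip())
    for pattern in (CONN_RE, DENY_RE, LOGIN_RE):
        body = pattern.match(header["text"])
        if body:
            # Only named groups that are also CSV columns are copied; absent optional groups stay "".
            row.update({k: v for k, v in body.groupdict().items() if v is not None and k in row})
            break
    if row["msgid"] == "605005":
        row["action"] = "AdminLogin"  # management-plane login: the event the opening post wants visibility of
    return row


def to_csv(lines: List[str]) -> str:
    """Render all parseable lines as CSV text with a header row."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    for line in lines:
        row = parse_line(line)
        if row is not None:
            writer.writerow(row)
    return buf.getvalue()


def admin_logins(lines: List[str]) -> List[Tuple[str, str, str]]:
    """(user, service, source IP) for every permitted management login, for review against who should have a shell."""
    rows = (parse_line(line) for line in lines)
    return [(r["user"], r["service"], r["src_ip"]) for r in rows if r and r["msgid"] == "605005"]


# Constructed sample input (not captured from a real device); addresses use documentation ranges.
SAMPLE_LINES = [
    "<166>Mar 10 2010 12:01:02 pixfirewall : %PIX-6-302013: Built inbound TCP connection 1149 "
    "for OUTSIDE:203.0.113.9/51022 (203.0.113.9/51022) to DMZ:192.168.10.10/80 (198.51.100.10/80)",
    "<164>Mar 10 2010 12:01:05 asa01 : %ASA-4-106023: Deny tcp src OUTSIDE:203.0.113.9/4444 "
    'dst INSIDE:10.0.0.5/23 by access-group "101" [0x0, 0x0]',
    "<166>Mar 10 2010 12:02:11 asa01 : %ASA-6-605005: Login permitted from 192.0.2.10/51234 "
    'to INSIDE:10.0.0.1/ssh for user "jsmith"',
    "<166>Mar 10 2010 12:02:11 asa01 : %ASA-6-113012: AAA user authentication Successful : "
    "local database : user = jsmith",
    "Mar 10 12:03:00 linuxhost sshd[4321]: Accepted publickey for root from 192.0.2.99",  # not ASA: skipped
]

if __name__ == "__main__":
    print(to_csv(SAMPLE_LINES))
    print(admin_logins(SAMPLE_LINES))
```

Feed it the syslog server's daily file one line at a time and extend the pattern tuple with further message IDs as they turn up in the raw column.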

  • AAA authorization exec explanation please....thank you

    If I have this:
    aaa authentication login default group tacacs+ local line none
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec default group tacacs+ local none
    username localadmin password 7 xxxxxxxxxxxx
    enable secret 5 xxxxxxxxxxxxxxxx
    And all tacacs+ servers are unreachable.
    Authentication will revert to local, so I would need to use a locally defined username of localadmin to access the unit. Correct?
    If I can log in using the local username, doesn't the authorization exec fail so that I cannot get an exec shell, as I have no locally defined authorization set up?
    If so, how do I set it up so I can log in locally (which I think I have set up), but can also get into enable mode if the tacacs+ server(s) are down?
    Is the exec shell the privileged mode, or just the shell you get when you log in, where you need to execute an enable command to get to the privileged exec shell?
    Thanks
    Gene

    Gene
    I believe that exec shell is the exec that you get when you login and not the privilege level. I usually configure authentication as you have done and it works well - whether the TACACS server is available or not. I generally configure authorization this way:
    aaa authorization exec default group tacacs+ if-authenticated
    and find that it works well - whether the TACACS server is available or not.
    HTH
    Rick

  • Enabling aaa authorization on pix/asa

    I managed to get authentication on easy enough but now am having difficulty getting authorization to work properly. I have auth/author turned on for my IOS stuff so any techs logged in will have rights based on what I give them on Secure ACS. However I can't get the same to work on PIX code. I can log in fine with aaa authentication but it still prompts me for the enable password. End result is I want to be able to log in just once (and enabled). Any white papers that can point me in the right direction?

    Thank you, Prem. here is my concern. When I enable AAA access on the firewalls, from what you said there is no way for me to govern what rights a tech has when accessing the device? I want to establish the same restrictions as the IOS gear I have where normal techs will only have certain commands and others have full command. The way it is now, anyone with an account on Secure ACS can access it via ASDM.
    EDIT:
    Also I'm a little confused about the various fields on the AAA Access (from Device Access) tab. In Authentication, there is an option to toggle to require auth to be able to use enable mode. I am not sure how this authenticates against our ACS server (I checked the various settings in ACS and enabled what I think are all PIX commands to permit enable) and it doesn't work. I entered the enable password when I telnet in and I get auth failed when running any commands.
    Also there is an Authorization tab which I am assuming allows to you to push down rights from an aaa server? Where on the ACS can I configure that?

  • PIX/ASA Failover conditions

    I have an ASA cluster in active/standby mode with a LAN cable connected for stateful failover. I want to know about the conditions when the box fails over to the other. One parameter should be the hello timers going between the failover interfaces.
    Does this failover happen when the inside or outside interface of the primary ASA goes down?

    What type of firewall is it? What version?
    For PIX 7.2 for example I would look at the configuration guide
    http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/failover.html
    In particular look at the section entitled "Failover Actions" for active/standby. There is a nice table of failover conditions there.
    Similar for other PIX/FWSM/ASA.

  • PIX/ASA not able to reach DMZ

    Hi everyone ,
    I am able to ping from outside to inside all IPs, but there is no communication from inside and outside to DMZ.
    I did debug icmp trace 255 and it gives the debug below; can anyone guide me if I am making any mistake here in the config?
    pixfirewall(config)# ICMP echo request from OUTSIDE:131.1.23.1 to DMZ:131.1.23.10 ID=74 seq=0 len=72
    ICMP echo request untranslating OUTSIDE:131.1.23.10 to DMZ:192.168.10.10
    ICMP echo request from OUTSIDE:131.1.23.1 to DMZ:131.1.23.10 ID=74 seq=1 len=72
    ICMP echo request untranslating OUTSIDE:131.1.23.10 to DMZ:192.168.10.10
    ICMP echo request from OUTSIDE:131.1.23.1 to DMZ:131.1.23.10 ID=74 seq=2 len=72
    ICMP echo request untranslating OUTSIDE:131.1.23.10 to DMZ:192.168.10.10
    ICMP echo request from OUTSIDE:131.1.23.1 to DMZ:131.1.23.10 ID=74 seq=3 len=72
    ICMP echo request untranslating OUTSIDE:131.1.23.10 to DMZ:192.168.10.10
    ICMP echo request from OUTSIDE:131.1.23.1 to DMZ:131.1.23.10 ID=74 seq=4 len=72
    ICMP echo request untranslating OUTSIDE:131.1.23.10 to DMZ:192.168.10.10
    DMZ>sh ip int br
    Interface                  IP-Address      OK? Method Status                Protocol
    Ethernet0/0                192.168.0.1     YES manual up                    up 
    Ethernet0/1                unassigned      YES unset  administratively down down
    Ethernet0/2                unassigned      YES unset  administratively down down
    Ethernet0/3                unassigned      YES unset  administratively down down
    FastEthernet1/0            20.1.1.2        YES NVRAM  administratively down down
    Loopback0                  192.168.10.10   YES manual up                    up 
    Loopback1                  4.4.4.4         YES NVRAM  up                    up 
    DMZ>
    INSIDE-RTR>sh ip int br
    Interface                  IP-Address      OK? Method Status                Protocol
    Ethernet0/0                10.10.254.2     YES NVRAM  up                    up 
    Ethernet0/1                unassigned      YES NVRAM  administratively down down
    Ethernet0/2                unassigned      YES NVRAM  administratively down down
    Ethernet0/3                unassigned      YES NVRAM  administratively down down
    Loopback0                  10.14.8.50      YES NVRAM  up                    up 
    Loopback1                  10.10.10.10     YES manual up                    up 
    INSIDE-RTR>
    OUTSIDE>sh ip int br
    Interface                  IP-Address      OK? Method Status                Protocol
    Ethernet0/0                unassigned      YES TFTP   administratively down down
    Ethernet0/1                131.1.23.1      YES NVRAM  up                    up 
    Ethernet0/2                unassigned      YES NVRAM  administratively down down
    Ethernet0/3                unassigned      YES NVRAM  administratively down down
    Loopback0                  5.5.5.5         YES manual up                    up 
    Loopback1                  1.1.1.1         YES NVRAM  up                    up 
    OUTSIDE>
    pixfirewall# sh run
    : Saved
    PIX Version 7.2(4)
    hostname pixfirewall
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0
    speed 100
    duplex full
    nameif INSIDE
    security-level 100
    ip address 10.10.254.1 255.255.255.0
    interface Ethernet1
    speed 100
    duplex full
    nameif OUTSIDE
    security-level 0
    ip address 131.1.23.2 255.255.255.0
    interface Ethernet2
    speed 100
    duplex full
    shutdown
    no nameif
    security-level 50
    no ip address
    interface Ethernet3
    speed 100
    duplex full
    nameif DMZ
    security-level 50
    ip address 192.168.0.2 255.255.255.0
    interface Ethernet4
    shutdown
    no nameif
    no security-level
    no ip address
    ftp mode passive
    same-security-traffic permit intra-interface
    access-list 101 extended permit ip any any log
    access-list ACL-BW extended permit ip any any
    access-list DMZtoINSIDE extended permit ip any any log
    pager lines 24
    logging buffered debugging
    mtu INSIDE 1500
    mtu OUTSIDE 1500
    mtu DMZ 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (OUTSIDE) 1 131.1.23.12-131.1.23.254
    nat (INSIDE) 1 10.0.0.0 255.0.0.0
    static (INSIDE,OUTSIDE) 131.1.23.11 10.14.8.50 netmask 255.255.255.255
    static (INSIDE,DMZ) 192.168.11.11 10.10.10.10 netmask 255.255.255.255
    static (DMZ,OUTSIDE) 131.1.23.10 192.168.10.10 netmask 255.255.255.255
    access-group 101 in interface OUTSIDE
    access-group DMZtoINSIDE in interface DMZ
    route INSIDE 10.14.8.0 255.255.255.0 10.10.254.2 1
    route INSIDE 10.10.10.0 255.255.255.0 10.10.254.2 1
    route OUTSIDE 0.0.0.0 0.0.0.0 131.1.23.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    priority-queue OUTSIDE
    class-map CLASS-BW
    match access-list ACL-BW
    class-map bw-limit1
    policy-map POLICY-BW
    class CLASS-BW
      police output 8000 1000 conform-action drop
    service-policy POLICY-BW interface OUTSIDE
    prompt hostname context
    Cryptochecksum:2544d2c2a04267b55ac2ae90ba42d40f
    : end
    =====================
    thanks for the reply

    Hi Julio,
    Thanks for your reply.
    Here are the outputs you asked me for:
    1-Can you ping 131.1.23.1 from the ASA ----yes pinging
    pixfirewall# ping 131.1.23.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 131.1.23.1, timeout is 2 seconds:
    ICMP echo request from 131.1.23.2 to 131.1.23.1 ID=4388 seq=36579 len=72
    !ICMP echo reply from 131.1.23.1 to 131.1.23.2 ID=4388 seq=36579 len=72
    ICMP echo request from 131.1.23.2 to 131.1.23.1 ID=4388 seq=36579 len=72
    2-Can you ping 192.168.10.10 from the ASA. ---not reachable
    pixfirewall# ping 192.168.10.10
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.10.10, timeout is 2 seconds:
    ICMP echo request from 131.1.23.2 to 192.168.10.10 ID=4388 seq=16281 len=72
    ?ICMP echo request from 131.1.23.2 to 192.168.10.10 ID=4388 seq=16281 len=72
    ?ICMP echo request from 131.1.23.2 to 192.168.10.10 ID=4388 seq=16281 len=72
    ?ICMP echo request from 131.1.23.2 to 192.168.10.10 ID=4388 seq=16281 len=72
    ?ICMP echo request from 131.1.23.2 to 192.168.10.10 ID=4388 seq=16281 len=72
    Success rate is 0 percent (0/5)
    pixfirewall#
    I have applied all below captures ----->>
    access-list capout permit icmp 131.1.23.1 255.255.255.255  host 131.1.23.10
    access-list capout permit icmp host 131.1.23.10 131.1.23.1 255.255.255.255
    access-list capdmz permit icmp host 131.1.23.1 host 192.168.10.10
    access-list capdmz permit icmp host 192.168.10.10 host 131.1.23.1
    capture capdmz access-list capdmz interface dmz
    capture capout access-list capout interface outside
    pixfirewall# clear access-list capout counters
    pixfirewall#
    pixfirewall# clear access-list capdmz counters
    pixfirewall#
    pixfirewall# clear access-list 101 counters
    pixfirewall#
    pixfirewall# clear access-list DMZtoINSIDE counters
    pixfirewall#
    ---then ---->
    OUTSIDE#ping 131.1.23.10
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 131.1.23.10, timeout is 2 seconds:
    Success rate is 0 percent (0/5)
    OUTSIDE#
    pixfirewall# ICMP echo request from OUTSIDE:131.1.23.1 to DMZ:131.1.23.10 ID=77 seq=0 len=72
    ICMP echo request untranslating OUTSIDE:131.1.23.10 to DMZ:192.168.10.10
    ICMP echo request from OUTSIDE:131.1.23.1 to DMZ:131.1.23.10 ID=77 seq=1 len=72
    ICMP echo request untranslating OUTSIDE:131.1.23.10 to DMZ:192.168.10.10
    ICMP echo request from OUTSIDE:131.1.23.1 to DMZ:131.1.23.10 ID=77 seq=2 len=72
    ICMP echo request untranslating OUTSIDE:131.1.23.10 to DMZ:192.168.10.10
    ICMP echo request from OUTSIDE:131.1.23.1 to DMZ:131.1.23.10 ID=77 seq=3 len=72
    ICMP echo request untranslating OUTSIDE:131.1.23.10 to DMZ:192.168.10.10
    ICMP echo request from OUTSIDE:131.1.23.1 to DMZ:131.1.23.10 ID=77 seq=4 len=72
    ICMP echo request untranslating OUTSIDE:131.1.23.10 to DMZ:192.168.10.10
    pixfirewall#
    pixfirewall# ping 192.168.10.10
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.10.10, timeout is 2 seconds:
    ICMP echo request from 131.1.23.2 to 192.168.10.10 ID=4388 seq=18641 len=72
    ?ICMP echo request from 131.1.23.2 to 192.168.10.10 ID=4388 seq=18641 len=72
    ?ICMP echo request from 131.1.23.2 to 192.168.10.10 ID=4388 seq=18641 len=72
    ?ICMP echo request from 131.1.23.2 to 192.168.10.10 ID=4388 seq=18641 len=72
    ?ICMP echo request from 131.1.23.2 to 192.168.10.10 ID=4388 seq=18641 len=72
    Success rate is 0 percent (0/5)
    pixfirewall#
    pixfirewall#
    pixfirewall# ping 131.1.23.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 131.1.23.1, timeout is 2 seconds:
    ICMP echo request from 131.1.23.2 to 131.1.23.1 ID=4388 seq=44599 len=72
    !ICMP echo reply from 131.1.23.1 to 131.1.23.2 ID=4388 seq=44599 len=72
    !ICMP echo request from 131.1.23.2 to 131.1.23.1 ID=4388 seq=44599 len=72
    ICMP echo reply from 131.1.23.1 to 131.1.23.2 ID=4388 seq=44599 len=72
    ICMP echo request from 131.1.23.2 to 131.1.23.1 ID=4388 seq=44599 len=72
    ICMP echo reply from 131.1.23.1 to 131.1.23.2 ID=4388 seq=44599 len=72
    !ICMP echo request from 131.1.23.2 to 131.1.23.1 ID=4388 seq=44599 len=72
    !ICMP echo reply from 131.1.23.1 to 131.1.23.2 ID=4388 seq=44599 len=72
    ICMP echo request from 131.1.23.2 to 131.1.23.1 ID=4388 seq=44599 len=72
    Success rate is 100 percent (5/5), round-trip min/avg/max = 10/50/90 ms
    pixfirewall# ICMP echo reply from 131.1.23.1 to 131.1.23.2 ID=4388 seq=44599 len=72
    pixfirewall#
    pixfirewall#
    pixfirewall# sh access-list
    access-list cached ACL log flows: total 1, denied 0 (deny-flow-max 4096)
                alert-interval 300
    access-list 101; 1 elements
    access-list 101 line 1 extended permit ip any any log informational interval 300 (hitcnt=1) 0x28676dfa
    access-list ACL-BW; 1 elements
    access-list ACL-BW line 1 extended permit ip any any (hitcnt=156) 0xfa95bcad
    access-list DMZtoINSIDE; 1 elements
    access-list DMZtoINSIDE line 1 extended permit ip any any log informational interval 300 (hitcnt=0) 0xf5a55e4b
    access-list capout; 2 elements
    access-list capout line 1 extended permit icmp host 131.1.23.1 host 131.1.23.10 (hitcnt=5) 0xfb220e61
    access-list capout line 2 extended permit icmp host 131.1.23.10 host 131.1.23.1 (hitcnt=0) 0xda226f3d
    access-list capdmz; 2 elements
    access-list capdmz line 1 extended permit icmp host 131.1.23.1 host 192.168.10.10 (hitcnt=0) 0xa133807b
    access-list capdmz line 2 extended permit icmp host 192.168.10.10 host 131.1.23.1 (hitcnt=0) 0x99b84706
    pixfirewall#
    ==================
    Thanks for your reply again
