Unable to ping public address behind PIX

Answered Question
Mar 6th, 2007

Hi all,

I am using PIX 7.0. I have opened any/any access for my users behind the firewall, but none of them is able to ping public addresses like www.yahoo.com or the IP 66.45.172.7.

Please see the attached show run.
Correct Answer by vitripat about 9 years 9 months ago

Perhaps you don't even need to use access-lists. With 7.0 code, the PIX can do stateful inspection of ICMP and track the replies coming from outside, allowing them if they match the requests initiated from the inside network. To do so, you can implement the following commands:

policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
 exit
exit

Now check if you are able to ping outbound.

Regards,

Vibhor.

Correct Answer by suschoud about 9 years 9 months ago

Please add the command:

access-list acl-internet extended permit icmp any any

This is the access-list on the outside interface. When you try to ping anything on the internet, the ICMP echo request reaches that IP address, and an ICMP echo response is generated which reaches the firewall's outside interface.

As the access-list on the outside interface does not permit ICMP, the replies will be dropped, and that's why you do not get replies on the inside.

There are many ICMP commands which you could permit individually.

For details, please check:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

Hope this helps!!

Sushil

Cisco TAC.

vince-tran Tue, 03/06/2007 - 11:41

permit icmp any any echo-reply from the internet (acl-internet)

and permit icmp any any echo from the inside (acl-inside)

That should do it.
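As an added illustration, not code from this thread or from Cisco, the following Python model runs the same ping traffic through each of the three proposals above: suschoud's "permit icmp any any" on the outside ACL, vince-tran's echo-reply-only permit, and vitripat's stateful "inspect icmp". The addresses, echo identifiers and the simplified session key are constructed assumptions; NAT, interface security levels and "inspect icmp error" are ignored.

```python
from collections import namedtuple

ECHO_REPLY, ECHO_REQUEST = 0, 8  # ICMP type numbers
# src, dst: IP addresses; type: ICMP type; ident/seq: echo identifier and sequence
Icmp = namedtuple("Icmp", "src dst type ident seq")

class PixModel:
    def __init__(self, inspect_icmp=False, outside_acl=()):
        # outside_acl: ICMP types the outside interface ACL permits inbound;
        # "any" stands for 'permit icmp any any' with no type given (assumed model).
        self.inspect_icmp = inspect_icmp
        self.outside_acl = set(outside_acl)
        self.sessions = set()  # ICMP "connections" opened by inspection

    def send_outbound(self, pkt):
        # Inside -> outside: the question's any/any inside ACL permits it.
        # With 'inspect icmp' an echo request also opens a session entry.
        if self.inspect_icmp and pkt.type == ECHO_REQUEST:
            self.sessions.add((pkt.src, pkt.dst, pkt.ident, pkt.seq))
        return True

    def receive_inbound(self, pkt):
        # Outside -> inside: True if the PIX forwards the packet.
        if self.inspect_icmp and pkt.type == ECHO_REPLY:
            key = (pkt.dst, pkt.src, pkt.ident, pkt.seq)
            if key in self.sessions:
                self.sessions.remove(key)  # one reply per request, then closed
                return True
        return "any" in self.outside_acl or pkt.type in self.outside_acl

def scenarios():
    """Same traffic through each config from the thread. Returns, per config,
    (reply to our ping passed, unsolicited inbound ping passed, spoofed reply passed)."""
    configs = {
        "question: no icmp on outside acl": PixModel(),
        "suschoud: permit icmp any any": PixModel(outside_acl={"any"}),
        "vince-tran: permit echo-reply only": PixModel(outside_acl={ECHO_REPLY}),
        "vitripat: inspect icmp": PixModel(inspect_icmp=True),
    }
    # Constructed sample packets: an inside host pings 66.45.172.7 from the question.
    request = Icmp("10.1.1.5", "66.45.172.7", ECHO_REQUEST, 0x1234, 1)
    reply = Icmp("66.45.172.7", "10.1.1.5", ECHO_REPLY, 0x1234, 1)
    unsolicited = Icmp("198.51.100.9", "10.1.1.5", ECHO_REQUEST, 7, 1)
    spoofed_reply = Icmp("198.51.100.9", "10.1.1.5", ECHO_REPLY, 99, 1)
    results = {}
    for name, pix in configs.items():
        pix.send_outbound(request)
        results[name] = (pix.receive_inbound(reply), pix.receive_inbound(unsolicited),
                         pix.receive_inbound(spoofed_reply))
    return results
```

Only the inspection variant lets the real reply through while dropping both the unsolicited inbound echo request and a reply that matches no outstanding request, which is the difference between opening the outside ACL and tracking ICMP state.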
