Cannot ping from the inside network

Answered Question
Apr 16th, 2007

Hi guys,

I have set up a PIX 515E with 7.0(6). I am unable to ping the internet from the internal hosts. I am able to browse the internet and do DNS lookups. Also, the hitcnt does not increment; it always shows up as 0.

I have added the following lines to allow ICMP through, but this does not allow me to ping the internet. I can ping the external interface of the PIX from the internet. Is there something I am not doing right?

access-list in-to-out extended permit icmp object-group internal-lan any log
access-list out-to-in extended permit icmp any any
icmp permit any echo-reply outside
icmp permit any echo outside
icmp permit any outside
icmp permit any inside

Correct Answer by zulqurnain, Mon, 04/16/2007 - 21:45

Hello,

By default the PIX does not allow ICMP traffic, or any other traffic, from a lower to a higher security level; you have to explicitly allow ICMP traffic to pass through the firewall.

Because of the way ICMP works, you have to allow all of the entries below in order to be able to ping an outside IP address.

Try this:

access-list out_to_in permit icmp any any unreachable
access-list out_to_in permit icmp any any time-exceeded
access-list out_to_in permit icmp any any echo-reply
access-list in_to_out permit icmp any any unreachable
access-list in_to_out permit icmp any any time-exceeded
access-list in_to_out permit icmp any any echo-reply

Also make sure you have the ACLs "out_to_in" and "in_to_out" applied to the interfaces:

access-group out_to_in in interface outside
access-group in_to_out in interface inside

HTH, please rate it
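As an added example (not code from the thread or from Cisco), here is a small Python model of how a PIX/ASA consults a per-interface ACL. It is enough to reproduce the symptom in the question: the access-list entries exist but are never bound with access-group, so the firewall falls back to its security-level default (inside to outside permitted, outside to inside denied), echo-replies never make it back in, and hitcnt stays at 0. The security levels, the 10.0.0.5 and 198.51.100.1 addresses and the contents of the internal-lan object group are constructed. The "fixed" configuration keeps the asker's original outbound echo permit next to the answer's reply-type entries, because binding an ACL to the inside interface replaces the default permit with the ACL's implicit deny.

```python
"""Toy model of PIX/ASA interface-ACL evaluation (constructed example, not Cisco code).

It models only what the thread is about: per-interface access-groups, the
security-level default when no ACL is bound, ICMP type matching and hitcnt.
"""
from dataclasses import dataclass, field
from typing import Optional

# Assumed security levels for the two interfaces in the thread.
SECURITY_LEVEL = {"inside": 100, "outside": 0}

# Constructed stand-in for the asker's "object-group internal-lan".
OBJECT_GROUPS = {"internal-lan": {"10.0.0.5", "10.0.0.6"}}


def _addr_matches(spec: str, addr: str) -> bool:
    """spec is 'any', an object-group name, or a single host address."""
    if spec == "any":
        return True
    if spec in OBJECT_GROUPS:
        return addr in OBJECT_GROUPS[spec]
    return spec == addr


@dataclass
class Ace:
    """One access-list entry; hitcnt increments only when the ACL is actually consulted."""
    acl: str
    action: str                      # "permit" or "deny"
    protocol: str
    src: str
    dst: str
    icmp_type: Optional[str] = None  # None matches every ICMP type
    hitcnt: int = 0

    def matches(self, protocol: str, src: str, dst: str, icmp_type: Optional[str]) -> bool:
        if self.protocol != protocol:
            return False
        if not (_addr_matches(self.src, src) and _addr_matches(self.dst, dst)):
            return False
        if protocol == "icmp" and self.icmp_type is not None and self.icmp_type != icmp_type:
            return False
        return True


@dataclass
class Firewall:
    aces: list = field(default_factory=list)
    access_groups: dict = field(default_factory=dict)  # ingress interface -> ACL name

    def access_list(self, acl, action, protocol, src, dst, icmp_type=None):
        self.aces.append(Ace(acl, action, protocol, src, dst, icmp_type))

    def access_group(self, acl, interface):
        """Equivalent of: access-group <acl> in interface <interface>"""
        self.access_groups[interface] = acl

    def evaluate(self, ingress, egress, protocol, src, dst, icmp_type=None) -> bool:
        acl = self.access_groups.get(ingress)
        if acl is None:
            # No ACL bound: only higher-to-lower security traffic passes by default.
            return SECURITY_LEVEL[ingress] > SECURITY_LEVEL[egress]
        for ace in self.aces:
            if ace.acl == acl and ace.matches(protocol, src, dst, icmp_type):
                ace.hitcnt += 1
                return ace.action == "permit"
        return False  # implicit deny at the end of every bound ACL

    def hitcnt(self, acl: str) -> int:
        return sum(a.hitcnt for a in self.aces if a.acl == acl)


def ping_outcome(fw: Firewall, host="10.0.0.5", target="198.51.100.1") -> dict:
    """Echo request inside->outside, then the echo-reply outside->inside."""
    request = fw.evaluate("inside", "outside", "icmp", host, target, "echo")
    reply = request and fw.evaluate("outside", "inside", "icmp", target, host, "echo-reply")
    return {"request": request, "reply": reply}


def build_original() -> Firewall:
    """The asker's config: ACLs defined but never applied with access-group."""
    fw = Firewall()
    fw.access_list("in-to-out", "permit", "icmp", "internal-lan", "any")
    fw.access_list("out-to-in", "permit", "icmp", "any", "any")
    return fw


def build_fixed() -> Firewall:
    """The answer's entries plus the outbound echo permit, with both ACLs bound."""
    fw = Firewall()
    fw.access_list("in_to_out", "permit", "icmp", "internal-lan", "any", "echo")
    for t in ("unreachable", "time-exceeded", "echo-reply"):
        fw.access_list("out_to_in", "permit", "icmp", "any", "any", t)
        fw.access_list("in_to_out", "permit", "icmp", "any", "any", t)
    fw.access_group("out_to_in", "outside")
    fw.access_group("in_to_out", "inside")
    return fw


if __name__ == "__main__":
    for label, build in (("original", build_original), ("fixed", build_fixed)):
        fw = build()
        counts = {a: fw.hitcnt(a) for a in sorted({x.acl for x in fw.aces})}
        print(label, ping_outcome(fw), counts)
```

Running it shows the original configuration permitting the request by default but dropping the reply with every hitcnt at 0, and the fixed one passing both with each ACL counting one hit. The same implicit deny is why the inside ACL, once bound, must also carry the permits for the web and DNS traffic that worked before; the alternative on PIX 7.x is ICMP inspection (`inspect icmp` under the policy-map), which tracks echo requests and admits only the matching replies instead of opening echo-reply from any to any on the outside interface.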


adilmasani Tue, 04/17/2007 - 15:49

Thanks a lot this fixed it. I had forgotten to apply the access-lists to the interface.
