Cannot ping from the inside network

adilmasani
Level 1

Hi guys,

I have set up a PIX 515E with 7.0.(6). I am unable to ping the internet from the internal hosts. I am able to browse the internet and do DNS lookups. Also, the hitcnt does not increment. It always shows up as 0.

I have added the following lines to allow ICMP through, but this does not allow me to ping the internet. I can ping the external interface of the PIX from the internet. Is there something I am not doing right?

access-list in-to-out extended permit icmp object-group internal-lan any log

access-list out-to-in extended permit icmp any any

icmp permit any echo-reply outside

icmp permit any echo outside

icmp permit any outside

icmp permit any inside

Accepted Solution

zulqurnain
Level 3

Hello,

By default, the PIX does not allow ICMP traffic or any other traffic from a lower to a higher security level; you would have to explicitly allow ICMP traffic to pass through the firewall.

Given the nature of how ICMP works, you would have to allow all of the below in order to be able to ping an outside IP address.

Try this:

access-list out_to_in permit icmp any any unreachable

access-list out_to_in permit icmp any any time-exceeded

access-list out_to_in permit icmp any any echo-reply

access-list in_to_out permit icmp any any unreachable

access-list in_to_out permit icmp any any time-exceeded

access-list in_to_out permit icmp any any echo-reply

Also make sure you have the ACLs "out_to_in" and "in_to_out" applied to the interfaces:

access-group out_to_in in interface outside

access-group in_to_out in interface inside

HTH, please rate it

2 Replies

Thanks a lot, this fixed it. I had forgotten to apply the access-lists to the interface.
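
The root cause confirmed in this thread, ACLs that are defined but never bound with access-group (hence a hitcnt of 0), can be checked offline against a saved config. The sketch below is an added example, not code from the posters or from Cisco; the function name `audit`, the result keys and the simplified line parsing are assumptions, and the two sample configs are assembled from the lines quoted in the question and the answer.

```python
# ICMP reply types the accepted answer permits inbound on the outside interface.
RETURN_TYPES = {"echo-reply", "unreachable", "time-exceeded"}

def audit(config: str) -> dict:
    acls = {}   # ACL name -> ICMP types it permits ("*" = no type qualifier)
    bound = {}  # interface -> ACL name bound inbound by access-group
    for raw in config.splitlines():
        tok = raw.split()
        if tok[:1] == ["access-list"] and len(tok) > 2:
            rest = [t for t in tok[2:] if t not in ("extended", "log")]
            types = acls.setdefault(tok[1], set())
            if rest[:2] == ["permit", "icmp"] and len(rest) > 3:
                last, prev = rest[-1], rest[-2]
                # Simplification: a trailing word that is not an address,
                # "any", or a host/object-group name is taken as an ICMP type.
                is_type = (last != "any" and not last[0].isdigit()
                           and prev not in ("host", "object-group"))
                types.add(last if is_type else "*")
        elif (tok[:1] == ["access-group"] and len(tok) == 5
              and tok[2:4] == ["in", "interface"]):
            bound[tok[4]] = tok[1]
        # "icmp permit ..." lines are skipped on purpose: they govern ICMP sent
        # to the PIX's own interfaces, not pings passing through the firewall.
    outside = acls.get(bound.get("outside"), set())
    return {
        "unbound": sorted(set(acls) - set(bound.values())),
        "dangling": sorted(n for n in set(bound.values()) if n not in acls),
        "missing_on_outside": sorted(
            set() if "*" in outside else RETURN_TYPES - outside),
    }

# Sample input: the lines posted in the question (no access-group present).
QUESTION_CONFIG = """\
access-list in-to-out extended permit icmp object-group internal-lan any log
access-list out-to-in extended permit icmp any any
icmp permit any echo-reply outside
icmp permit any echo outside
"""
# Sample input: the outside ACL and both access-group lines from the answer.
ANSWER_CONFIG = """\
access-list out_to_in permit icmp any any unreachable
access-list out_to_in permit icmp any any time-exceeded
access-list out_to_in permit icmp any any echo-reply
access-list in_to_out permit icmp any any echo-reply
access-group out_to_in in interface outside
access-group in_to_out in interface inside
"""

if __name__ == "__main__":
    print(audit(QUESTION_CONFIG))
    print(audit(ANSWER_CONFIG))
```

An entry under "dangling" means an access-group names an ACL that does not exist, which is what happens if the question's hyphenated ACL names are combined with the answer's underscore names.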
