05-19-2007 08:12 AM - edited 03-11-2019 03:17 AM
Hi,
I have a PIX 525 firewall in my lab and I am practicing on it. I have connected two systems, one each to the inside and outside interfaces. I have configured 172.25.15.1 as the inside interface IP address and 172.25.30.1 as the outside IP address. I want the system which is connected to the inside interface to be able to ping the outside interface. I have configured the access-list as
(access-list 101 permit icmp any any)
(access-group 101 in interface outside). The inside network is NATed to the outside interface but still I am not able to ping the outside interface. Please can anyone help me in resolving this.
05-19-2007 09:17 AM
Generally inside users wouldn't be able to ping the outside interface of the PIX.
Use the following access-list to solve your problem.
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-group 101 in interface outside
Or if you are running 7.X include Inspect ICMP.
-Hoogen
Do rate if this post helps :)
06-01-2007 04:34 AM
Hi,
I have tried this and it works, but only if you add an entry to the inside interface like this
access-list InsideACL permit icmp host 10.0.0.1 any echo
otherwise 10.0.0.1 can't ping anything - is this correct?
Thanks
Ed
06-01-2007 10:41 AM
edw, yes, if you have an ACL on your inside interface then you would have to allow the traffic as well.
06-01-2007 04:02 PM
Hi,
So to confirm: if I have an internal machine, say 10.0.0.1, and I want to ping my outside machine, say 16.16.16.16,
then to do this from the inside I would need these ACLs...
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-group 101 in interface outside
access-list InsideACL permit icmp host 10.0.0.1 any echo
access-group InsideACL in interface inside
Thanks
Ed
03-28-2008 03:19 AM
Hi,
If I allow inspect ICMP - I still have to add the above entries into the ACL for the traffic to traverse - is this correct? The Cisco ICMP doc is pretty useless as it leads you to believe that this isn't necessary?
Thanks
Ed
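The "Inspect ICMP" option mentioned earlier in the thread, written out for 7.x as an added example that is not part of any poster's configuration. It reuses the thread's ACL names and the 10.0.0.1 host, assumes the default global_policy and inspection_default class are still present, and covers only echo and echo-reply.

```cisco
! Added example for PIX 7.x. Names and addresses are the ones used in the
! thread; the default global_policy is assumed to be unmodified.

! 1. Track ICMP echo as a session. The echo-reply that matches a request
!    sent from the inside is then allowed back in by the inspection engine,
!    so no "permit icmp any any echo-reply" entry is needed on the outside.
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global

! 2. Inspection does not override an ACL bound to the inside interface.
!    That ACL ends in an implicit deny, so the outbound echo request must
!    still be permitted explicitly.
access-list InsideACL permit icmp host 10.0.0.1 any echo
access-group InsideACL in interface inside

! 3. The outside ACL from the thread with the echo-reply line dropped.
!    The remaining entries are kept as posted; this example makes no claim
!    about how inspection treats those message types.
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-group 101 in interface outside
```

Lines beginning with `!` are comments. `show service-policy` lists the inspections active in the global policy, which confirms whether `inspect icmp` took effect.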
05-20-2007 01:44 AM
If you want to ping the outside interface
then you should write this command in configuration mode
pix(config)#icmp permit any outside
bye
06-01-2007 10:36 AM
According to the Cisco doc, pinging an interface on the far side is not possible, i.e. trying to ping the outside interface from a host on the inside. With that being said, I have seen the same config on 2 different firewalls and one allows it and the other doesn't.
Chad