icmp, ip

srue Thu, 08/16/2007 - 17:49

It depends on what you're talking about - as in what kind of device. With PIX/ASA you have to explicitly allow icmp. And even more specifically, in PIX/ASA, you have to allow echo and echo-reply for pings in/out. Or in 7.x, enable icmp inspection.

Jon Marshall Thu, 08/16/2007 - 17:55

Hi Steven

If you allow ip it will include icmp, at least in pix v6.x. I haven't got an ASA device handy to test but I believe it's the same unless it has radically changed with v7.x.

To ping the actual interfaces of the pix/ASA you need to explicitly permit icmp.


srue Thu, 08/16/2007 - 18:50

Things have changed with 7.x, pix and asa. For example, for an inside host to successfully ping an outside host, you have to explicitly have 'permit icmp any any echo-reply' (or something like that) to allow the reply back in. To ping from an outside host to inside, you have to 'permit icmp any any echo' on the inbound acl - and permit echo-replies for any egress acls. You could also enable icmp inspection which will treat all icmp connections as two way - versus the default of one way (hence the extraneous acl configs).

Pinging a pix/asa interface in 7.x is enabled by default, but you can further manipulate this using the 'icmp' command.

...and don't even get me started with allowing traceroutes through the pix/asa. (:
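As an added illustration (not quoted from any post in this thread), this is what the two approaches srue describes look like as ASA 7.x configuration: stateless per-direction ACL entries versus turning on icmp inspection, plus the 'icmp' command for the firewall's own interface. The interface names, ACL name and 192.0.2.0/24 management range are made-up placeholders.

```cisco
! --- Approach 1: stateless ACLs (no icmp inspection) ---
! Inside hosts ping outward; the echo-reply must be let back in on the
! outside interface because, without inspection, ICMP is tracked one way.
access-list outside_in extended permit icmp any any echo-reply
! Outside hosts pinging inside need the echo allowed inbound as well.
access-list outside_in extended permit icmp any any echo
access-group outside_in in interface outside
! Any ACL applied on the inside interface must likewise pass the
! echo-replies for those inbound pings.
access-list inside_in extended permit icmp any any echo-reply
access-list inside_in extended permit ip any any
access-group inside_in in interface inside

! --- Approach 2: icmp inspection makes echo/echo-reply a two-way "connection" ---
! With this in place the echo-reply entries above are no longer required;
! only the direction that originates the ping needs an ACL entry.
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global

! --- Pinging the ASA interface itself (the 'icmp' command) ---
! Interface pings are allowed by default; restrict them to a management
! range (placeholder 192.0.2.0/24) and drop everything else on outside.
icmp permit 192.0.2.0 255.255.255.0 echo outside
icmp deny any outside
```

Check the result with `show service-policy inspect icmp` and `show icmp` on the box; the inspection counters confirm that replies are being matched to their echo rather than relying on the ACL.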

Jon Marshall Thu, 08/16/2007 - 19:46


Thanks for this. I really need to get more time with v7.x, especially as there is now a v8.x! Most of our stuff is still running 6.x or FWSM v2.x.

Much appreciated - posting rated