Unable to Ping from an Inside Host to DMZ Webservers

Jan 8th, 2008

icmp deny any outside

icmp permit any inside

icmp permit any dmz

The above statements are configured on my PIX.

Is there anything else I need to enable Ping from my PC to a web server on the DMZ?

gfullage Tue, 01/08/2008 - 19:51

The "icmp" commands only affect traffic TO the PIX itself, not THROUGH it. By default the PIX will only open holes for return traffic for TCP/UDP based traffic, not ICMP. To get it to allow your return ICMP packets back in you have to turn on ICMP inspection. Use the:

inspect icmp

inspect icmp error

under your global service-policy.
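
The placement described in the reply above, shown as an added example that is not part of the original thread. It assumes PIX software 7.x or later with the default policy map `global_policy` and default class `inspection_default` still in place; if the running configuration uses other names, substitute them.

```cisco
! Added example: assumes the default names global_policy / inspection_default.
! Check what is currently applied before changing anything.
show running-config policy-map
show running-config service-policy

configure terminal
 policy-map global_policy
  class inspection_default
   ! Track echo request/reply pairs so replies to inside hosts are allowed back
   inspect icmp
   ! Also handle ICMP error messages that relate to tracked sessions
   inspect icmp error
  exit
 exit
 ! Normally already present; this binds the policy map globally
 service-policy global_policy global
end

! Confirm the inspection is active and counting packets
show service-policy
```

The `icmp permit` and `icmp deny` lines from the question stay as they are: they govern ICMP addressed to the PIX interfaces themselves, so the existing `icmp deny any outside` continues to apply to the outside interface.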

