Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
371
Views
0
Helpful
5
Replies

Unable to Ping

stefshuuj
Level 1
Level 1

‎01-14-2008 01:46 AM - edited ‎03-11-2019 04:47 AM

Hi All,

I'm a Cisco Newbie. We recently had a PIX 515e installed.

Since the install I can now no longer Ping from my local workstation to the outside world, nor can I perform a tracert.

I have permitted icmp from any to any and still nothing.

Any advice would be greatly appreciated.

Thanks in advance

Stephen

I can however ping the outside world from my firewall ssh session.

Labels:
0 Helpful
5 Replies 5

massimiliano.serafino
Level 4
Level 4

‎01-14-2008 02:58 AM

Hi,

Have you implemented NAT?

For information view: http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/cfgnat.html

I hope this helps.

Best regards.

Massimiliano.

0 Helpful

lrh
Level 1
Level 1

‎01-17-2008 11:21 AM

I had the same problem on ASA boxes. I solved this by enabling inspection on the ICMP & ICMP Error.

\Lars

0 Helpful

JORGE RODRIGUEZ
Level 10
Level 10

‎01-17-2008 11:50 AM

Stephen, please refer to this link to understand how ICMP and trace route is handle by PIX and ASA , configure security applience accordingly to be able to conduct icmp and trace from inside out.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

Rgds

Jorge

Jorge Rodriguez
0 Helpful

stefshuuj
Level 1
Level 1
In response to JORGE RODRIGUEZ

‎01-17-2008 03:56 PM

Thanks all. I managed to fix it by using

• access-list ping_acl permit ip any any

• access-group ping_acl in interface outside

0 Helpful

srue
Level 7
Level 7
In response to stefshuuj

‎01-17-2008 04:31 PM

"permit ip any any" negates your firewall entirely. you may have 'fixed' icmp, but you 'broke' your firewall. Please read the aforementioned links immediately to remedy this.

If you told us what version OS you have we might be able to suggest something specific.

You could also delete your current ACL and just allow "icmp any any echo-reply"

In addition to gorge's link, also read this one on traceroute: http://www.cisco.com/warp/public/105/traceroute.shtml

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card