Access List for ICMP traffic to server on DMZ

Answered Question
Jan 29th, 2008

If I had a server on the DMZ with a static NAT, could someone give me a rough example of what the access list line would look like on the firewall AND outside router if I wanted to allow anyone from the Internet to ping it and have it reply?

Correct Answer by m.sir about 8 years 10 months ago

Generally, from the Internet to the DMZ you need to permit ICMP echo (ping), and from the DMZ to the Internet you need to permit ICMP echo-reply (ping response).

On firewall

access-list out_dmz permit icmp any host Public_IP_of_server echo

access-list dmz_out permit icmp host private_IP_of_server any echo-reply

On the router it should be similar: in the direction public - private, echo; in the direction private - public, echo-reply.

m.sir Tue, 01/29/2008 - 07:46

thomas.reiling Tue, 01/29/2008 - 12:37

I'm not sure I understand the placement of the firewall access-lists since there is the outside interface and the dmz interface where the server resides. Can you explain that better? Thank you.
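
The two firewall lines from the answer, evaluated first-match with the implicit deny that ends every access list, as an added example that is not part of the thread. It assumes out_dmz is bound inbound on the outside interface and dmz_out inbound on the DMZ interface (the thread does not state the binding); the addresses and the `parse_ace` and `evaluate` helpers are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed placeholder addresses (documentation/private ranges), not from the thread.
PUBLIC_IP = "203.0.113.10"    # stands in for Public_IP_of_server
PRIVATE_IP = "192.168.50.10"  # stands in for private_IP_of_server

# The answer's two lines, without the "access-list <name>" prefix.
ACLS = {
    "out_dmz": [f"permit icmp any host {PUBLIC_IP} echo"],
    "dmz_out": [f"permit icmp host {PRIVATE_IP} any echo-reply"],
}
# Assumption: each ACL filters packets entering the named interface.
BINDINGS = {"outside": "out_dmz", "dmz": "dmz_out"}

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    icmp_type: str = ""

def _take_addr(tokens):
    """Consume 'any' or 'host A.B.C.D'; an address of None matches anything."""
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    raise ValueError(f"unsupported address spec: {tokens[0]}")

def parse_ace(line):
    """Split one ACL entry into (action, proto, src, dst, icmp_type)."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src, rest = _take_addr(rest)
    dst, rest = _take_addr(rest)
    return action, proto, src, dst, (rest[0] if rest else None)

def evaluate(interface, pkt):
    """Return 'permit' or 'deny' for a packet arriving on an interface."""
    for line in ACLS[BINDINGS[interface]]:
        action, proto, src, dst, icmp_type = parse_ace(line)
        if (proto == pkt.proto and src in (None, pkt.src)
                and dst in (None, pkt.dst)
                and icmp_type in (None, pkt.icmp_type)):
            return action  # first matching entry wins
    return "deny"  # implicit deny at the end of every access list

if __name__ == "__main__":
    # Server-originated ping entering the DMZ interface: no entry matches.
    print(evaluate("dmz", Packet("icmp", PRIVATE_IP, "198.51.100.7", "echo")))
```

Under these assumptions, a dmz_out list that holds only the echo-reply line also drops every other packet the server sends, so any other traffic the server must originate needs its own permit line.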
