Access List for ICMP traffic to server on DMZ

Jan 29th, 2008

If I had a server on the DMZ with a static NAT, could someone give me a rough example of what the access list line would look like on the firewall AND outside router if I wanted to allow anyone from the Internet to ping it and have it reply?

Correct Answer
m.sir Tue, 01/29/2008 - 07:46

Generally, from Internet to DMZ you need to permit ICMP echo (ping), and from DMZ to Internet you need to permit ICMP echo-reply (ping response).

On firewall

access-list out_dmz permit icmp any host Public_IP_of_server echo


access-list dmz_out permit icmp host private_IP_of_server any echo-reply


On the router it should be similar: in the direction public - private, echo; in the direction private - public, echo-reply.
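
How the answer's two firewall entries bind to interfaces, with the matching router entries, as an added example that is not part of m.sir's post. Assumed or constructed here: pre-8.3 PIX/ASA syntax, the interface names outside and dmz, the router interface names and ACL numbers 101/102, and the addresses 192.0.2.10 (public) and 10.1.1.10 (private).

```cisco
! --- Firewall (PIX/ASA, pre-8.3 syntax assumed) ---
! Static NAT: DMZ host 10.1.1.10 is published as 192.0.2.10 (constructed addresses)
static (dmz,outside) 192.0.2.10 10.1.1.10 netmask 255.255.255.255
!
! Inbound from the Internet: matched against the public (translated) address
access-list out_dmz permit icmp any host 192.0.2.10 echo
access-group out_dmz in interface outside
!
! Leaving the DMZ: matched against the private (real) address
access-list dmz_out permit icmp host 10.1.1.10 any echo-reply
access-group dmz_out in interface dmz
!
! --- Outside router (IOS); NAT happens on the firewall, so only 192.0.2.10 is seen ---
access-list 101 permit icmp any host 192.0.2.10 echo
access-list 102 permit icmp host 192.0.2.10 any echo-reply
!
interface Serial0/0
 description Internet-facing (interface name assumed)
 ip access-group 101 in
!
interface FastEthernet0/0
 description Link to firewall outside (interface name assumed)
 ip access-group 102 in
```

Every access list ends with an implicit deny, so these entries belong inside the lists already applied to those interfaces rather than standing as the only lines.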



thomas.reiling Tue, 01/29/2008 - 12:37

I'm not sure I understand the placement of the firewall access-lists since there is the outside interface and the dmz interface where the server resides. Can you explain that better? Thank you.
