04-04-2008 04:35 AM - edited 03-11-2019 05:27 AM
Hi,
With ICMP inspection turned off, "access-list inside permit ip any any" on the inside interface (access-group inside in interface inside) and "access-list outside permit icmp any any echo" on the outside interface (access-group outside in interface outside), will I be able to successfully ping an inside host from an outside host?
And with the same configuration, will I be able to ping an outside host from an inside host, or will I need to add "permit icmp any any echo-reply" on the outside interface in the inbound direction for the return echo-reply to pass through the firewall?
How will the above configuration be different if ICMP inspection is turned on?
Thanks,
Vikram
04-04-2008 05:02 AM
Yes, you will be able to ping through. Make sure you don't have the outside interface used for PAT.
04-04-2008 05:09 AM
Thanks for the reply, but will I be able to ping from an inside host to an outside host without adding "access-list outside permit icmp any any echo-reply"?
And what config changes will I need to make if I turn on ICMP inspection?
04-04-2008 05:33 AM
You will either need to specifically allow echo-replies, or all ICMP traffic, to ping from inside to outside.
You may even need to allow echoes on the inside ACL, or disable that ACL altogether since it's permitting ip any any anyway.
04-04-2008 07:34 AM
Thanks srue,
it answers my question.
04-19-2008 02:01 AM
Got one more question relating to ICMP: with ICMP inspection enabled, when pinging from an outside host to an inside host or from an inside host to an outside host, is it required to explicitly permit the return ICMP traffic?
04-26-2008 02:15 PM
Then you don't need to do that, as fixup or inspect commands basically open the path for the return traffic. That's their job. These commands come into effect when there is any traffic "through" the firewall. Same is the case for active FTP. If ip inspect ftp is specified you don't have to put an ACE for ftp-data. It's not required then.
Raman
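Added example, not from the thread and not Cisco code: a small Python model of the behaviour the two answers describe. Without ICMP inspection the firewall treats each ICMP packet on its own, so an echo-reply arriving on the outside interface must match an ACE on the outside ACL; with inspection, the permitted echo creates a connection entry and the matching reply is forwarded without an ACE. The interface names, addresses, ACL encoding and the rule that an unmatched reply falls back to the interface ACL are assumptions of this model, not documented ASA behaviour.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class IcmpPacket:
    ingress: str      # interface the packet arrives on: "inside" or "outside"
    src: str
    dst: str
    icmp_type: str    # "echo" or "echo-reply"
    ident: int        # ICMP identifier, used to pair a reply with its request
    seq: int          # ICMP sequence number


# An ACE is a (protocol, icmp_type) tuple (model encoding, not ASA syntax):
#   ("ip", None)          ~ permit ip any any
#   ("icmp", "echo")      ~ permit icmp any any echo
#   ("icmp", None)        ~ permit icmp any any
@dataclass
class Firewall:
    acls: dict               # interface name -> inbound ACL (list of ACEs)
    inspect_icmp: bool       # models "inspect icmp" in the global policy
    conns: set = field(default_factory=set)   # outstanding echo requests

    def _acl_permits(self, pkt):
        for proto, itype in self.acls.get(pkt.ingress, []):
            if proto == "ip" or itype is None or itype == pkt.icmp_type:
                return True
        return False          # implicit deny at the end of every ACL

    def process(self, pkt):
        """Return True if the firewall forwards the packet."""
        if self.inspect_icmp and pkt.icmp_type == "echo-reply":
            key = (pkt.dst, pkt.src, pkt.ident, pkt.seq)   # reverse of the request
            if key in self.conns:
                self.conns.discard(key)   # one reply per request; entry torn down
                return True               # return traffic of an inspected echo
            # Unmatched reply: fall back to the interface ACL (model assumption).
        permitted = self._acl_permits(pkt)
        if permitted and self.inspect_icmp and pkt.icmp_type == "echo":
            # Inspection records the request so the reply can be matched later.
            self.conns.add((pkt.src, pkt.dst, pkt.ident, pkt.seq))
        return permitted


def ping(fw, from_if, src, dst, ident=1, seq=1):
    """Simulate one echo request and its reply; return (request_ok, reply_ok)."""
    reply_if = "outside" if from_if == "inside" else "inside"
    req_ok = fw.process(IcmpPacket(from_if, src, dst, "echo", ident, seq))
    if not req_ok:
        return (False, False)
    rep_ok = fw.process(IcmpPacket(reply_if, dst, src, "echo-reply", ident, seq))
    return (req_ok, rep_ok)


# ACLs as described in the question: inside permits ip any any, outside permits only echo.
THREAD_ACLS = {"inside": [("ip", None)], "outside": [("icmp", "echo")]}
# Same, plus the echo-reply ACE srue suggested for the no-inspection case.
ACLS_WITH_REPLY = {"inside": [("ip", None)],
                   "outside": [("icmp", "echo"), ("icmp", "echo-reply")]}


def scenarios():
    """Run the cases discussed in the thread with constructed addresses."""
    inside_host, outside_host = "10.0.0.5", "203.0.113.9"
    results = {}
    fw = Firewall(dict(THREAD_ACLS), inspect_icmp=False)
    results["no-inspect, outside->inside"] = ping(fw, "outside", outside_host, inside_host)
    results["no-inspect, inside->outside"] = ping(fw, "inside", inside_host, outside_host)
    fw = Firewall(dict(ACLS_WITH_REPLY), inspect_icmp=False)
    results["no-inspect + echo-reply ACE, inside->outside"] = ping(fw, "inside", inside_host, outside_host)
    fw = Firewall(dict(THREAD_ACLS), inspect_icmp=True)
    results["inspect, inside->outside"] = ping(fw, "inside", inside_host, outside_host)
    results["inspect, outside->inside"] = ping(fw, "outside", outside_host, inside_host)
    return results


if __name__ == "__main__":
    for case, (req, rep) in scenarios().items():
        print(f"{case:48s} request={'pass' if req else 'drop'}  reply={'pass' if rep else 'drop'}")
```

Running it shows the inside-to-outside ping failing only in the no-inspection case without the echo-reply ACE, which is the situation the original question was asking about; with inspection on, the reply is tied to the recorded request rather than to an ACL line.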