Ping outside interface of firewall from inside

Unanswered Question
Feb 12th, 2009
This is probably a really simple one but can you ping the outside interface of a PIX/ASA from the inside network?

It seems to be blocked or disallowed by default, but does anyone know how to get around this?


Tshi M Thu, 02/12/2009 - 04:31
User Badges:
  • Silver, 250 points or more

I doubt it is feasible.

Mo'ath Al Rawashdeh Thu, 02/12/2009 - 06:03
User Badges:
  • Bronze, 100 points or more

There are two options in PIX 7.x that allow inside users to ping outside. The first option is to setup a specific rule for each type of echo message. For example:

access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-group 101 in interface outside

This allows only these return messages through the firewall when an inside user pings to an outside host. The other types of ICMP status messages might be hostile and the firewall blocks all other ICMP messages.

Another option is to configure icmp inspection. This allows a trusted IP address to traverse the firewall and allows replies back to the trusted address only. This way, all inside interfaces can ping outside and the firewall allows the replies to return. This also gives you the advantage of monitoring the ICMP traffic that traverses the firewall.

For example:

policy-map global_policy
 class inspection_default
  inspect icmp
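As an added example (not from this thread and not Cisco code), here is a small Python checker that reads ACL lines in the form used above and reports what ICMP an outside-interface ACL admits: it flags a blanket `permit icmp` with no type (which would also let in echo requests and other ICMP initiated from outside), flags permitted types that are not replies to inside-originated traffic, and notes when the four return types are neither permitted nor covered by `inspect icmp`. The regex, the sample configs and the finding texts are constructed for this example; the regex covers the `any`, `host A.B.C.D` and `NET MASK` address forms only, not the full ASA ACL grammar.

```python
import re

# ICMP message types that come back in reply to traffic originated from inside;
# these are the four that access-list 101 in the post above permits.
RETURN_TYPES = frozenset({"echo-reply", "source-quench", "unreachable", "time-exceeded"})

# One ACE: "access-list NAME [extended] permit|deny icmp SRC DST [TYPE]".
# SRC/DST may be "any", "host A.B.C.D" or "NET MASK". Constructed for this
# example; it does not cover every form the ASA accepts.
_ADDR = r"(?:any|host\s+\S+|\S+\s+\S+)"
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?:extended\s+)?(?P<action>permit|deny)\s+icmp\s+"
    rf"(?P<src>{_ADDR})\s+(?P<dst>{_ADDR})(?:\s+(?P<type>[a-z-]+|\d+))?\s*$"
)


def parse_icmp_aces(config):
    """Return the ICMP access-list entries found in config text, in order."""
    aces = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            aces.append(m.groupdict())
    return aces


def icmp_inspection_enabled(config):
    """True if the config carries 'inspect icmp' (the second option in the post)."""
    return any(line.strip() == "inspect icmp" for line in config.splitlines())


def audit_icmp_return_policy(config):
    """Audit the ICMP permits of an outside-facing ACL.

    Returns (permitted_types, findings): the set of ICMP types explicitly
    permitted, and a list of reviewer findings. A finding is raised for a
    blanket ICMP permit (no type), for a permitted type that is not a reply to
    inside-originated traffic, and for return types that are neither permitted
    by the ACL nor handled by ICMP inspection.
    """
    permitted = set()
    findings = []
    for ace in parse_icmp_aces(config):
        if ace["action"] != "permit":
            continue
        if ace["type"] is None:
            findings.append(
                f"{ace['name']}: 'permit icmp {ace['src']} {ace['dst']}' has no type, "
                "so it also admits echo requests and other ICMP initiated from outside"
            )
            continue
        permitted.add(ace["type"])
        if ace["type"] not in RETURN_TYPES:
            findings.append(
                f"{ace['name']}: permits '{ace['type']}', which is not a reply "
                "to traffic originated from inside"
            )
    missing = RETURN_TYPES - permitted
    if missing and not icmp_inspection_enabled(config):
        findings.append(
            "return traffic not covered: " + ", ".join(sorted(missing))
            + " (neither permitted by the ACL nor handled by 'inspect icmp')"
        )
    return permitted, findings


# Constructed sample configs for the four cases a reviewer meets most often.
STRICT_ACL = """\
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-group 101 in interface outside
"""

BLANKET_ACL = """\
access-list 101 extended permit icmp any any
access-group 101 in interface outside
"""

ECHO_ACL = """\
access-list 101 permit icmp any any echo
access-group 101 in interface outside
"""

INSPECT_ONLY = """\
policy-map global_policy
 class inspection_default
  inspect icmp
"""

if __name__ == "__main__":
    for label, cfg in [("strict", STRICT_ACL), ("blanket", BLANKET_ACL),
                       ("echo", ECHO_ACL), ("inspect-only", INSPECT_ONLY)]:
        permitted, findings = audit_icmp_return_policy(cfg)
        print(f"{label}: permitted={sorted(permitted)}")
        for f in findings:
            print("  -", f)
```

Running it shows the strict ACL from the post with no findings, the blanket permit flagged twice (too broad, and the return types only reachable through that broad rule), `permit icmp any any echo` flagged as admitting outside-initiated echo requests, and the inspection-only config clean because `inspect icmp` lets the replies back without any ACL entry.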

mikedelafield Thu, 02/12/2009 - 09:04

I personally didn't think this was possible to be honest, but I have been asked to investigate.

I follow what you are saying on access-lists, but I'm not sure on which interface to apply these to and how exactly the routing is expected to work?

Any thoughts anyone?

Mo'ath Al Rawashdeh Fri, 02/13/2009 - 00:58
User Badges:
  • Bronze, 100 points or more

Hi Mike,

You are right, it's not possible. My post above allows you to ping any IP in the outside, but not the outside interface itself.
