PIX: ping to inside interface from DMZs?

Answered Question
Mar 22nd, 2010

Hi experts,

Is it possible to ping the inside interface of the PIX firewall from the DMZ or outside? If yes, what configuration needs to be done on it?

Please help.

rajesh

Sec IT Tue, 03/23/2010 - 03:42

Hi,

Thanks for your reply.

My intention is to ping the INSIDE INTERFACE from any other DMZ/outside network!

Please check and let me know.

rajesh

Sec IT Tue, 03/23/2010 - 04:35

ethernet 0 outside -> 172.16.1.1

ethernet 2 dmz -> 192.168.1.1

ethernet 1 inside -> 10.0.0.1

icmp permit any inside

icmp permit any outside

icmp permit any dmz

access-list 101 permit ip any any

access-group 101 in interface inside

access-group 101 in interface outside

access-group 101 in interface dmz

r3linquish3d Tue, 03/23/2010 - 04:42

I don't know the security level of the interfaces, so set the security-level to 100 for the inside and dmz interfaces.

security-level 100

same-security-traffic permit intra-interface

access-group 101 out interface dmz

Correct Answer
Jennifer Halim Tue, 03/23/2010 - 04:44

No, you can only ping from a directly connected interface, i.e. from outside you can only ping the outside interface, from dmz you can only ping the dmz interface, etc.

If you are connecting via VPN on the outside interface, you can configure "management-access inside" to be able to ping the inside interface.

However, you can only configure 1 management-access line, not multiple lines. Therefore you would need to choose which interface you would like to ping when you VPN in.

Here is the command for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/m.html#wp1987122

Hope that helps.
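The rule in this answer as a small model, added here as an example and not code from the thread or from Cisco: it reads `icmp` and `management-access` lines and reports which firewall addresses a host can ping. Assumptions: the function names are made up for illustration, `icmp` lists are first match with an implicit deny, an interface with no list accepts ICMP, and the VPN case does not model `icmp` lists.

```python
import ipaddress

# Interface addresses and icmp lines as posted in the thread.
INTERFACES = {"outside": "172.16.1.1", "dmz": "192.168.1.1", "inside": "10.0.0.1"}
THREAD_CONFIG = "icmp permit any inside\nicmp permit any outside\nicmp permit any dmz\n"

def parse(config):
    """Return ({interface: [(action, network)]}, management-access interface or None)."""
    rules, mgmt = {}, None
    for line in config.splitlines():
        tok = line.split()
        if len(tok) >= 4 and tok[0] == "icmp" and tok[1] in ("permit", "deny"):
            if tok[2] == "any":
                net, rest = ipaddress.ip_network("0.0.0.0/0"), tok[3:-1]
            elif tok[2] == "host":
                net, rest = ipaddress.ip_network(tok[3] + "/32"), tok[4:-1]
            else:
                net, rest = ipaddress.ip_network(f"{tok[2]}/{tok[3]}"), tok[4:-1]
            rules.setdefault(tok[-1], [])      # any icmp line activates the implicit deny
            if not rest or rest[0] == "echo":  # keep only rules that cover echo requests
                rules[tok[-1]].append((tok[1], net))
        elif len(tok) == 2 and tok[0] == "management-access":
            mgmt = tok[1]                      # single-valued: the last line seen wins
    return rules, mgmt

def can_ping(src_ip, ingress_if, target_if, config=THREAD_CONFIG, via_vpn=False):
    """True if a host arriving on ingress_if may ping the firewall's target_if address."""
    rules, mgmt = parse(config)
    if target_if != ingress_if:
        # Far-side interface: only over a VPN tunnel, and only the one
        # interface named by management-access (icmp lists not modelled here).
        return via_vpn and target_if == mgmt
    if_rules = rules.get(target_if)
    if if_rules is None:
        return True                            # no icmp list on this interface
    src = ipaddress.ip_address(src_ip)
    for action, net in if_rules:               # first match wins
        if src in net:
            return action == "permit"
    return False                               # implicit deny after the list

def pingable_addresses(src_ip, ingress_if, config=THREAD_CONFIG, via_vpn=False):
    """Firewall interface addresses the host can ping under this model."""
    return [ip for name, ip in INTERFACES.items()
            if can_ping(src_ip, ingress_if, name, config, via_vpn)]
```

With the thread's configuration a DMZ host gets only `192.168.1.1` back, whatever the ACLs and security levels say; replacing `icmp permit any inside` with a network and mask limits who can ping the inside address from the inside network.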
