PIX - ping to inside interface from DMZ?

Mar 22nd, 2010

hi experts,


Is it possible to ping the inside interface of the PIX firewall from the DMZ or from outside? If yes, what configuration needs to be done on it?


Please help.

rajesh

Correct Answer by Jennifer Halim about 7 years 2 months ago

No, you can only ping from the directly connected interface, i.e. from outside you can only ping the outside interface, from the DMZ you can only ping the DMZ interface, etc.


If you are connecting via VPN on the outside interface, you can configure "management-access inside" to be able to ping the inside interface.

However, you can only configure one management-access line, not multiple lines. Therefore you would need to choose which interface you would like to ping when you VPN in.


Here is the command for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/m.html#wp1987122


Hope that helps.
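An added configuration example, not from Jennifer's answer or from Cisco's documentation, showing both points above: the "icmp" command controls which adjacent networks may ping each interface from its own side, and "management-access inside" is the single exception that lets remote-access VPN users reach the inside interface across the box. Interface addresses are the ones rajesh posts later in the thread; the VPN pool 10.10.10.0/24 and the ACL name NONAT are assumptions. Syntax is PIX 7.x / ASA 8.0 era (pre-8.3 NAT).

```text
! Added example (editor's, not from the thread). Addresses from rajesh's post:
!   outside 172.16.1.1, dmz 192.168.1.1, inside 10.0.0.1
! VPN pool and ACL name are assumptions for illustration.
!
! ICMP addressed to the firewall's own interfaces is governed by "icmp"
! commands, evaluated first-match. With no icmp entries at all, ICMP to
! the interfaces is permitted, so "icmp permit any <if>" adds nothing.
! Permit echo only from the directly connected network and deny the rest.
icmp permit 10.0.0.0 255.255.255.0 echo inside
icmp deny any inside
icmp permit 192.168.1.0 255.255.255.0 echo dmz
icmp deny any dmz
! Keep type 3 (unreachable) on outside so path-MTU discovery still works
! for VPN peers; drop everything else aimed at the outside address.
icmp permit any unreachable outside
icmp deny any outside
!
! The one exception: a remote-access VPN terminating on outside may
! ping/ssh/snmp the inside interface once this is set. Only one
! interface can be named; a second "management-access" replaces it.
management-access inside
!
! VPN client pool (assumption) and NAT exemption so pool <-> inside
! traffic is not translated; permit-vpn bypasses the outside ACL for
! decrypted tunnel traffic.
ip local pool VPN_POOL 10.10.10.1-10.10.10.50 mask 255.255.255.0
access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list NONAT
sysopt connection permit-vpn
```

Note that even with management-access, a host on the DMZ segment still cannot ping 10.0.0.1: the command applies only to traffic arriving through a VPN tunnel, which is exactly the limitation Jennifer describes.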

sean_evershed Tue, 03/23/2010 - 02:43

Hi,


This link will help


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#topic2


It states the following:

Pings Inbound


Pings initiated from the outside, or another low security interface of the PIX, are denied by default. The pings can be allowed by the use of static and access lists or access lists alone.
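The tech note quoted above is about pings passing through the firewall to a host behind it, which is a different case from pinging the firewall's own interface. As an added example (editor's, not from the thread or the Cisco note), here is the static-plus-ACL arrangement it describes, letting outside hosts ping one DMZ server. Interface addresses are the ones rajesh posts below; the DMZ host 192.168.1.10, its public address 172.16.1.10 and the ACL name are assumptions. PIX 7.x / ASA syntax.

```text
! Added example (editor's). DMZ host 192.168.1.10, public address
! 172.16.1.10 and ACL name OUTSIDE_IN are assumptions.
!
! 1) Static translation so the DMZ host has a reachable address on the
!    lower-security outside interface.
static (dmz,outside) 172.16.1.10 192.168.1.10 netmask 255.255.255.255
!
! 2) Inbound ACL: permit echo requests to that one host and nothing
!    else. "permit ip any any" applied inbound on outside, as in the
!    config further down the thread, exposes every translated host and
!    port, not just ICMP.
access-list OUTSIDE_IN extended permit icmp any host 172.16.1.10 echo
access-group OUTSIDE_IN in interface outside
!
! 3) ICMP inspection tracks each request so the echo-reply is returned
!    without a separate echo-reply ACL entry, and stray replies with no
!    matching request are dropped.
policy-map global_policy
 class inspection_default
  inspect icmp
```

The same pattern applies from the DMZ toward the inside network: a static (inside,dmz) entry plus an ACL applied inbound on dmz. None of it makes the inside interface address itself answer from the DMZ side.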

Sec IT Tue, 03/23/2010 - 03:42

Hi,


thanks for your reply...


My intention is to ping the INSIDE INTERFACE from any other DMZ/outside network!


Please check and let me know.

rajesh

Sec IT Tue, 03/23/2010 - 04:35

! interfaces
ethernet 0 outside -> 172.16.1.1
ethernet 2 dmz -> 192.168.1.1
ethernet 1 inside -> 10.0.0.1
!
! ICMP to the firewall's own interfaces
icmp permit any inside
icmp permit any outside
icmp permit any dmz
!
! through-traffic ACL, applied inbound on all three interfaces
access-list 101 permit ip any any
access-group 101 in interface inside
access-group 101 in interface outside
access-group 101 in interface dmz

r3linquish3d Tue, 03/23/2010 - 04:42

I don't know the security level of the interfaces. So set the security-level to 100 for the inside and DMZ interfaces.


security-level 100


same-security-traffic permit intra-interface


access-group 101 out interface dmz
