Return Ping Packets blocked by Pix Firewall

Answered Question
Aug 30th, 2010

Hi Guys,

I have a rule from inside interface (security 100) to ping a server on a DMZ interface (secuirty 40). But I dont have the same rule other way around (from dmz to inside). When I do a ping the return ping packet from DMZ interface is dropped by the firewall.

Any idea why? Do I really need a rule for return ping traffic as well.

Tks

I have this problem too.
0 votes
Correct Answer by Nagaraja Thanthry about 6 years 3 months ago

Hello,

What code version you are running? With ICMP packet in each direction is

treated as a separate flow. If you have not enabled ICMP inspection (or icmp

fixup) then the firewall will drop the return icmp traffic. In that case,

you need to exclusively allow return ICMP traffic through access-lists.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note...

6a0080094e8a.shtml

Hope this helps.

Regards,

NT

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Correct Answer
Nagaraja Thanthry Mon, 08/30/2010 - 18:03

Hello,

What code version you are running? With ICMP packet in each direction is

treated as a separate flow. If you have not enabled ICMP inspection (or icmp

fixup) then the firewall will drop the return icmp traffic. In that case,

you need to exclusively allow return ICMP traffic through access-lists.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note...

6a0080094e8a.shtml

Hope this helps.

Regards,

NT

Actions

This Discussion