Return Ping Packets blocked by Pix Firewall

Answered Question
Aug 30th, 2010

Hi Guys,

I have a rule from the inside interface (security 100) to ping a server on a DMZ interface (security 40), but I don't have the same rule the other way around (from DMZ to inside). When I do a ping, the return ping packet from the DMZ interface is dropped by the firewall.

Any idea why? Do I really need a rule for the return ping traffic as well?

Tks

Correct Answer by Nagaraja Thanthry (Cisco Employee), Mon, 08/30/2010 - 18:03

Hello,

What code version are you running? With ICMP, the packet in each direction is treated as a separate flow. If you have not enabled ICMP inspection (or ICMP fixup), then the firewall will drop the return ICMP traffic. In that case, you need to explicitly allow return ICMP traffic through access-lists.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note...
6a0080094e8a.shtml

Hope this helps.

Regards,

NT
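The two options NT describes, written out as an added configuration example (this is not from the original thread or from Cisco's documentation). Interface name, ACL name and addresses are constructed placeholders, and the policy-map syntax is the PIX/ASA 7.x-and-later form:

```cisco
! Option A (PIX/ASA 7.x and later): enable stateful ICMP inspection.
! The echo-reply is then matched to the echo-request's flow and crosses
! the DMZ -> inside boundary without any return ACL.
policy-map global_policy
 class inspection_default
  inspect icmp
!
service-policy global_policy global
!
! Option B (any code, including versions without stateful ICMP): permit
! the reply explicitly on the DMZ interface.
! Assumed (constructed): inside host 10.1.1.10, DMZ server 192.168.40.5,
! DMZ interface named "dmz".
access-list dmz_in permit icmp host 192.168.40.5 host 10.1.1.10 echo-reply
!
! Caveat: binding an ACL to "dmz" replaces the implicit permit for traffic
! from the DMZ to lower-security interfaces, so re-state anything the DMZ
! server still needs (here, assumed outbound web access); everything else
! from the DMZ is now dropped by the ACL's implicit deny.
access-list dmz_in permit tcp host 192.168.40.5 any eq www
access-group dmz_in in interface dmz
!
! Verify: with Option A, "show conn" lists the ICMP session while the ping
! runs; with Option B, "show access-list dmz_in" shows the hit count on the
! echo-reply line increasing. A reply still being dropped shows up as a
! deny message in the syslog.
```

Option B limits the return path to echo-reply from the one server to the one host, which is the narrowest rule that makes the ping work; Option A is simpler but opens the reply path for every ICMP flow the inside is allowed to initiate.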

