Access List for ICMP traffic to server on DMZ

thomas.reiling
Level 1

If I had a server on the DMZ with a static NAT, could someone give me a rough example of what the access list line would look like on the firewall AND outside router if I wanted to allow anyone from the Internet to ping it and have it reply?

Accepted Solutions

m.sir
Level 7

Generally, from Internet to DMZ you need to permit ICMP echo (ping), and from DMZ to Internet you need to permit ICMP echo-reply (ping response).

On firewall

access-list out_dmz permit icmp any host Public_IP_of_server echo

access-list dmz_out permit icmp host private_IP_of_server any echo-reply

On the router it should be similar: in the direction public - private, echo; in the direction private - public, echo-reply.

2 Replies

I'm not sure I understand the placement of the firewall access-lists since there is the outside interface and the dmz interface where the server resides. Can you explain that better? Thank you.
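
The following is an added example, not part of any post in this thread: it shows the two access lists from the accepted solution bound to interfaces, together with a matching pair on the outside router. The interface names (outside, dmz, Serial0/0, FastEthernet0/0), the router ACL numbers 110 and 111, the pre-8.3 PIX/ASA `static` syntax, and the assumption that NAT is done on the firewall (so the router only ever sees the public address) are not from the thread.

```cisco
! ---- Firewall (PIX/ASA pre-8.3 style; interface names are assumed) ----
! Static NAT for the DMZ server, as in the question's premise
static (dmz,outside) Public_IP_of_server private_IP_of_server netmask 255.255.255.255

! Echo requests arrive on the outside interface still addressed to the
! public IP, so that ACL matches the public address.
access-list out_dmz permit icmp any host Public_IP_of_server echo
access-group out_dmz in interface outside

! Echo replies enter the firewall on the dmz interface before translation,
! so that ACL matches the server's private address.
access-list dmz_out permit icmp host private_IP_of_server any echo-reply
access-group dmz_out in interface dmz

! ---- Outside router (IOS; ACL numbers and interface names are assumed) ----
! NAT is assumed to happen on the firewall, so both directions use the public IP.
access-list 110 permit icmp any host Public_IP_of_server echo
access-list 111 permit icmp host Public_IP_of_server any echo-reply
!
! Internet-facing interface: public -> private direction, echo
interface Serial0/0
 ip access-group 110 in
!
! Firewall-facing interface: private -> public direction, echo-reply
interface FastEthernet0/0
 ip access-group 111 in
```

Every access list applied to an interface ends with an implicit deny, so binding `dmz_out` or the router ACLs as shown blocks all other traffic on those interfaces until further permit lines are added.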
