05-19-2007 08:12 AM - edited 03-11-2019 03:17 AM
Hi,
I have a PIX 525 firewall in my lab and I am practicing on it. I have connected one system each to the inside and outside interfaces. I have configured 172.25.15.1 as the inside interface IP address and 172.25.30.1 as the outside IP address. I want the system which is connected to the inside interface to be able to ping the outside interface. I have configured the access-list as:
access-list 101 permit icmp any any
access-group 101 in interface outside
The inside network is NATed to the outside interface, but I am still not able to ping the outside interface. Please, can anyone help me in resolving this?
05-19-2007 09:17 AM
Generally, inside users wouldn't be able to ping the outside interface of the PIX.
Use the following access-list to solve your problem.
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-group 101 in interface outside
Or, if you are running 7.X, include Inspect ICMP.
-Hoogen
Do rate if this post helps :)
06-01-2007 04:34 AM
Hi,
I have tried this and it works, but only if you add an entry to the inside interface like this:
access-list InsideACL permit icmp host 10.0.0.1 any echo
Otherwise 10.0.0.1 can't ping anything - is this correct?
Thanks
Ed
06-01-2007 10:41 AM
edw, yes, if you have an ACL in your inside interface then you would have to allow the traffic as well.
06-01-2007 04:02 PM
Hi,
So to confirm: if I have an internal machine, say 10.0.0.1, and I want to ping my outside machine, say 16.16.16.16,
then to do this from the inside I would need these ACLs:
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-group 101 in interface outside
access-list InsideACL permit icmp host 10.0.0.1 any echo
access-group InsideACL in interface inside
Thanks
Ed
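The interaction between the two ACLs summarized in the post above can be traced with a small model. This is an added example, not part of any post in the thread and not Cisco code; it assumes first-match evaluation with an implicit deny, no ICMP inspection (so the echo-reply is checked against the outside ACL), and that an interface with no ACL applied permits inside-to-outside traffic and denies outside-to-inside traffic.

```python
import ipaddress

def load(config):
    """Parse the thread's 'access-list' / 'access-group' lines."""
    acls, bound = {}, {}
    for t in (line.split() for line in config.splitlines() if line.strip()):
        if t[0] == "access-group":            # access-group NAME in interface IF
            bound[t[4]] = t[1]
        elif t[0] == "access-list":           # ... permit icmp {any|host IP} any [TYPE]
            src = ipaddress.ip_address(t[5]) if t[4] == "host" else None
            rest = t[7:] if t[4] == "host" else t[6:]   # tokens after destination "any"
            acls.setdefault(t[1], []).append((t[2], src, rest[0] if rest else None))
    return acls, bound

def allowed(acls, bound, iface, src, icmp_type):
    if iface not in bound:                    # no ACL applied to this interface
        return iface == "inside"              # assumed default: inside out yes, outside in no
    for action, ace_src, ace_type in acls.get(bound[iface], []):
        if ace_src in (None, ipaddress.ip_address(src)) and ace_type in (None, icmp_type):
            return action == "permit"         # first match wins
    return False                              # implicit deny at the end of an applied ACL

def ping(config, inside_host, outside_host="16.16.16.16"):
    """Follow one echo out through 'inside' and its echo-reply back in through 'outside'."""
    acls, bound = load(config)
    if not allowed(acls, bound, "inside", inside_host, "echo"):
        return "echo dropped on inside"
    if not allowed(acls, bound, "outside", outside_host, "echo-reply"):
        return "echo-reply dropped on outside"
    return "ok"

# ACL lines as posted in the thread
OUTSIDE_ACL = """\
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-group 101 in interface outside
"""
INSIDE_ACL = """\
access-list InsideACL permit icmp host 10.0.0.1 any echo
access-group InsideACL in interface inside
"""

if __name__ == "__main__":
    for cfg, host in [(OUTSIDE_ACL + INSIDE_ACL, "10.0.0.1"),
                      (OUTSIDE_ACL + INSIDE_ACL, "10.0.0.2"),
                      (INSIDE_ACL, "10.0.0.1")]:
        print(host, "->", ping(cfg, host))
```

In this model, once InsideACL is applied, any inside host other than 10.0.0.1 hits the implicit deny, and removing the outside ACL drops the returning echo-reply.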
03-28-2008 03:19 AM
Hi,
If I allow inspect ICMP - I still have to add the above entries into the ACL for the traffic to traverse - is this correct? The Cisco ICMP doc is pretty useless as it leads you to believe that this isn't necessary?
Thanks
Ed
05-20-2007 01:44 AM
If you want to ping the outside interface,
then you should write this command in configuration mode:
pix(config)#icmp permit any outside
Bye
06-01-2007 10:36 AM
According to the Cisco doc, pinging an interface on the far side is not possible, i.e. trying to ping the outside interface from a host on the inside. With that being said, I have seen the same config on 2 different firewalls, and one allows it and the other doesn't.
Chad