394 Views, 0 Helpful, 7 Replies

Allowing ICMP

udayashankarsg
Level 1

Hi,

I have a PIX 525 firewall in my lab and I am practicing on it. I have connected two systems, one to the inside interface and one to the outside interface. I have configured 172.25.15.1 as the inside interface IP address and 172.25.30.1 as the outside IP address. I want the system which is connected to the inside interface to be able to ping the outside interface. I have configured the access-list as:

access-list 101 permit icmp any any

access-group 101 in interface outside

The inside network is NATed to the outside interface, but still I am not able to ping the outside interface. Please can anyone help me in resolving this?

7 Replies

hoogen_82
Level 4

Generally, inside users wouldn't be able to ping the outside interface of the PIX.

Use the following access-list to solve your problem.

access-list 101 permit icmp any any echo-reply

access-list 101 permit icmp any any source-quench

access-list 101 permit icmp any any unreachable

access-list 101 permit icmp any any time-exceeded

access-group 101 in interface outside

Or, if you are running 7.x, include inspect ICMP.

-Hoogen

Do rate if this post helps :)

Hi,

I have tried this and it works, but only if you add an entry to the inside interface like this:

access-list InsideACL permit icmp host 10.0.0.1 any echo

Otherwise 10.0.0.1 can't ping anything. Is this correct?

Thanks

Ed

edw, yes, if you have an ACL on your inside interface then you would have to allow the traffic as well.

Hi,

So, to confirm: if I have an internal machine, say 10.0.0.1, and I want to ping my outside machine, say 16.16.16.16.

Then to do this from the inside I would need these ACLs...

access-list 101 permit icmp any any echo-reply

access-list 101 permit icmp any any source-quench

access-list 101 permit icmp any any unreachable

access-list 101 permit icmp any any time-exceeded

access-group 101 in interface outside

access-list InsideACL permit icmp host 10.0.0.1 any echo

access-group InsideACL in interface inside

Thanks

Ed

Hi,

If I allow inspect ICMP, do I still have to add the above entries into the ACL for the traffic to traverse? Is this correct? The Cisco ICMP doc is pretty useless as it leads you to believe that this isn't necessary.

Thanks

Ed

emad.silicon
Level 1

If you want to ping the outside interface, then you should write this command in configuration mode:

pix(config)#icmp permit any outside

bye

According to the Cisco doc, pinging an interface on the far side is not possible, i.e. trying to ping the outside interface from a host on the inside. With that being said, I have seen the same config on 2 different firewalls, and one allows it and the other doesn't.

http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#pingsown

Chad
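The pieces discussed across this thread (hoogen's type-specific return ACL on the outside interface, Ed's outbound entry on the inside ACL, emad's icmp command, and Chad's far-side caveat) fit together as follows. This is an added example written for this page, not configuration posted by any of the participants or taken from Cisco documentation. It reuses the thread's addresses (inside 172.25.15.1, outside 172.25.30.1, inside host 10.0.0.1, outside host 16.16.16.16); the interface names ethernet0/ethernet1 and the ACL name InsideACL are assumptions. The test target is a host behind the outside interface, not the outside interface address itself, because the far-side interface is not reachable from inside regardless of the ACLs.

```cisco
! Added example, not from the thread. PIX 6.x lab config that lets the inside
! host 10.0.0.1 ping the outside host 16.16.16.16 through the firewall.
! Interface names and the ACL name InsideACL are assumed.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 172.25.30.1 255.255.255.0
ip address inside 172.25.15.1 255.255.255.0

! Inside hosts are PAT-translated to the outside interface address.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! Once any ACL is bound to an interface, everything it does not permit is
! dropped by the implicit deny, so the outbound echo has to be listed here.
! Restricting the source to the one lab host keeps the rule narrow.
access-list InsideACL permit icmp host 10.0.0.1 any echo
access-group InsideACL in interface inside

! 6.x does not track ICMP statefully, so the replies to the outbound echo must
! be permitted on the outside interface explicitly. Only the reply types a ping
! needs are opened; plain "permit icmp any any" would also let the Internet
! send echo requests inward, which is the weaker setting from the original post.
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-group 101 in interface outside

! The icmp command controls ICMP addressed TO a firewall interface, not
! traffic passing through it. With no icmp rules, the PIX answers all ICMP to
! its interfaces; once rules exist, anything not matched is denied. Inside
! hosts may ping the near-side (inside) interface; from the outside, only
! error messages are accepted, so the outside address does not answer pings.
icmp permit any inside
icmp deny any echo outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside

! PIX 7.x and later: stateful ICMP inspection tracks each echo and admits its
! echo-reply, so the three type-specific lines in ACL 101 become unnecessary.
! An ACL on the inside interface, if one is bound, still has to permit the
! outbound echo exactly as above.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global

! Verification from the firewall while 10.0.0.1 pings 16.16.16.16: the hit
! counts on the echo line of InsideACL and the echo-reply line of 101 should
! rise by one per packet, and debug icmp trace shows both directions with
! the translated source address.
show access-list InsideACL
show access-list 101
debug icmp trace
```

Two points worth checking in your own lab: if the hit count on InsideACL increments but the one on 101 does not, the echo left the firewall and the problem is the reply path (routing or the outside host's own firewall), not the PIX; and if you run 7.x with inspect icmp, turn off debug icmp trace afterwards, since it logs every ICMP packet the firewall sees.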
