
New Member

Allowing ICMP

Hi,

I have a Pix 525 firewall in my lab and I am practicing on it. I have connected two systems, one to the inside and one to the outside interface. I have configured 172.25.15.1 as the inside interface IP address and 172.25.30.1 as the outside IP address. I want the system which is connected to the inside interface to be able to ping the outside interface. I have configured the access-list as

(access-list 101 permit icmp any any)

(access-group 101 in interface outside). The inside network is NATed to the outside interface, but still I am not able to ping the outside interface. Please can anyone help me in resolving this.

7 REPLIES
Silver

Re: Allowing ICMP

Generally inside users wouldn't be able to ping the outside interface of the PIX.

Use the following access-list to solve your problem.

access-list 101 permit icmp any any echo-reply

access-list 101 permit icmp any any source-quench

access-list 101 permit icmp any any unreachable

access-list 101 permit icmp any any time-exceeded

access-group 101 in interface outside

or if you are running 7.X include inspect ICMP.

-Hoogen

Do rate if this post helps :)

edw
New Member

Re: Allowing ICMP

Hi,

I have tried this and it works, but only if you add an entry to the inside interface like this

access-list InsideACL permit icmp host 10.0.0.1 any echo

otherwise 10.0.0.1 can't ping anything - is this correct???

Thanks

Ed

Green

Re: Allowing ICMP

edw, yes, if you have an ACL on your inside interface then you would have to allow the traffic as well.

edw
New Member

Re: Allowing ICMP

Hi,

So to confirm, if I have an internal machine, say 10.0.0.1, and I want to ping my outside machine, say 16.16.16.16,

then to do this from the inside I would need these ACLs....

access-list 101 permit icmp any any echo-reply

access-list 101 permit icmp any any source-quench

access-list 101 permit icmp any any unreachable

access-list 101 permit icmp any any time-exceeded

access-group 101 in interface outside

access-list InsideACL permit icmp host 10.0.0.1 any echo

access-group InsideACL in interface inside

Thanks

Ed

edw
New Member

Re: Allowing ICMP

Hi,

If I allow inspect ICMP, I still have to add the above entries into the ACL for the traffic to traverse - is this correct? The Cisco ICMP doc is pretty useless as it leads you to believe that this isn't necessary.

Thanks

Ed
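
An added example, not from any poster in this thread: a PIX 7.x style configuration that puts the original poster's blanket rule next to the narrower outside ACL Hoogen suggests, the ICMP inspection Ed asks about, and the icmp command that governs pings to the firewall's own interfaces. The ACL names, the policy-map names and the 172.25.15.0/24 inside network are assumptions (the network is taken from the first post's interface address).

```cisco
! Weak: the rule from the first post admits every ICMP type from outside,
! including unsolicited echo requests and redirects aimed at inside hosts.
access-list 101 extended permit icmp any any
access-group 101 in interface outside

! Hardened: on the outside ACL admit only the reply and error types an
! inside host needs to see for its own pings and traceroutes.
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-group OUTSIDE_IN in interface outside

! 7.x alternative: ICMP inspection tracks each outbound echo request and
! admits only its matching reply, so the echo-reply ACE above is then not
! needed; "inspect icmp error" does the same for the error messages.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

! Pings addressed to the PIX's own interface IPs are controlled by the
! icmp command, not by the interface ACL: allow the inside LAN (assumed
! to be 172.25.15.0/24), refuse pings to the outside address from outside.
icmp permit 172.25.15.0 255.255.255.0 inside
icmp deny any outside
```

None of this changes the restriction Chad cites below: a host on the inside still cannot ping the far-side (outside) interface address, so test reachability against a host beyond the outside interface instead.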

New Member

Re: Allowing ICMP

If you want to ping the outside interface,

then you should write this command in configuration mode:

pix(config)#icmp permit any outside

bye

Silver

Re: Allowing ICMP

According to the Cisco doc, pinging an interface on the far side is not possible, i.e. trying to ping the outside interface from a host on the inside. With that being said, I have seen the same config on 2 different firewalls and one allows it and the other doesn't.

http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#pingsown

Chad
