Cisco Support Community
New Member

Cannot ping from the inside network

Hi guys,

I have set up a PIX 515E with 7.0.(6). I am unable to ping the internet from the internal hosts. I am able to browse the internet and do DNS lookups. Also, the hitcnt does not increment. It always shows up as 0.

I have added the following lines to allow ICMP through, but this does not allow me to ping the internet. I can ping the external interface of the PIX from the internet. Is there something I am not doing right?

access-list in-to-out extended permit icmp object-group internal-lan any log

access-list out-to-in extended permit icmp any any

icmp permit any echo-reply outside

icmp permit any echo outside

icmp permit any outside

icmp permit any inside

1 ACCEPTED SOLUTION

Bronze

Re: Cannot ping from the inside network

Hello,

By default, the PIX does not allow ICMP traffic or any other traffic from a lower to a higher security level; you would have to explicitly allow ICMP traffic to pass through the firewall.

Because of the way ICMP works, you would have to allow all of the entries below in order to be able to ping an outside IP address.

Try this:

access-list out_to_in permit icmp any any unreachable

access-list out_to_in permit icmp any any time-exceeded

access-list out_to_in permit icmp any any echo-reply

access-list in_to_out permit icmp any any unreachable

access-list in_to_out permit icmp any any time-exceeded

access-list in_to_out permit icmp any any echo-reply

Also make sure you have the ACLs "out_to_in" and "in_to_out" applied to the interfaces:

access-group out_to_in in interface outside

access-group in_to_out in interface inside

HTH, please rate it

New Member

Re: Cannot ping from the inside network

Thanks a lot, this fixed it. I had forgotten to apply the access-lists to the interface.
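The root cause in this thread (ACLs defined but never bound with `access-group`, so hitcnt stays at 0) can be caught with a quick audit of the saved configuration. The script below is an added example, not part of the original posts; the function name `audit_acl_bindings` and the sample configuration are constructed for illustration, and it only understands the `access-list` and `access-group` line forms shown in the thread.

```python
import re

# Constructed sample: the ACL lines from the question plus one access-group
# line that refers to a differently spelled name (out_to_in vs out-to-in).
SAMPLE_CONFIG = """\
access-list in-to-out extended permit icmp object-group internal-lan any log
access-list out-to-in extended permit icmp any any
icmp permit any echo-reply outside
icmp permit any inside
access-group out_to_in in interface outside
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)")

def audit_acl_bindings(config_text):
    """Return (unbound_acls, dangling_bindings) for a PIX-style config."""
    defined = []   # ACL names, in order of first appearance
    bindings = []  # (acl_name, direction, interface) tuples
    for raw in config_text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            if m.group(1) not in defined:
                defined.append(m.group(1))
            continue
        m = GROUP_RE.match(line)
        if m:
            bindings.append(m.groups())
    bound = {name for name, _, _ in bindings}
    # ACLs that no access-group references never see interface traffic.
    unbound = [name for name in defined if name not in bound]
    # access-group lines that point at a name with no access-list entries.
    dangling = [b for b in bindings if b[0] not in defined]
    return unbound, dangling

if __name__ == "__main__":
    unbound, dangling = audit_acl_bindings(SAMPLE_CONFIG)
    for name in unbound:
        print(f"ACL '{name}' is defined but not applied to any interface")
    for name, direction, ifname in dangling:
        print(f"access-group on '{ifname}' ({direction}) "
              f"references undefined ACL '{name}'")
```

An ACL reported as unbound is not always a mistake, since ACLs can also be referenced from NAT or crypto map statements; treat the output as a list to review.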
