Community Member

Cannot ping server behind PIX?!

I have a Web/DNS server behind a PIX firewall. I cannot ping it. What access-list do I need to allow ping traffic through? Or is it even necessary to allow pings? Could that be a security risk for things such as DoS?

5 REPLIES

Re: Cannot ping server behind PIX?!

Hi Austin

Try this

policy-map global_policy
 class inspection_default
  inspect icmp

You'd better leave ICMP enabled for connectivity test purposes. When you finish testing, disable it to avoid possible ping flood attacks.

Regards

Community Member

Re: Cannot ping server behind PIX?!

Okay, just to make sure I understand you... The three lines above are just for testing, or should I create an access-list to allow ICMP traffic for testing? Once I enter those three lines, will my server be vulnerable to DoS attacks?

Thanks for your help!

Re: Cannot ping server behind PIX?! (Accepted Solution)

When you enter the above lines in their respective order in configure terminal mode in the CLI, ICMP will be allowed without the need for an ACL. When you finish your test, disallow it by typing

policy-map global_policy
 class inspection_default
  no inspect icmp

Community Member

Re: Cannot ping server behind PIX?!

Okay, one thing: I'm not sure if this makes a difference, but I am using a PIX 501, and I'm not familiar with the policy-map... are those valid commands for a 501?

Thanks!

Re: Cannot ping server behind PIX?!

Hmm, if it doesn't work you can try this

icmp permit any dmz
icmp permit any inside

or

fixup protocol icmp

If that doesn't work either, write ACLs as

access-list dmzrulenamehere permit icmp any any
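
A small check for the ICMP settings suggested in this thread, so they are not left in place after testing. This is an added example, not posted by any participant in the thread; the sample configuration, the ACL name outside_in and the address 192.0.2.10 are constructed for illustration.

```python
import re

# Constructed sample configuration (not from the poster's device). It holds the
# ICMP-related commands suggested in the replies, plus one narrower echo rule.
SAMPLE_CONFIG = """\
access-list dmzrulenamehere permit icmp any any
access-list outside_in permit icmp any host 192.0.2.10 echo
access-list outside_in permit tcp any host 192.0.2.10 eq www
icmp permit any dmz
icmp permit any inside
policy-map global_policy
 class inspection_default
  inspect dns
  inspect icmp
"""

# Each rule: (finding label, pattern matched against a stripped config line).
RULES = [
    ("ACL permits every ICMP type from any source to any destination",
     re.compile(r"^access-list\s+\S+\s+(?:extended\s+)?permit\s+icmp\s+any\s+any$")),
    ("firewall interface itself accepts ICMP from any source",
     re.compile(r"^icmp\s+permit\s+any\s+\S+$")),
    ("ICMP inspection still enabled (the thread advises removing it after testing)",
     re.compile(r"^inspect\s+icmp$")),
]

def audit_icmp(config_text):
    """Return (line_number, line, finding) for each broad ICMP setting found."""
    findings = []
    for number, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        # Skip blanks, comments and negated commands such as "no inspect icmp".
        if not line or line.startswith("!") or line.startswith("no "):
            continue
        for label, pattern in RULES:
            if pattern.match(line):
                findings.append((number, line, label))
    return findings

if __name__ == "__main__":
    for number, line, label in audit_icmp(SAMPLE_CONFIG):
        print(f"line {number}: {line!r}: {label}")
```

The narrower rule on line 2 of the sample (echo to a single host) is not flagged; only the unrestricted forms are.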
