12-02-2006 11:48 PM - edited 03-11-2019 02:03 AM
What's the default icmp behavior on Pix?
I can't seem to ping from any inside hosts to any outside hosts...
What do I have to do to allow it, while blocking icmp initiated from outside?
12-03-2006 06:02 AM
To be very sure, create/add an ACL to allow ICMP from any inside host to ping external/internet host(s). Bind this ACL to the Inside interface, for example:
global (outside) 1 192.168.1.10 --> Public IP
nat (inside) 1 10.1.1.0 255.255.255.0 --> your internal segment
access-list inside permit icmp any any --> permit any icmp type from internal host to external
access-group inside in interface inside --> bind ACL to inside interface
If you already have an existing ACL, just add it to the top, or before any deny statement.
Allowing all ICMP types here is for testing purposes only. Also, make sure you do not block any ICMP on your Outside interface (via any ACL).
HTH
AK
12-03-2006 09:37 AM
Thanks for the quick reply.
I did exactly what you suggested, and it's still not going through.
I ping 63.240.76.72 from inside host, and get the following on Pix:
106014: Deny inbound icmp src outside:63.240.76.72 dst inside:192.168.1.10 (type 0, code 0)
show access-list:
access-list 101 line 1 permit icmp any any (hitcnt=2)
It looks like Pix is allowing icmp from inside out, but not from outside in.
So I created another ACL allowing inbound icmp and applied it to the outside interface; I can now ping from inside.
But, how do I limit ping initiated from inside only?
12-03-2006 09:49 AM
Hi,
Allow only "echo-reply" on your outside interface, so only your inside hosts can ping.
ref :
Hope this helps
regards
vanesh k
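Added example, not part of the original thread and not Cisco's code: a small triage script that reads 106014 deny lines like the one quoted above and separates dropped replies to inside-initiated traffic from outside-initiated requests, then lists narrow permit entries for the dropped reply types only. Treating types 3 and 11 as replies alongside echo-reply generalizes the answer above; the ACL name OUTSIDE_IN and all sample lines except the first are constructed.

```python
import re
from collections import Counter

# PIX syslog 106014 in the format quoted in the thread.
DENY_RE = re.compile(
    r"106014: Deny inbound icmp src (?P<sif>\S+?):(?P<src>\S+) "
    r"dst (?P<dif>\S+?):(?P<dst>\S+) \(type (?P<type>\d+), code (?P<code>\d+)\)"
)
# ICMP types that answer traffic an inside host started (PIX type keywords).
REPLY_TYPES = {0: "echo-reply", 3: "unreachable", 11: "time-exceeded"}
# ICMP types that start a new exchange; these should stay denied from outside.
REQUEST_TYPES = {8: "echo", 13: "timestamp-request", 17: "mask-request"}

def classify(line):
    """Return (verdict, icmp_name) for one 106014 line, or None if no match."""
    m = DENY_RE.search(line)
    if not m:
        return None
    t = int(m["type"])
    if t in REPLY_TYPES:
        return ("reply-dropped", REPLY_TYPES[t])
    if t in REQUEST_TYPES:
        return ("request-blocked", REQUEST_TYPES[t])
    return ("other", f"type-{t}")

def summarize(lines):
    """Count (verdict, icmp_name) pairs across a batch of syslog lines."""
    return Counter(r for r in map(classify, lines) if r)

def suggested_acl(counts, acl="OUTSIDE_IN"):
    """Permit lines for dropped reply types only; the ACL name is hypothetical."""
    names = sorted({n for (verdict, n) in counts if verdict == "reply-dropped"})
    return [f"access-list {acl} permit icmp any any {n}" for n in names]

# First line is the one from the thread; the others are constructed samples.
SAMPLE = [
    "106014: Deny inbound icmp src outside:63.240.76.72 dst inside:192.168.1.10 (type 0, code 0)",
    "106014: Deny inbound icmp src outside:203.0.113.5 dst inside:192.168.1.10 (type 8, code 0)",
    "106014: Deny inbound icmp src outside:198.51.100.7 dst inside:192.168.1.10 (type 11, code 0)",
    "106014: Deny inbound icmp src outside:63.240.76.72 dst inside:192.168.1.10 (type 0, code 0)",
]

if __name__ == "__main__":
    counts = summarize(SAMPLE)
    for (verdict, name), n in sorted(counts.items()):
        print(f"{verdict:16} {name:14} {n}")
    print("\n".join(suggested_acl(counts)))
```

The generated entries still have to be bound to the outside interface with access-group, and the type 8 line stays denied because nothing permits echo inbound.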
12-03-2006 10:25 AM
Thanks; this doc totally answered my question.