
New Member

default icmp behavior

What's the default ICMP behavior on the PIX?

I can't seem to ping from any inside host to any outside host...

What do I have to do to allow it, while blocking ICMP initiated from outside?

Accepted Solution

Re: default icmp behavior

Hi,

Allow only "echo-reply" on your outside interface, so only your inside host can ping.

ref:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#topic0

Hope this helps

regards

vanesh k
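
The "echo-reply only on the outside" idea above, written out as a complete PIX 6.x style configuration. This is an added example, not vanesh k's or Cisco's own text; the interface names (outside/inside), the ACL names (inside_out, outside_in) and the addresses (which reuse the 10.1.1.0/24 segment and 192.168.1.10 public IP mentioned in this thread) are assumptions, and the "!" comment lines are for readability. It goes slightly beyond the reply by also admitting unreachable and time-exceeded so PMTU discovery and traceroute from inside keep working.

```cisco
! Hypothetical PIX 6.x configuration (added example, not from the thread).
! Assumed interfaces: outside (security0), inside (security100).
! Assumed addressing: inside segment 10.1.1.0/24, public address 192.168.1.10.

! PAT so inside hosts leave with the public address
global (outside) 1 192.168.1.10
nat (inside) 1 10.1.1.0 255.255.255.0

! Inside ACL: inside hosts may send echo requests out.
! Only the ICMP type you need, not "permit icmp any any".
access-list inside_out permit icmp 10.1.1.0 255.255.255.0 any echo
access-list inside_out permit tcp 10.1.1.0 255.255.255.0 any
access-list inside_out permit udp 10.1.1.0 255.255.255.0 any
access-group inside_out in interface inside

! Outside ACL: only the answers to pings that started inside come back.
! echo-reply answers the inside host's echo; unreachable and time-exceeded
! keep PMTU discovery and traceroute working. There is deliberately no
! "echo" permit here, so pings started on the Internet are still dropped
! (and still logged as 106014, which is what you want to see for those).
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any unreachable
access-list outside_in permit icmp any any time-exceeded
access-group outside_in in interface outside

! Separately, stop the PIX itself from answering pings on its outside address.
icmp deny any echo outside
```

On PIX 7.x and the ASA, "inspect icmp" in the policy map tracks an outbound echo and admits its matching echo-reply statefully, so the echo-reply line on the outside ACL becomes unnecessary there; the explicit outside permit is what a PIX 6.x box without ICMP inspection needs.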

4 REPLIES

Re: default icmp behavior

To be very sure, create/add an ACL to allow ICMP from any inside host to ping external/internet host(s). Bind this ACL on the inside interface, for example:

global (outside) 1 192.168.1.10 --> Public IP

nat (inside) 1 10.1.1.0 255.255.255.0 --> your internal segment

access-list inside permit icmp any any --> permit any ICMP type from internal hosts to external

access-group inside in interface inside --> bind the ACL named "inside" to the inside interface

If you already have an existing ACL, just add it at the top, or before any deny statement.

Allowing all ICMP types here is only for testing purposes. Also, make sure that on your outside interface you do not block any ICMP (via any ACL).

HTH

AK

New Member

Re: default icmp behavior

Thanks for the quick reply.

I did exactly what you suggested, and it's still not going through.

I ping 63.240.76.72 from an inside host, and get the following on the PIX:

106014: Deny inbound icmp src outside:63.240.76.72 dst inside:192.168.1.10 (type 0, code 0)

show access-list:

access-list 101 line 1 permit icmp any any (hitcnt=2)

It looks like the PIX is allowing ICMP from inside out, but not from outside in.

So I created another ACL allowing inbound ICMP and applied it to the outside interface; I can now ping from inside.

But how do I limit pings to those initiated from inside only?


New Member

Re: default icmp behavior

Thanks; this doc totally answered my question.