New Member

Firewall Ping

How do you allow your firewall to ping the internet?

I have had the network working for over a year, but when I try to ping from the firewall to the internet or anything for testing it just gives me ?????. I am assuming it is an ACL issue. I have access-list 101 extended permit icmp any any on the first line. That should allow the access, correct?

2 REPLIES
Hall of Fame Super Silver

Nothing special (access-list or traffic inspection) is required to allow pings generated by the firewall itself.

If you want the firewall to respond to pings you need to allow that explicitly and turn on icmp inspection.

If you want to pass traceroute through and properly decrement the TTL so the firewall shows up in the trace you need to inspect icmp and make some other modifications as well.

Cisco Employee

When you test, what is the IP that you are trying to ping? Also, are you connected directly to your ISP on the public interface, or is there any other device with the capability of blocking ICMP requests or replies?

You can set up a capture on the external interface, and if you see that the packet is captured, most likely the block is outside your device.

Ex: capture interface outside match icmp host (public ip of the firewall) host 4.2.2.2

FYI, ICMP inspection is required for traffic that traverses the firewall. Since the traffic is started on the public interface to the internet, this command is not required.
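A small triage helper for the capture step suggested in the reply above, as an added example that is not part of the thread: it reads text in the one-line-per-packet layout assumed here for ASA `show capture` output and reports whether echo requests left the outside interface and whether replies came back. The firewall address 203.0.113.10, the function name and the sample lines are constructed for illustration.

```python
import re

# Assumed layout of one `show capture` line (constructed sample below):
#   "   1: 13:22:09.735689       203.0.113.10 > 4.2.2.2: icmp: echo request"
LINE = re.compile(
    r"^\s*\d+:\s+\S+\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):\s+icmp:\s+(?P<kind>.+?)\s*$"
)

def triage(capture_text, fw_ip, target_ip):
    """Count firewall-originated echo requests and matching replies."""
    requests = replies = other = 0
    for line in capture_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # header lines, blank lines, non-ICMP packets
        src, dst, kind = m["src"], m["dst"], m["kind"]
        if src == fw_ip and dst == target_ip and kind == "echo request":
            requests += 1
        elif src == target_ip and dst == fw_ip and kind == "echo reply":
            replies += 1
        elif dst == fw_ip:
            other += 1  # e.g. unreachable messages sent back by an upstream device
    if requests == 0:
        verdict = "not_sent"   # nothing reached the outside interface
    elif replies == 0:
        verdict = "no_reply"   # sent but unanswered: block is likely outside the device
    elif replies < requests:
        verdict = "partial"    # some loss or rate limiting upstream
    else:
        verdict = "ok"
    return {"requests": requests, "replies": replies,
            "other_icmp": other, "verdict": verdict}

# Constructed sample: three requests leave the firewall, nothing returns.
SAMPLE = """\
3 packets captured
   1: 13:22:09.735689       203.0.113.10 > 4.2.2.2: icmp: echo request
   2: 13:22:11.735704       203.0.113.10 > 4.2.2.2: icmp: echo request
   3: 13:22:13.735719       203.0.113.10 > 4.2.2.2: icmp: echo request
"""

if __name__ == "__main__":
    print(triage(SAMPLE, "203.0.113.10", "4.2.2.2"))
```

A `no_reply` verdict matches the case described in the reply: the firewall sent the packet, so the drop is happening upstream.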

 
