Cisco Support Community

New Member

Ping outside

Hi,

I am trying to figure it out for an hour or two now and can't.

In all the documentation I found, it states that Cisco PIX does not reply to ping on the outside interface and that, to enable it, an ACL must be created and attached to the outside interface.

Problem is that I don't have any ACL and can ping the outside interface of the PIX from the router. When I add an ACL with deny icmp any any and deny ip any any, it still works and the ACL counters do not increase.

Config is default; I tried this on a PIX 501 and a 506E. What can allow ping on the outside interface?

ip address outside 10.1.3.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-list 10 deny icmp any any log
access-group 10 in interface outside

Thanks.

Michal

ACCEPTED SOLUTION
New Member

Re: Ping outside

Hi Michal,

Cisco documentation DOES provide this information. ACLs are for traffic through the firewall not to the firewall.

The command you need is "icmp deny any outside" (if outside interface's name is 'outside', otherwise, you should use that name). Here's the document:

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/i1_72.html#wp1631466

This would be the same for SSH or telnet. If you want to allow SSH access to the firewall, an ACL won't have any effect. You need to use the "ssh" command.

Btw, icmp is permitted to the outside interface by default.
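The following configuration is an added example, not part of the thread and not from the accepted answer; it puts the transit ACL from the question beside the to-the-box "icmp" and "ssh" commands the answer refers to, so the distinction is visible in one place. The ACL name OUTSIDE_IN, the upstream router address 10.1.3.1 and the inside management subnet are assumptions chosen to match the addressing posted in the question. One caveat worth knowing when applying it: as soon as any "icmp" entry exists on an interface, ICMP to that interface which matches no entry is dropped, so order the permit entries before the final deny.

```cisco
! Added example (not the thread's own config). Interface names and
! addresses are assumed from the question: outside 10.1.3.2/24,
! inside 192.168.1.1/24, upstream router assumed to be 10.1.3.1.

! 1. Transit ACL: applies only to traffic passing THROUGH the firewall.
!    Pings addressed to the outside interface itself never hit these
!    lines, which is why the counters in the question stayed at zero.
access-list OUTSIDE_IN deny icmp any any log
access-list OUTSIDE_IN deny ip any any log
access-group OUTSIDE_IN in interface outside

! 2. To-the-box ICMP: the "icmp" command controls pings sent TO an
!    interface. With no entries, ICMP to the interface is permitted by
!    default (the behaviour seen in the question). Once any entry exists,
!    unmatched ICMP is denied, so the final "deny any" closes the interface
!    while the earlier lines keep monitoring and PMTUD working.
icmp permit host 10.1.3.1 echo outside
icmp permit any unreachable outside
icmp deny any outside

! 3. Management access follows the same rule: an interface ACL has no
!    effect on SSH to the box. The "ssh" command defines who may connect
!    (assumed: only the inside subnet, with an idle timeout).
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 10
```

After applying this, a ping from the router to 10.1.3.2 should still answer (it matches the echo permit), while a ping from any other outside host is silently dropped by the "icmp deny any outside" line rather than by the ACL; the ACL counters will keep showing transit traffic only, as the answer describes.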

3 REPLIES
Cisco Employee

Re: Ping outside

Michal.. the access-list is for transit traffic, not for traffic destined to the interface itself...

add this...icmp deny any outside

see if it works


New Member

Re: Ping outside

Hi,

Thanks for clearing this up. It works now.

Michal
