Pings through a PIX/ASA 7.x

Hi,

With ICMP inspection turned off and "access-list inside permit ip any any" on the inside interface (access-group inside in interface inside) and "access-list outside permit icmp any any echo" on the outside interface (access-group outside in interface outside), will I be able to successfully ping an inside host from an outside host?

And with the same configuration above, will I be able to ping an outside host from an inside host, or will I need to add "permit icmp any any echo-reply" on the outside interface in the inbound direction for the return echo-reply to pass through the firewall?

How will the above configuration be different if ICMP inspection is turned on?

Thanks,

Vikram


6 Replies

abinjola (Cisco Employee)

Yes, you will be able to ping through. Make sure you don't have the outside interface used for PAT.

Thanks for the reply, but will I be able to ping from an inside host to an outside host without adding "access-list outside permit icmp any any echo-reply"?

And what config changes will I need to make if I turn on ICMP inspection?

You will either need to specifically allow echo-replies, or all ICMP traffic, to ping from inside to outside.

You may even need to allow echoes on the inside ACL, or disable that ACL altogether since it's permitting ip any any anyway.

Thanks srue,

it answers my question.

Got one more question relating to ICMP: with ICMP inspection enabled, when pinging from an outside host to an inside host or from an inside host to an outside host, is it required to explicitly permit the return ICMP traffic?

Then you don't need to do that, as fixup or inspect commands basically open the path for the return traffic. That's their job. These commands come into effect when there is any traffic "through" the firewall. Same is the case for active FTP. If ip inspect ftp is specified, you don't have to put an ACE for ftp-data. It's not required then.

Raman
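As an added illustration (not part of any reply in this thread), the two ways the answers above describe of letting the echo-reply back in on an ASA 7.x, side by side. The ACL and policy-map names are the platform defaults and the ones used in the question; nothing here is taken from a real device.

```text
! Approach 1: stateless. Explicitly permit the return traffic on the outside ACL.
! Risk: an echo-reply from ANY source is admitted to ANY inside host, whether or not
! an inside host ever sent an echo, so unsolicited echo-replies are never filtered.
access-list outside extended permit icmp any any echo
access-list outside extended permit icmp any any echo-reply
access-group outside in interface outside

! Approach 2: stateful. Enable ICMP inspection in the default global policy.
! The ASA records each outbound echo and admits only the matching echo-reply
! (inspect icmp error additionally admits ICMP errors tied to that exchange).
! The echo-reply ACE from approach 1 is then unnecessary and should be removed.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
service-policy global_policy global

! Still needed in both approaches for outside-to-inside pings: the inbound echo itself.
! With inspection on, the inside host's echo-reply back out is matched statefully too.
access-list outside extended permit icmp any any echo
```

Approach 2 is the tighter of the two: the only ICMP that crosses the outside interface inbound is what an inside host solicited plus whatever the outside ACL explicitly permits.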
