
Pings through a PIX/ASA 7.x

Hi,

With ICMP inspection turned off, "access-list inside permit ip any any" on the inside interface (access-group inside in interface inside) and "access-list outside permit icmp any any echo" on the outside interface (access-group outside in interface outside), will I be able to successfully ping an inside host from an outside host?

And with the same configuration, will I be able to ping an outside host from an inside host, or will I need to add "permit icmp any any echo-reply" on the outside interface in the inbound direction for the return echo-reply to pass through the firewall?

How will the above configuration be different if ICMP inspection is turned on?

Thanks,

Vikram


6 REPLIES
Cisco Employee

Re: Pings through a PIX/ASA 7.x

Yes, you will be able to ping through. Make sure you don't have the outside interface for PAT.

Re: Pings through a PIX/ASA 7.x

Thanks for the reply, but will I be able to ping from an inside host to an outside host without adding "access-list outside permit icmp any any echo-reply"?

And what config changes will I need to make if I turn on ICMP inspection?

Gold (Accepted Solution)

Re: Pings through a PIX/ASA 7.x

You will either need to specifically allow echo-replies, or all ICMP traffic, to ping from inside to outside.

You may even need to allow echoes on the inside ACL, or disable that ACL altogether since it's permitting ip any any anyway.
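The stateless case srue describes, written out as an ASA 7.x configuration. This is an added example, not configuration from the original thread; the interface names, the 192.168.1.0/24 inside network, the 203.0.113.10 static translation for 192.168.1.10, and the 198.51.100.5 outside host are assumptions for illustration.

```cisco
! Added example (not from the thread). Addresses and names are assumed.
! With no "inspect icmp", the ASA keeps no ICMP state: every ICMP packet,
! request or reply, is checked only against the ACL applied to the
! interface it arrives on. Both directions therefore need an ACE.

! An inside host that must be pingable from outside needs a one-to-one
! static translation, not the outside interface's PAT address.
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255

! Inside ACL: echo from inside hosts is already covered by "permit ip any any".
access-list inside extended permit ip any any
access-group inside in interface inside

! Outside ACL: "echo" lets outside hosts ping the published inside host;
! "echo-reply" lets replies to inside-originated pings back in.
! Without inspection, the echo-reply ACE also admits unsolicited
! echo-replies to any inside address, since nothing ties a reply
! to a request.
access-list outside extended permit icmp any host 203.0.113.10 echo
access-list outside extended permit icmp any any echo-reply
! Optional: needed for traceroute and path-MTU discovery through the box.
access-list outside extended permit icmp any any time-exceeded
access-list outside extended permit icmp any any unreachable
access-group outside in interface outside

! Checks: per-ACE hit counts, and (ASA 7.2 and later) a simulated echo
! from outside to the published host, then an echo-reply coming back in.
show access-list outside
packet-tracer input outside icmp 198.51.100.5 8 0 203.0.113.10
packet-tracer input outside icmp 198.51.100.5 0 0 203.0.113.10
```

Without the echo-reply ACE, an inside host's pings time out even though the request left the ASA: the reply is dropped on the outside interface, which shows up as the ACL deny syslog (106023) in `show logging`. That is exactly the point srue makes above.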

Re: Pings through a PIX/ASA 7.x

Thanks srue,

It answers my question.

Re: Pings through a PIX/ASA 7.x

Got one more question relating to ICMP: with ICMP inspection enabled, when pinging from an outside host to an inside host or from an inside host to an outside host, is it required to explicitly permit the return ICMP traffic?

Community Member (Accepted Solution)

Re: Pings through a PIX/ASA 7.x

Then you don't need to do that, as fixup or inspect commands basically open the path for the return traffic. That's their job. These commands come into effect when there is any traffic "through" the firewall. Same is the case for active FTP. If ip inspect ftp is specified you don't have to put an ACE for ftp-data. It's not required then.

Raman
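Raman's stateful case as an ASA 7.x configuration, added here as an example rather than taken from the thread. It reuses assumed addresses (inside host 192.168.1.10 published as 203.0.113.10); the class-map and policy-map names are the ones the default ASA 7.x configuration ships with.

```cisco
! Added example (not from the thread). Addresses are assumed; the
! class-map/policy-map names are the ASA 7.x defaults.

static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255

! Enable ICMP inspection in the default global policy. The ASA then
! creates a connection entry for each echo and matches the reply to it
! by ICMP type, ID and sequence number; unmatched replies are dropped.
! "inspect icmp error" additionally admits ICMP errors (time-exceeded,
! unreachable) that relate to an existing connection.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
service-policy global_policy global

access-list inside extended permit ip any any
access-group inside in interface inside

! Outside ACL: only the initial packet of a flow needs an ACE. Echo-replies
! to inside-originated pings ride the inspected connection, so the
! "permit icmp any any echo-reply" line is not required and, if left in,
! would only serve to admit unsolicited replies.
access-list outside extended permit icmp any host 203.0.113.10 echo
access-group outside in interface outside

! Checks: the ICMP connection exists while a ping is in flight, and the
! inspection counters increment.
show conn protocol icmp
show service-policy inspect icmp
```

The same logic holds for the outside-to-inside direction: the outside ACL must permit the echo to the published address, and the inside host's echo-reply returns on the connection inspection created. Note that these ACLs govern ICMP passing through the ASA; pings addressed to the ASA's own interface addresses are controlled separately by the `icmp` command.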
