New Member

pix---ping to inside inf from dmzs ?

Hi experts,

Is it possible to ping the inside interface of the PIX firewall from the dmz or outside? If yes, what are the configurations to be done on it?

Please help.

rajesh

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: pix---ping to inside inf from dmzs ?

No, you can only ping from a directly connected interface, i.e. from outside, you can only ping the outside interface, from dmz, you can only ping the dmz interface, etc.

If you are connecting via VPN on the outside interface, you can configure "management-access inside" to be able to ping the inside interface.

However you can only configure 1 management-access line, not multiple lines. Therefore you would need to choose which interface you would like to ping when you VPN in.

Here is the command for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/m.html#wp1987122

Hope that helps.

6 REPLIES

Re: pix---ping to inside inf from dmzs ?

Hi,

This link will help

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#topic2

It states the following:

Pings Inbound

Pings initiated from the outside, or another low security interface of the PIX, are denied by default. The pings can be allowed by the use of static and access lists or access lists alone.

New Member

Re: pix---ping to inside inf from dmzs ?

Hi,

Thanks for your reply.

My intention is to ping the INSIDE INTERFACE from any other dmz/outside network!

Please check and let me know.

rajesh

New Member

Re: pix---ping to inside inf from dmzs ?

Can you please attach the running configuration file?

New Member

Re: pix---ping to inside inf from dmzs ?

ethernet 0 outside -> 172.16.1.1

ethernet 2 dmz -> 192.168.1.1

ethernet 1 inside -> 10.0.0.1

icmp permit any inside

icmp permit any outside

icmp permit any dmz

access-list 101 permit ip any any

access-group 101 in interface inside

access-group 101 in interface outside

access-group 101 in interface dmz

New Member

Re: pix---ping to inside inf from dmzs ?

I don't know the security level of the interfaces. So set the security-level to 100 for inside and dmz interface.

security-level 100

same-security-traffic permit intra-interface

access-group 101 out interface dmz
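As an added example (not part of the thread and not Cisco code), this Python check runs over the command lines posted above. It reports where an ACL containing `permit ip any any` is bound, which interfaces answer ICMP from any source, and whether `management-access` is set, the one setting the accepted answer names for reaching the inside interface over VPN. The sample is constructed from the thread's lines, and the `audit` function name is hypothetical.

```python
import re

# Constructed sample: the command lines posted in the thread above.
SAMPLE_CONFIG = """\
icmp permit any inside
icmp permit any outside
icmp permit any dmz
access-list 101 permit ip any any
access-group 101 in interface inside
access-group 101 in interface outside
access-group 101 in interface dmz
"""

def audit(config: str) -> dict:
    """Return findings for a PIX/ASA-style config given as text (hypothetical helper)."""
    open_acls = set()    # ACL names that contain 'permit ip any any'
    bindings = []        # (acl, direction, interface) from access-group lines
    open_icmp = []       # interfaces that answer ICMP from any source
    mgmt_access = None   # interface named by 'management-access', if any
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"access-list (\S+)(?: extended)? permit ip any any", line):
            open_acls.add(m.group(1))
        elif m := re.fullmatch(r"access-group (\S+) (in|out) interface (\S+)", line):
            bindings.append(m.groups())
        elif m := re.fullmatch(r"icmp permit any (?:\S+ )?(\S+)", line):
            open_icmp.append(m.group(1))   # optional token is an ICMP type
        elif m := re.fullmatch(r"management-access (\S+)", line):
            mgmt_access = m.group(1)
    return {
        # (interface, direction, acl) for every binding of a wide-open ACL
        "open_acl_bindings": sorted((i, d, a) for a, d, i in bindings if a in open_acls),
        "icmp_from_any": sorted(open_icmp),
        "management_access": mgmt_access,
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

On the posted lines it flags ACL 101 inbound on all three interfaces, including outside, and finds no `management-access` line.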
