
unable to ping public address behind pix

bws
Level 1

Hi all,

I am using PIX 7.0. I have opened any any access for my users behind the firewall, but none is able to ping public addresses like www.yahoo.com or IP 66.45.172.7.

Please see the attached show run.

2 Accepted Solutions

suschoud
Cisco Employee

Please add the command:

access-list acl-internet extended permit icmp any any

This is the access-list on the outside interface. When you try to ping anything on the internet, the ICMP echo request reaches that IP address, and an ICMP echo response is generated which reaches the firewall's outside interface.

As the access-list on the outside interface does not permit ICMP, the responses are dropped, and that is why you do not get replies on the inside.

There are many ICMP commands which you could permit individually.

For details, please check:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

Hope this helps!!

Sushil

Cisco TAC.


Perhaps you don't even need to use access-lists. With 7.0 code the PIX can do stateful inspection of ICMP and track the replies coming from outside and allow them if they match the requests initiated from the inside network. To do so, you can implement the following commands:

policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
  exit
 exit

Now check if you are able to ping outbound.

Regards,

Vibhor.

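As an added illustration (not code from this thread and not Cisco's implementation), here is a Python model of what the ICMP inspection engine does with packets arriving on the outside interface: echo replies and ICMP error messages are passed only when they match an echo request recorded on its way out, whereas the access-list entry in the first answer passes every ICMP packet. The packet fields, addresses and identifiers are constructed sample values.

```python
from dataclasses import dataclass, field

ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11

def key(p):  # (src, dst, id, seq) identifies one echo exchange
    return (p["src"], p["dst"], p["id"], p["seq"])

@dataclass
class IcmpInspector:
    pending: set = field(default_factory=set)  # echo requests seen leaving inside
    inspect_error: bool = True                 # models the 'inspect icmp error' half

    def outbound(self, pkt):
        """Inside -> outside: remember echo requests so their answers can be matched."""
        if pkt["type"] == ECHO_REQUEST:
            self.pending.add(key(pkt))
        return True

    def inbound(self, pkt):
        """Outside -> inside: pass only what answers a remembered request."""
        if pkt["type"] == ECHO_REPLY:
            # a reply mirrors its request: src/dst swapped, same id and seq
            k = (pkt["dst"], pkt["src"], pkt["id"], pkt["seq"])
            if k in self.pending:
                self.pending.discard(k)  # one reply per request; a repeat is dropped
                return True
            return False
        if self.inspect_error and pkt["type"] in (DEST_UNREACH, TIME_EXCEEDED):
            # errors come from a router on the path, so match on the original
            # IP/ICMP header quoted inside the error, not on the error's own src
            inner = pkt.get("inner")
            return inner is not None and key(inner) in self.pending
        return False  # e.g. an unsolicited echo request from the internet

def run_scenario():
    """Constructed packets for one ping from an inside host to 66.45.172.7."""
    fw = IcmpInspector()
    req = {"type": ECHO_REQUEST, "src": "10.1.1.5", "dst": "66.45.172.7", "id": 0x1234, "seq": 1}
    fw.outbound(req)
    reply = {"type": ECHO_REPLY, "src": "66.45.172.7", "dst": "10.1.1.5", "id": 0x1234, "seq": 1}
    ttl_exceeded = {"type": TIME_EXCEEDED, "src": "203.0.113.9", "dst": "10.1.1.5", "inner": req}
    probe = {"type": ECHO_REQUEST, "src": "198.51.100.4", "dst": "10.1.1.5", "id": 7, "seq": 1}
    return {
        "ttl_exceeded": fw.inbound(ttl_exceeded),  # True: quoted header matches the request
        "echo_reply": fw.inbound(reply),           # True: answers the pending request
        "duplicate_reply": fw.inbound(reply),      # False: that session is already closed
        "unsolicited_echo": fw.inbound(probe),     # False here; 'permit icmp any any' would pass it
    }
```

With inspection the outside access-list needs no ICMP entry at all, and the inside stays closed to ICMP that no inside host asked for.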

3 Replies

vince-tran
Level 1

Permit icmp any any echo-reply from the internet (acl-internet)

and permit icmp any any echo from the inside (acl-inside).

That should do it.
