03-06-2007 07:36 AM - edited 03-11-2019 02:42 AM
Hi all,
I am using PIX 7.0. I have opened any any access for my users behind the firewall, but none is able to ping public addresses like www.yahoo.com or IP 66.45.172.7.
Please see the attached show run.
03-06-2007 07:41 AM
Please add the command:
access-list acl-internet extended permit icmp any any
This is the access-list on the outside interface. When you try to ping anything on the internet, the ICMP echo request reaches that IP address, and an ICMP echo response is generated which reaches the firewall's outside interface.
As the access-list on the outside interface does not permit ICMP, the replies are dropped, and that's why you do not get replies on the inside.
There are many ICMP commands which you could permit individually.
For details, please check:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
Hope this helps!!
Sushil
Cisco TAC.
03-06-2007 08:06 AM
Perhaps you don't even need to use access-lists. With 7.0 code the PIX can do stateful inspection of ICMP and track the replies coming from outside, allowing them if they match requests initiated from the inside network. To do so, you can implement the following commands:
policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error
exit
exit
Now check if you are able to ping outbound.
Regards,
Vibhor.
03-06-2007 11:41 AM
permit icmp any any echo-reply from the internet (acl-internet)
and permit icmp any any echo from the inside (acl-inside)
That should do it.
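The three answers above describe the same failure from different angles: the echo request leaves through acl-inside, but the echo-reply arrives on the outside interface and is judged by acl-internet, which has no ICMP line. The following is an added example, not code from the thread or from Cisco, that models a single outbound ping through a toy PIX in the three configurations discussed: the ACLs as posted, acl-internet with a `permit icmp any any echo-reply` line, and `inspect icmp` with no ICMP permit at all. The inside host 192.168.1.10 and the stray source 203.0.113.9 are constructed; 66.45.172.7 is the address from the question. NAT is ignored, packets carry only the ICMP fields the model needs, and the session table is a simplified stand-in for the PIX connection table.

```python
"""Toy model of an outbound ping through a PIX: stateless ACLs vs. ICMP inspection.

Added example, not Cisco code. Addresses other than 66.45.172.7 are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ECHO_REPLY = 0
ECHO_REQUEST = 8


@dataclass(frozen=True)
class Icmp:
    src: str
    dst: str
    icmp_type: int
    ident: int  # ICMP identifier; together with seq it pairs a reply to its request
    seq: int


@dataclass(frozen=True)
class Rule:
    """One ACL entry. src/dst are networks; "any" is written as 0.0.0.0/0."""
    action: str                       # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    icmp_type: Optional[int] = None   # None matches every ICMP type

    def matches(self, pkt: Icmp) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and (self.icmp_type is None or self.icmp_type == pkt.icmp_type))


def acl_decision(acl, pkt: Icmp) -> str:
    """First matching rule wins; every ACL ends in an implicit deny."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


class Pix:
    def __init__(self, inside_acl, outside_acl, inspect_icmp: bool = False):
        self.inside_acl = inside_acl
        self.outside_acl = outside_acl
        self.inspect_icmp = inspect_icmp
        self.sessions = set()  # simplified connection table keyed on (src, dst, ident, seq)

    def recv(self, pkt: Icmp, iface: str) -> str:
        if iface == "inside":
            verdict = acl_decision(self.inside_acl, pkt)
            # With inspection on, a permitted echo request opens a session entry
            # that the matching reply can later use instead of the outside ACL.
            if verdict == "permit" and self.inspect_icmp and pkt.icmp_type == ECHO_REQUEST:
                self.sessions.add((pkt.dst, pkt.src, pkt.ident, pkt.seq))
            return verdict
        # Packet arriving on the outside interface.
        key = (pkt.src, pkt.dst, pkt.ident, pkt.seq)
        if self.inspect_icmp and pkt.icmp_type == ECHO_REPLY and key in self.sessions:
            self.sessions.discard(key)  # exactly one reply per tracked request
            return "permit"
        # Anything without a session entry is judged by acl-internet.
        return acl_decision(self.outside_acl, pkt)


def ping_outcome(pix: Pix) -> dict:
    """Push one echo request out and three candidate replies in; report each verdict."""
    req = Icmp("192.168.1.10", "66.45.172.7", ECHO_REQUEST, ident=0x1234, seq=1)
    rep = Icmp("66.45.172.7", "192.168.1.10", ECHO_REPLY, ident=0x1234, seq=1)
    unsolicited = Icmp("203.0.113.9", "192.168.1.10", ECHO_REPLY, ident=0x9999, seq=7)
    return {
        "request_out": pix.recv(req, "inside"),
        "reply_in": pix.recv(rep, "outside"),
        "duplicate_reply_in": pix.recv(rep, "outside"),
        "unsolicited_reply_in": pix.recv(unsolicited, "outside"),
    }


PERMIT_ALL = [Rule("permit")]  # stands in for the poster's "any any" acl-inside
NO_ICMP = []                   # acl-internet with no icmp line, as posted


def scenario_as_posted() -> dict:
    return ping_outcome(Pix(PERMIT_ALL, NO_ICMP))


def scenario_echo_reply_acl() -> dict:
    return ping_outcome(Pix(PERMIT_ALL, [Rule("permit", icmp_type=ECHO_REPLY)]))


def scenario_inspect_icmp() -> dict:
    return ping_outcome(Pix(PERMIT_ALL, NO_ICMP, inspect_icmp=True))


if __name__ == "__main__":
    for name, fn in [("as posted", scenario_as_posted),
                     ("echo-reply in acl-internet", scenario_echo_reply_acl),
                     ("inspect icmp", scenario_inspect_icmp)]:
        print(f"{name}: {fn()}")
```

The model makes the difference between the second and third answers visible: an `echo-reply` permit in acl-internet lets the real reply through, but it also admits a reply nobody asked for and a duplicate of a reply already seen, whereas `inspect icmp` admits only the one reply that matches a request the inside host actually sent, with no ICMP permit on the outside interface at all.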