Cisco Support Community

New Member

unable to ping public address behind pix

Hi all,

I am using PIX 7.0. I have opened any-any access for my users behind the firewall, but none of them is able to ping public addresses like www.yahoo.com or IP 66.45.172.7.

Please see the attached show run.

2 ACCEPTED SOLUTIONS
Silver

Re: unable to ping public address behind pix

Please add the command:

access-list acl-internet extended permit icmp any any

This is the access-list on the outside interface. When you try to ping anything on the internet, the ICMP echo request reaches that IP address, and an ICMP echo response is generated which reaches the firewall's outside interface.

As the access-list on the outside interface does not permit ICMP, the replies are dropped, and that's why you do not get replies on the inside.

There are many ICMP commands which you could permit individually.

For details, please check:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

Hope this helps!!

Sushil

Cisco TAC.

Silver

Re: unable to ping public address behind pix

Perhaps you don't even need to use access-lists. With 7.0 code, the PIX can do stateful inspection of ICMP and track the replies coming from outside, allowing them if they match the requests initiated from the inside network. To do so, you can implement the following commands:

policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
 exit
exit

Now check if you are able to ping outbound.

Regards,

Vibhor.

3 REPLIES
New Member

Re: unable to ping public address behind pix

permit icmp any any echo-reply from the internet (acl-internet)

and permit icmp any any echo from the inside (acl-inside)

That should do it.
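The three suggestions in this thread admit quite different amounts of inbound ICMP. The following added example (not from the thread or from Cisco) runs a constructed ping trace through a model of each policy: the broad "permit icmp any any" from the first answer, the echo-reply-only ACL from the last reply, and stateful ICMP inspection from the second answer. The inspector is a simplified model of what the thread describes (match on reversed addresses plus identifier and sequence, one reply per request), not PIX code, and the hosts and addresses are made up.

```python
from collections import namedtuple

# One ICMP packet as the firewall sees it (constructed sample data).
# direction is "out" (inside -> internet) or "in"; kind is "echo" or "echo-reply".
Icmp = namedtuple("Icmp", "label direction src dst kind ident seq")

def acl_any(pkt):
    """Sushil's fix, 'permit icmp any any' on acl-internet: every inbound ICMP passes."""
    return True

def acl_echo_reply(pkt):
    """Third reply's 'permit icmp any any echo-reply': only replies pass inbound,
    but nothing checks that a matching request was ever sent."""
    return pkt.direction == "out" or pkt.kind == "echo-reply"

class IcmpInspector:
    """Simplified model of Vibhor's 'inspect icmp' (illustrative, not Cisco's code): an
    inbound echo-reply is admitted only if it matches a pending outbound echo, once."""
    def __init__(self):
        self.pending = set()
    def allow(self, pkt):
        if pkt.direction == "out":            # inside ACL is any/any, as in the question
            if pkt.kind == "echo":
                self.pending.add((pkt.src, pkt.dst, pkt.ident, pkt.seq))
            return True
        key = (pkt.dst, pkt.src, pkt.ident, pkt.seq)   # reversed addresses, same id/seq
        if pkt.kind == "echo-reply" and key in self.pending:
            self.pending.discard(key)         # one reply per request
            return True
        return False

def evaluate(packets):
    """Per policy, return the labels of the inbound packets that reach the inside network."""
    insp = IcmpInspector()
    policies = {"permit icmp any any": acl_any, "permit echo-reply only": acl_echo_reply,
                "inspect icmp": insp.allow}
    admitted = {name: [] for name in policies}
    for p in packets:
        for name, decide in policies.items():
            if decide(p) and p.direction == "in":
                admitted[name].append(p.label)
    return admitted

# Constructed trace: one real ping exchange, then three inbound packets nobody asked for.
TRACE = [
    Icmp("legit request", "out", "10.1.1.5", "66.45.172.7", "echo", 1, 1),
    Icmp("legit reply", "in", "66.45.172.7", "10.1.1.5", "echo-reply", 1, 1),
    Icmp("duplicate reply", "in", "66.45.172.7", "10.1.1.5", "echo-reply", 1, 1),
    Icmp("unsolicited echo", "in", "203.0.113.9", "10.1.1.5", "echo", 7, 1),
    Icmp("unsolicited reply", "in", "203.0.113.9", "10.1.1.5", "echo-reply", 9, 3),
]
```

Calling evaluate(TRACE) shows the broad ACL letting all four inbound packets through, the echo-reply ACL still admitting stray and duplicate replies, and inspection admitting only the reply that answers the request actually sent from inside.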
