Cisco Support Community

New Member

Allowing ICMP internally


I am not the PIX admin but am trying to pretend. I need to allow my internal IT users to have the ability to ping and tracert from the internal network to the internet. I have been looking at examples but cannot quite get the hang of this. Currently I am using statics and conduits.


Cisco Employee

Re: Allowing ICMP internally

The PIX will open up a hole for return TCP and UDP traffic, but it doesn't do this with ICMP packets, so you have to allow those in specifically.

Add the following to your PIX:

> conduit permit icmp any any echo-reply

> conduit permit icmp any any unreachable

> conduit permit icmp any any time-exceeded

This should get all versions of traceroute and allow for your inside users to ping external devices, but won't allow external devices to ping your internal hosts.

If some things still don't work correctly, or you don't want to be as secure, you could just add:

> conduit permit icmp any any

and that'll allow all ICMP messages through.
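As an added illustration (not part of the original reply), here is a small Python model of the two conduit sets above: it evaluates which inbound ICMP types each set lets through and which tools that makes work, assuming first-match conduit evaluation and that Unix traceroute uses UDP probes while Windows tracert uses ICMP echo probes.

```python
# Added example, not from the thread: models the PIX conduit rules in the
# reply above to show which inbound ICMP messages each rule set permits.

# PIX ICMP type keywords used here, with their ICMP type numbers.
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "echo": 8, "time-exceeded": 11}

# What each tool needs to receive from the outside (assumption for this
# model: Unix traceroute sends UDP probes, Windows tracert sends ICMP echo).
TOOL_NEEDS = {
    "ping": {"echo-reply"},
    "traceroute (UDP probes)": {"time-exceeded", "unreachable"},
    "tracert (ICMP probes)": {"time-exceeded", "echo-reply"},
    "ping from outside": {"echo"},  # what an external host pinging you needs
}

def parse_conduit(line):
    """Parse 'conduit permit|deny icmp any any [type]' into (action, type or None)."""
    parts = line.split()
    if len(parts) < 5 or parts[0] != "conduit" or parts[2] != "icmp":
        raise ValueError(f"unsupported conduit syntax: {line!r}")
    icmp_type = ICMP_TYPES[parts[5]] if len(parts) > 5 else None
    return parts[1], icmp_type

def inbound_icmp_permitted(conduits, icmp_type):
    """First matching conduit wins (model assumption); with no match the
    inbound ICMP is dropped, since the PIX opens no return hole for ICMP."""
    for line in conduits:
        action, t = parse_conduit(line)
        if t is None or t == icmp_type:
            return action == "permit"
    return False

def tools_that_work(conduits):
    """Return the tools whose required inbound ICMP types are all permitted."""
    return {
        tool for tool, needs in TOOL_NEEDS.items()
        if all(inbound_icmp_permitted(conduits, ICMP_TYPES[n]) for n in needs)
    }

RESTRICTIVE = [
    "conduit permit icmp any any echo-reply",
    "conduit permit icmp any any unreachable",
    "conduit permit icmp any any time-exceeded",
]
PERMISSIVE = ["conduit permit icmp any any"]

if __name__ == "__main__":
    print("restrictive:", sorted(tools_that_work(RESTRICTIVE)))
    print("permissive: ", sorted(tools_that_work(PERMISSIVE)))
```

With the restrictive set, inside ping and both traceroute flavours work while an outside host's echo request (type 8) is still dropped; the permissive conduit lets that through too.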
