Cisco Support Community

New Member

Basic PIX Interface Question

Hi Everyone,

My understanding of a general PIX config is to have the inside interface connected to your LAN and the outside interface connected to the "Internet". Now I have configured the NAT to translate my internal 192.168.x.x address to my routable address on the outside interface with the commands global (outside) X.X.X.X and nat (inside) 192.168.X.X, and this all works fine. I have an access-list on my inside interface which permits icmp from any to any. My question is, how do I permit the reply to my pings through my outside interface? If I do not have an ACL on my outside interface permitting ICMP I cannot ping across from the inside to the outside - but I thought an ACL on my outside interface was a bad idea?

Any help would be great if you can understand my poor question!

Many thanks,

Dan

3 REPLIES
New Member

Re: Basic PIX Interface Question

There is another command 'icmp permit' on the pix to take care of outside ICMPs.

Thanks.

Gold

Re: Basic PIX Interface Question

If there is no ACL applied on the inside interface, you don't need to apply "permit icmp any any", because the PIX by default will allow all outgoing traffic.

To permit echo-reply:

access-list acl_out permit icmp any any echo-reply

access-group acl_out in interface outside

Applying an ACL on the outside interface is not a bad idea. It totally depends on the business requirements.

Re: Basic PIX Interface Question

Ping is not a stateful protocol. To allow pings from the inside to the outside interface you need to create an access-list.

If you want to ping the same interface that you are physically connected to, you need to configure the "icmp" command.

See: Handling ICMP Pings with the PIX Firewall

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

The PIX and the traceroute Command

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800e9312.shtml

examples:

Traceroute:

Microsoft:

access-list 101 permit icmp any host YourPublicIP unreachable

access-list 101 permit icmp any host YourPublicIP time-exceeded

access-list 101 permit icmp any host YourPublicIP echo-reply

access-group 101 in interface outside

UNIX:

access-list 101 permit icmp any host YourPublicIP unreachable

access-list 101 permit icmp any host YourPublicIP time-exceeded

access-group 101 in interface outside

ICMP command example:

icmp deny any outside

icmp permit any echo-reply outside

icmp permit any echo-reply inside

icmp permit host 192.168.1.30 echo inside

icmp permit host 192.168.1.31 echo inside

icmp permit host 192.168.1.20 echo inside

icmp permit host 192.168.1.40 echo inside

icmp permit host 192.168.1.100 echo inside

Sincerely,

Patrick
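As an added illustration that is not part of this thread or of Cisco's own tooling, the following Python model shows how the PIX decides whether an ICMP packet passes through the box under the access-list lines in the replies above (both the single echo-reply entry and the traceroute lists): an interface with no ACL bound permits traffic leaving the higher-security side, a bound ACL is evaluated first-match, and every ACL ends in an implicit deny. The public address 203.0.113.10, the Internet hosts 198.51.100.x, the security levels and all function names are constructed assumptions, not values from the thread.

```python
"""Toy model of PIX through-the-box ICMP filtering (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# ICMP type keywords accepted in PIX access-list syntax (subset used in the thread).
ICMP_TYPES = {"echo": 8, "echo-reply": 0, "unreachable": 3, "time-exceeded": 11}

# Assumed security levels: the PIX permits higher->lower traffic when no ACL is bound.
SECURITY_LEVEL = {"inside": 100, "outside": 0}


@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    icmp_type: Optional[int]        # None means any ICMP type


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_config(text):
    """Return (acls, bindings): ACL name -> [Ace], interface name -> ACL name."""
    acls, bindings = {}, {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "access-list" and tokens[3] == "icmp":
            name, action = tokens[1], tokens[2]
            src, i = _parse_addr(tokens, 4)
            dst, i = _parse_addr(tokens, i)
            icmp_type = ICMP_TYPES[tokens[i]] if i < len(tokens) else None
            acls.setdefault(name, []).append(Ace(action, src, dst, icmp_type))
        elif tokens[0] == "access-group":
            # access-group <name> in interface <iface>
            bindings[tokens[4]] = tokens[1]
    return acls, bindings


def evaluate(acls, bindings, iface, src, dst, icmp_type):
    """Decide whether an ICMP packet arriving on iface is allowed through the box.

    For packets arriving on the outside, dst is the global (translated) address,
    because the outside ACL sees the packet before NAT un-translation.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if iface not in bindings:
        # No ACL bound: outbound (higher -> lower security) is permitted by default,
        # anything arriving on the lowest-security interface is denied.
        return "permit" if SECURITY_LEVEL[iface] > SECURITY_LEVEL["outside"] else "deny"
    for ace in acls[bindings[iface]]:
        if src_ip in ace.src and dst_ip in ace.dst and ace.icmp_type in (None, icmp_type):
            return ace.action            # first match wins
    return "deny"                        # implicit deny at the end of every ACL


# Constructed sample: the "Microsoft" traceroute list with a placeholder public IP.
SAMPLE_CONFIG = """
access-list 101 permit icmp any host 203.0.113.10 unreachable
access-list 101 permit icmp any host 203.0.113.10 time-exceeded
access-list 101 permit icmp any host 203.0.113.10 echo-reply
access-group 101 in interface outside
"""


def check_ping_path():
    """Walk one ping and one traceroute through the model and report each verdict."""
    acls, bindings = parse_config(SAMPLE_CONFIG)
    return {
        # inside host pings an Internet host: no inside ACL, so outbound is allowed
        "outbound_echo": evaluate(acls, bindings, "inside", "192.168.1.30", "198.51.100.1", 8),
        # the reply comes back addressed to the global IP and hits the outside ACL
        "returning_echo_reply": evaluate(acls, bindings, "outside", "198.51.100.1", "203.0.113.10", 0),
        # an unsolicited ping from the Internet matches nothing and is dropped
        "unsolicited_echo": evaluate(acls, bindings, "outside", "198.51.100.1", "203.0.113.10", 8),
        # intermediate router's TTL-expiry message needed for tracert to work
        "traceroute_time_exceeded": evaluate(acls, bindings, "outside", "198.51.100.2", "203.0.113.10", 11),
    }


if __name__ == "__main__":
    for name, verdict in check_ping_path().items():
        print(f"{name}: {verdict}")
```

The model deliberately keeps no state: as Patrick says, the PIX is not matching replies to earlier echo requests, so the only thing letting the echo-reply back in is the explicit entry on the outside ACL. Dropping that one line turns "returning_echo_reply" into "deny" while the outbound echo still leaves, which is exactly the symptom Dan describes.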
