Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
758
Views
0
Helpful
7
Replies

icmp access-list

s-chu
Level 1
Level 1

‎01-10-2002 07:16 PM - edited ‎02-20-2020 09:16 PM

I have a small LAN connection with a PIX,I can receive echo-reply from inside interface,but can't

receive from outside and DMZ interface when I in the inside host.

I find some command can help me:

icmp permit 172.16.64.0 255.255.254.0 echo-reply outside

but,I still can't ping outside from inside host,am I miss some command?

thankx!

Labels:
0 Helpful
7 Replies 7

s-chu
Level 1
Level 1

‎01-10-2002 07:26 PM

sorry,I miss some important messages,I use PAT

from inside to outside,It is A.B.C.D

I add the command line

icmp permit host A.B.C.D echo-reply outside,but

still can't ping outside. @@|||

0 Helpful

ross.filipek
Level 1
Level 1
In response to s-chu

‎01-11-2002 06:21 AM

Try writing the access-list like this:

access-list 100 permit icmp any host A.B.C.D echo-reply

access-group 100 in interface outside

access-group 100 in interface dmz

0 Helpful

BRUNO WOLLMANN
Level 1
Level 1
In response to ross.filipek

‎01-25-2002 08:41 AM

I am having the exact same problem. I have tried both the ICMP permit command and the access-list/access-group commands and neither have worked for me.

I can ping the outside interface from a machine in the outside network. I can ping a machine in the outside network from the inside network but I cannot ping the outside interface from the inside network.

What am I missing?

0 Helpful

mike-banks
Level 1
Level 1

‎01-28-2002 09:35 AM

Are you trying to ping the outside interface or ping through the outside interface to some other destination?

0 Helpful

edp
Level 1
Level 1
In response to mike-banks

‎02-06-2002 09:43 AM

Let me throw another wrench into this machine. I have a pix, NATing to the outside, but not to the DMZ. I am unable to ping any of the servers in the DMZ from the PIX, and unable to ping the PIX from the servers. The servers can all ping each other and the PIX (of course) can ping the DMZ interface. My first line of my dmz access list permits ALL ICMP traffic. The last line (though temporary to troubleshoot the access list itself) is ip permit any any. HELP !

0 Helpful

rsnider
Level 1
Level 1

‎02-07-2002 11:58 AM

Try adding the access-group to your inside interface. This will allow the reply to enter the inside network. You will not be able to ping the PIX DMZ interface from inside but you should be able to ping devices on thar network.

access-list 100 permit icmp any host A.B.C.D echo-reply

access-group 100 in interface outside

access-group 100 in interface dmz

access-group 100 in interface inside

0 Helpful

mike-banks
Level 1
Level 1

‎02-08-2002 09:26 AM

I am assuming you do not have a access-list that denies icmp messages on the inside interface. If this is the case, the PIX by default will allow inside host(based upon the nat command) to ping through the PIX. However, by default the outside interface will not allow the reply back inside unless you implictly allow this. If you are using access-list then enter the following commands on your outside interface : access-list outside permit icmp any any echo-reply

access-list outside permit icmp any any source-quench

access-list outside permit icmp any any unreachable

access-list outside permit icmp any any time-exceeded

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents