Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

ICMP Question

I have a PIX 525 I can ping just fine when it is initiated from an inside address going to the outside. I have allowed ICMP reply in my ACL. However, I cannot do the same to the DMZ. I have a PAT global from the inside to the DMZ. When I do an ICMP ECHO, it gets translated to that PAT address, and I can see in sniffer where the machine on the DMZ do an echo-reply back to the PAT address. But on my machine, I get time outs. What is wrong?

Thanks

3 REPLIES
Silver

Re: ICMP Question

Does the ACL for the DMZ allow echo-replies to the PAT address?

Do a [debu icmp trace] and the pix will show you exactly what is happening with that ICMP packet.

New Member

Re: ICMP Question

You could also try (if you havn't already):

access-list DMZ_whatever permit icmp any any

for testing, then dial it in to the host IP instead of any any when you see it working...

Oh, and if you havn't already figured it out, be carefull when using the command "debug icmp trace", it can hose busy networks that are using ICMP for monitoring already. The output will tax the PIX processes...

Just in case.

New Member

Re: ICMP Question

Also try:

icmp permit any

-Rich

86
Views
0
Helpful
3
Replies
CreatePlease to create content