ping from outside to inside

abbas.ali
Level 1

In conduit configuration, to allow ping from outside to inside was pretty much easy by just installing the command,

conduit permit icmp any any.

Now I am converting my conduits to access-list, and just wanted to check if this is the right command to allow icmp traffic from outside network to inside network.

access-list 100 or outside permit icmp any any echo-request

access-list 100 or outside permit icmp any any echo-reply.

Will I enable this on my outside interface or inside interface?

access-group 100 in interface outside or

access-group 100 in interface inside.

3 Replies

shannong
Level 4

To accomplish the same functionality you would use this ACL on the outside interface:

access-list 100 permit icmp any any

I recommend against allowing ping requests in. If you agree, you might want to use something like this:

access-list 100 permit icmp any any echo-reply

access-list 100 permit icmp any any time-exceeded

access-list 100 permit icmp any any unreachables

This will allow ping requests that go out to come back in and traceroute as well.

Is that ACL assigned to the outside interface?

Another question: I have an ACL that denies all outbound traffic except on a few ports. Will I still be able to do so if I create this ACL? Do I add an additional record in my existing ACL to permit ICMP?

If I am too vague I am sorry, I wanted to ask the questions while they were still on my mind and my PIX is at the house.

Yes. That access-list I sampled would be applied to the outside interface. If you have an access-list on the inside interface already, you would also need to include the following to allow ICMP requests to go out:

access-l 102 permit icmp any any eq echo

Also, if you allow connections in from the outside for anything you may want to include unreachables to go out as well:

access-l 102 permit icmp any any eq unreachables
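
An added example, not part of any reply in the thread: a small Python audit that reads `access-list` and `access-group` lines like those quoted above and reports ICMP permits, on an ACL applied inbound to a given interface, that admit every ICMP type or echo requests, which is the case the reply recommends against. The sample configurations are constructed from the thread's commands, and the names `audit_icmp`, `OPEN_CONFIG` and `REPLY_ONLY_CONFIG` are hypothetical.

```python
import re

# Type keywords for ping requests, as written in the thread ("echo", "echo-request").
ECHO_REQUEST = {"echo", "echo-request"}

def _skip_addr(tokens, i):
    """Advance past one address spec: 'any', or a two-token 'host A' / 'A MASK'."""
    return i + 1 if tokens[i:i + 1] == ["any"] else i + 2

def audit_icmp(config, interface="outside"):
    """Return (acl_id, finding) for risky ICMP permits applied inbound on `interface`."""
    bound, entries = set(), []
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"access-group\s+(\S+)\s+in\s+interface\s+(\S+)$", line)
        if m:
            if m.group(2) == interface:
                bound.add(m.group(1))
            continue
        t = line.split()
        # Accept the abbreviated 'access-l' form used in the thread.
        if len(t) >= 6 and len(t[0]) >= 8 and "access-list".startswith(t[0]) \
                and t[2:4] == ["permit", "icmp"]:
            entries.append((t[1], t))
    findings = []
    for acl, t in entries:
        if acl not in bound:  # ACL is defined but not applied to this interface
            continue
        i = _skip_addr(t, _skip_addr(t, 4))  # skip source, then destination
        rest = [x for x in t[i:] if x != "eq"]  # tolerate the 'eq' seen in the thread
        if not rest:
            findings.append((acl, "permits all ICMP types, including echo requests"))
        elif rest[0] in ECHO_REQUEST:
            findings.append((acl, "permits inbound echo requests"))
    return findings

# Constructed sample configurations built from the commands quoted in the thread.
OPEN_CONFIG = """\
access-list 100 permit icmp any any
access-group 100 in interface outside
"""
REPLY_ONLY_CONFIG = """\
access-group 100 in interface outside
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachables
access-l 102 permit icmp any any eq echo
access-group 102 in interface inside
"""
```

Calling `audit_icmp(OPEN_CONFIG)` flags ACL 100, while `audit_icmp(REPLY_ONLY_CONFIG)` returns no findings for the outside interface.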