New Member

ping from outside to inside

In conduit configuration, to allow ping from outside to inside was pretty much easy by just installing the command,

conduit permit icmp any any.

Now I am converting my conduits to access-list, and just wanted to check if this is the right command to allow icmp traffic from outside network to inside network.

access-list 100 or outside permit icmp any any echo-request

access-list 100 or outside permit icmp any any echo-reply.

Will I enable this on my outside interface or inside interface?

access-group 100 in interface outside or

access-group 100 in interface inside.

3 REPLIES
Silver

Re: ping from outside to inside

To accomplish the same functionality you would use this ACL on the outside interface:

access-list 100 permit icmp any any

I recommend against allowing ping requests in. If you agree, you might want to use something like this:

access-list 100 permit icmp any any echo-reply

access-list 100 permit icmp any any time-exceeded

access-list 100 permit icmp any any unreachables

This will allow ping requests that go out to come back in and traceroute as well.

New Member

Re: ping from outside to inside

Is that ACL assigned to the outside interface?

Another question: I have an ACL that denies all outbound traffic except on a few ports. Will I still be able to do so if I create this ACL? Do I add an additional record in my existing ACL to permit ICMP?

If I am too vague, I am sorry. I wanted to ask the questions while they were still on my mind, and my PIX is at the house.

Silver

Re: ping from outside to inside

Yes. That access-list I sampled would be applied to the outside interface. If you have an access-list on the inside interface already, you would also need to include the following to allow ICMP requests to go out:

access-l 102 permit icmp any any eq echo

Also, if you allow connections in from the outside for anything you may want to include unreachables to go out as well:

access-l 102 permit icmp any any eq unreachables
