New Member

ping question and clock question

I have two questions, please help me!

1. I want to ping hosts from inside to outside, but not from outside to inside or to the DMZ. I can use an ACL on my router to do it, but I don't know how to do it on my PIX 525.

2. I use "sh clock" and find that my PIX system time is correct, but when I use a browser to monitor my PIX status, the time is incorrect! (PIX Device Manager interface)

Example: when I watch the CPU utilization graph, the time on the graph is wrong. Why?

3 REPLIES
New Member

Re: ping question and clock question

Cisco recommends only to open ICMP access on the interfaces you want to test. Therefore, disable pinging so that the PIX Firewall unit is not visible on the network. Having open ICMP access increases PIX Firewall operation overhead and can let attackers probe your network. Check out this link:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/config/config.htm#29662

New Member

Re: ping question and clock question

If you allow ICMP echo-reply only, then that should allow you to ping out, but not users to ping in an incoming fashion.

New Member

Re: ping question and clock question

The only way to allow an inside host to ping an outside host and get a reply is to allow echo-reply at the outside interface of your PIX. This will also allow hosts on the outside to ping your PIX's outside interface, but they cannot ping your DMZ or inside hosts without you giving them access with an ACL.

Here is an example of an ACL that I am using:

access-list acl_outside permit icmp any any echo-reply

access-list acl_outside permit icmp any any source-quench

access-list acl_outside permit icmp any any unreachable

access-list acl_outside permit icmp any any time-exceeded
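
The following is an added example, not part of the thread or of any Cisco tooling: a small Python model of first-match evaluation with an implicit deny, run over the four entries quoted above. It assumes the list is applied inbound on the outside interface (the thread does not show that binding), and the sample packets are constructed.

```python
# Added example: models only ICMP-type matching for the quoted ACL.
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "source-quench": 4,
              "echo": 8, "time-exceeded": 11}

# The four entries quoted in the post above.
ACL_TEXT = """\
access-list acl_outside permit icmp any any echo-reply
access-list acl_outside permit icmp any any source-quench
access-list acl_outside permit icmp any any unreachable
access-list acl_outside permit icmp any any time-exceeded
"""

def parse_acl(text):
    """Return [(action, icmp_type)] for 'icmp any any <type>' entries."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if (len(tok) != 7 or tok[0] != "access-list"
                or tok[2] not in ("permit", "deny")
                or tok[3:6] != ["icmp", "any", "any"]):
            raise ValueError(f"unsupported entry: {line!r}")
        rules.append((tok[2], ICMP_TYPES[tok[6]]))
    return rules

def evaluate(rules, icmp_type):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for action, rule_type in rules:
        if rule_type == icmp_type:
            return action
    return "deny"

# Constructed sample packets arriving on the outside interface.
SAMPLES = [
    ("outside host pings an inside host", "echo"),
    ("reply to a ping sent from inside", "echo-reply"),
    ("echo-reply that answers no request", "echo-reply"),
    ("traceroute hop answer", "time-exceeded"),
]

def verdicts():
    rules = parse_acl(ACL_TEXT)
    return [(d, n, evaluate(rules, ICMP_TYPES[n])) for d, n in SAMPLES]

if __name__ == "__main__":
    for desc, name, action in verdicts():
        print(f"{action:6} {name:14} {desc}")
```

The third sample is permitted because the entry matches on ICMP type alone, so narrowing the `any any` source and destination to the hosts that actually need replies reduces what the list lets through.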
