Cisco Support Community

New Member

Ping PIX inside port isn't successful

My server (host) connects to the PIX inside port directly, but it can't ping the PIX successfully.

There is no host firewall on the server.

When I am in PIX monitor mode, I can ping the server from the PIX successfully.

How can I resolve this problem?

3 REPLIES
Gold

Re: Ping PIX inside port isn't successful

Just wondering if the inside interface is in "shutdown" status.

All interfaces will be in "shutdown" status after performing "write erase".

To verify, do "sh int".

e.g.

interface ethernet1 "inside" is administratively down, line protocol is up

New Member

Re: Ping PIX inside port isn't successful

I wonder what the difference is between clear configure and write erase, if they have the same result.

Thank you for the help!

Re: Ping PIX inside port isn't successful

If you want to ping the same interface that you are physically connected to, as your server is to the PIX, then you need to configure the "icmp" command.

Ping is not a stateful protocol. To allow pings from the inside to the outside interface you need to create an access-list.

example:

See: Handling ICMP Pings with the PIX Firewall

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

The PIX and the traceroute Command

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800e9312.shtml

examples:

Traceroute

Microsoft:

access-group 101 in interface outside

access-list 101 permit icmp any host YourPublicIP unreachable

access-list 101 permit icmp any host YourPublicIP time-exceeded

access-list 101 permit icmp any host YourPublicIP echo-reply

UNIX:

access-group 101 in interface outside

access-list 101 permit icmp any host YourPublicIP unreachable

access-list 101 permit icmp any host YourPublicIP time-exceeded

ICMP command example

icmp deny any outside

icmp permit any echo-reply outside

icmp permit any echo-reply inside

icmp permit host 192.168.1.30 echo inside

icmp permit host 192.168.1.31 echo inside

icmp permit host 192.168.1.20 echo inside

icmp permit host 192.168.1.40 echo inside

icmp permit host 192.168.1.100 echo inside

sincerely

Patrick
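
An added example (not from the thread and not Cisco's code) that takes the "ICMP command example" lines posted above and checks which sources may send which ICMP type to a PIX interface, and which rules are never reached. It assumes first-match evaluation in configured order, an implicit deny once an interface has any `icmp` rule, and permit when it has none; the function names are hypothetical.

```python
import ipaddress

# The "ICMP command example" lines from the post, in the order they were posted.
POSTED = """\
icmp deny any outside
icmp permit any echo-reply outside
icmp permit any echo-reply inside
icmp permit host 192.168.1.30 echo inside
icmp permit host 192.168.1.31 echo inside
icmp permit host 192.168.1.20 echo inside
icmp permit host 192.168.1.40 echo inside
icmp permit host 192.168.1.100 echo inside
"""

def parse(text):
    """Parse 'icmp permit|deny any|host IP|IP MASK [icmp_type] if_name' lines."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "icmp" or tok[1] not in ("permit", "deny"):
            continue
        if tok[2] == "any":
            net, rest = ipaddress.ip_network("0.0.0.0/0"), tok[3:]
        elif tok[2] == "host":
            net, rest = ipaddress.ip_network(tok[3] + "/32"), tok[4:]
        else:
            net, rest = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False), tok[4:]
        if rest:  # optional ICMP type (None = every type), then interface name
            rules.append((tok[1], net, rest[0] if len(rest) > 1 else None, rest[-1]))
    return rules

def covers(rule, net, icmp_type, if_name):
    """True if rule applies to this interface, source network and ICMP type."""
    return rule[3] == if_name and net.subnet_of(rule[1]) and rule[2] in (None, icmp_type)

def evaluate(rules, src, icmp_type, if_name):
    """Verdict for ICMP sent to the firewall's own interface address."""
    if not any(r[3] == if_name for r in rules):
        return "permit"          # assumed default: no icmp rules on this interface
    host = ipaddress.ip_network(src + "/32")
    for rule in rules:
        if covers(rule, host, icmp_type, if_name):
            return rule[0]       # first match wins
    return "deny"                # assumed implicit deny after the last rule

def shadowed(rules):
    """Rules an earlier rule on the same interface already covers (never reached)."""
    return [r for i, r in enumerate(rules)
            if any(covers(e, r[1], r[2], r[3]) for e in rules[:i])]
```

Under these assumptions, an inside host that is not in the list gets no reply when it pings the inside interface, and `shadowed(parse(POSTED))` reports the `echo-reply` permit on outside because `icmp deny any outside` precedes it.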
