Cisco Support Community
Community Member

Pinging PIX Internal Interface


How can I ping a PIX internal interface from another network?

Actually I can ping the PIX Internal Interface from the same network that .e.g (mask

Pix Int. Interface:

My Ip :

But at my PIX firewall I have another 5 interfaces that I must ping from my Tivoli Netview server, but I can do it because it's on another network. Also I can reach any host of these networks routed by PIX, so I don't have a routing problem...

I've tried to use the <icmp> command with success.

Thanks in advance

Halan Leno

IT - Staff

Silvio Santos



Re: Pinging PIX Internal Interface


If you want to ping the internal interface from a network connected to another interface with a lower security level, then you need to create an access-list to allow the ICMP traffic:

access-list test permit icmp any any

access-group test in interface

Kind Regards,


Re: Pinging PIX Internal Interface

Actually, this is not 100% accurate based on my understanding of the original post. The above will work if you need to ping hosts off a lower security interface. However, I believe the original poster is trying to ping the interface itself from a device located off of another interface. If this is the case, you will not be able to do this. This is by design and is part of the PIX ASA (Adaptive Security Algorithm). Packets must ingress on one interface and egress another interface in order to be passed. The PIX will not redirect packets back out the same interface where it was received.

This has caused a number of problems in other cases such as this. So, I *think* this behavior is changing in the 7.0 release of PIX, which is due out the 2nd half of 2004. I would recommend speaking with your local Cisco acct team to be sure. Hope this helps.


Community Member

Re: Pinging PIX Internal Interface


The access-list that you've suggested had already been configured. By the way, this is my PIX configuration...


This is the access-list configuration:

access-list acl_mdc_inside_access permit icmp any any (interface 1)

access-list acl_mdc_gerencia_access permit icmp any any (interface 2)

access-list acl_mdc_andares_access permit icmp any any (interface 3)

access-list acl_mdc_sbt_access permit icmp any any (interface 4)

access-list acl_mdc_utdcap_access permit icmp any any (interface 5)

access-list acl_mdc_pan_access permit icmp any any (interface 6)


This is the access-group configuration:

access-group acl_mdc_inside_access in interface inside

access-group acl_mdc_gerencia_access in interface gerencia

access-group acl_mdc_andares_access in interface andares

access-group acl_mdc_pan_access in interface pan

access-group acl_mdc_sbt_access in interface sbt


ip address outside

ip address inside

ip address gerencia

ip address andares

ip address sbt

ip address utdcap

ip address pan

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 gerencia security95

nameif ethernet3 andares security90

nameif ethernet4 sbt security50

nameif ethernet5 utdcap security60

nameif ethernet6 pan security70

nameif ethernet7 failover security35

ip address outside

ip address inside

ip address gerencia

ip address andares

ip address sbt

ip address utdcap

ip address pan

ip address failover

E.g.: From ip=, I can't ping the PIX internal interface, but it is configured by access-list: access-list acl_mdc_utdcap_access permit icmp any any (interface 5)

Thanks in advance;
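
A consistency check over the configuration posted above, as an added example that is not part of the original thread: it cross-references the `access-list`, `access-group` and `nameif` lines and reports ACLs that are defined but never applied, and named interfaces with no `access-group`. The function and variable names are hypothetical, and the config text is copied from the post without the poster's "(interface N)" annotations or the `ip address` lines, whose values are not shown.

```python
import re

# Lines copied from the post above; "(interface N)" notes and ip address lines omitted.
POSTED_CONFIG = """\
access-list acl_mdc_inside_access permit icmp any any
access-list acl_mdc_gerencia_access permit icmp any any
access-list acl_mdc_andares_access permit icmp any any
access-list acl_mdc_sbt_access permit icmp any any
access-list acl_mdc_utdcap_access permit icmp any any
access-list acl_mdc_pan_access permit icmp any any
access-group acl_mdc_inside_access in interface inside
access-group acl_mdc_gerencia_access in interface gerencia
access-group acl_mdc_andares_access in interface andares
access-group acl_mdc_pan_access in interface pan
access-group acl_mdc_sbt_access in interface sbt
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 gerencia security95
nameif ethernet3 andares security90
nameif ethernet4 sbt security50
nameif ethernet5 utdcap security60
nameif ethernet6 pan security70
nameif ethernet7 failover security35
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(?:permit|deny)\b")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)")
NAMEIF_RE = re.compile(r"^nameif\s+\S+\s+(\S+)\s+security(\d+)")


def audit_bindings(config):
    """Return (unapplied ACLs, interfaces with no access-group, bindings to undefined ACLs)."""
    defined, bound, interfaces = set(), {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            defined.add(m.group(1))
        elif m := GROUP_RE.match(line):
            bound[m.group(2)] = m.group(1)  # interface name -> ACL name
        elif m := NAMEIF_RE.match(line):
            interfaces[m.group(1)] = int(m.group(2))  # interface name -> security level
    unbound_acls = sorted(defined - set(bound.values()))
    # Highest security level first, so the most trusted unfiltered interface leads.
    bare_ifaces = sorted(set(interfaces) - set(bound), key=lambda n: -interfaces[n])
    dangling = sorted(a for a in bound.values() if a not in defined)
    return unbound_acls, bare_ifaces, dangling


if __name__ == "__main__":
    print(audit_bindings(POSTED_CONFIG))
```

On the posted lines this reports `acl_mdc_utdcap_access` as defined but not applied, and `utdcap`, `failover` and `outside` as interfaces with no `access-group`.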

