Re-configure PIX 515 Firewall

chicagotech
Level 1

I just bought a PIX 515 Firewall for study. How should I re-configure the PIX?

6 Replies

jackko
Level 7

Do "wri e" to delete the current config and start from zero. One thing that needs to be noticed is that all interfaces will be in "shutdown" status.

Thank you for the tip. But how do I shut down all interfaces?

Thank you for the tip.

I re-configured the PIX and I can ping a public IP from the PIX. However, I can't ping the router or any public IP from the computer connected to the PIX. The computer can ping the inside and outside IP of the PIX, but not the router. The tracert times out on every hop.

Here is the configuration:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname PIX515
domain-name cisco.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.10.254 255.255.255.0
ip address inside 172.16.254.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 172.16.254.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 172.16.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:7b7589c59223bab49e8fa66713583559
: end

Ping to the outside (public IP) from the inside is disabled by default. Use this command to enable it:

conduit permit icmp any any

Regards,

I can ping after adding

access-list outside_in permit icmp any any

access-group outside_in in interface outside

thanks.

General ICMP Note: The < icmp > command is used if you want to ping the interface your PC is connected to. For example, your PC is on the inside interface and you want to ping the inside PIX interface.

If you want to tracert (traceroute) from the inside PC to an Internet host, for example < www.yahoo.com >, then you need to create an < access-list > that allows the returning traffic from the outside to the inside. Why? Because ICMP is not a stateful protocol!!

ICMP Traffic on PIX Firewall:
------------------------------

# Access-List examples:

# Traceroute Microsoft:
access-group 101 in interface outside
access-list 101 permit icmp any host YourPublicIP unreachable
access-list 101 permit icmp any host YourPublicIP time-exceeded
access-list 101 permit icmp any host YourPublicIP echo-reply

# Traceroute UNIX:
access-group 101 in interface outside
access-list 101 permit icmp any host YourPublicIP unreachable
access-list 101 permit icmp any host YourPublicIP time-exceeded

# ICMP command example:
icmp deny any outside
icmp permit any echo-reply outside
icmp permit any echo-reply inside
icmp permit host PrivateIP echo inside

Source:

The PIX and the traceroute Command

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800e9312.shtml

Handling ICMP Pings with the PIX Firewall

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

sincerely

Patrick
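The following Python script is an added example and is not part of the original thread or of any Cisco code. It models the two PIX 6.3 decisions Patrick's reply separates: an access-list applied inbound on the outside interface, which decides whether ICMP return traffic (time-exceeded, unreachable, echo-reply) reaches an inside host because PIX 6.3 keeps no ICMP state, and the icmp command list, which only governs ICMP aimed at the PIX's own interface addresses. It parses only the subset of syntax that appears in the thread ("any" or "host A.B.C.D" addresses, optional ICMP type name), applies first-match semantics with an implicit deny, and uses constructed sample configurations with placeholder addresses (192.0.2.10 as the public IP, 172.16.0.5 as a private host) in place of YourPublicIP and PrivateIP.

```python
"""
Added example, not part of the original Cisco Support Community thread.
Models how a PIX 6.3 (a) outside-interface access-list and (b) icmp command
list decide on ICMP traffic. Syntax handled is the subset used in the thread:
  access-list <id> permit|deny icmp <src> <dst> [icmp-type]
  icmp permit|deny <addr> [icmp-type] <interface>
where <src>/<dst>/<addr> is "any" or "host A.B.C.D".
"""
from dataclasses import dataclass
from typing import Optional

# ICMP type names the thread uses, with their RFC 792 type numbers
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "echo": 8, "time-exceeded": 11}


@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    src: str                  # "any" or a host address
    dst: str                  # "any" or a host address; interface name for icmp rules
    icmp_type: Optional[str]  # None matches every ICMP type


def _take_addr(tokens, i):
    """Consume 'any' or 'host A.B.C.D' at tokens[i]; return (address, next index)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    raise ValueError(f"unsupported address form: {' '.join(tokens[i:])}")


def _take_type(tokens, i):
    """Consume an optional ICMP type name at tokens[i]."""
    if i < len(tokens) and tokens[i] in ICMP_TYPES:
        return tokens[i], i + 1
    return None, i


def parse_access_list(config_lines, acl_id):
    """Collect the ICMP entries of one access-list, in configuration order."""
    rules = []
    for line in config_lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[1] != acl_id or t[3] != "icmp":
            continue
        src, i = _take_addr(t, 4)
        dst, i = _take_addr(t, i)
        icmp_type, _ = _take_type(t, i)
        rules.append(Rule(t[2], src, dst, icmp_type))
    return rules


def parse_icmp_commands(config_lines):
    """Collect 'icmp permit|deny <addr> [type] <ifname>' lines, in order."""
    rules = []
    for line in config_lines:
        t = line.split()
        if len(t) < 4 or t[0] != "icmp":
            continue
        src, i = _take_addr(t, 2)
        icmp_type, i = _take_type(t, i)
        rules.append(Rule(t[1], src, t[i], icmp_type))
    return rules


def first_match(rules, src_ip, dst, icmp_type):
    """First matching entry wins; no match means the implicit deny at the end."""
    for r in rules:
        if (r.src in ("any", src_ip) and r.dst in ("any", dst)
                and r.icmp_type in (None, icmp_type)):
            return r.action == "permit"
    return False


def icmp_to_interface_permitted(config_lines, src_ip, ifname, icmp_type):
    """ICMP addressed to a PIX interface: with no icmp commands at all the PIX
    answers on every interface; once any are present, first match applies."""
    rules = parse_icmp_commands(config_lines)
    return True if not rules else first_match(rules, src_ip, ifname, icmp_type)


# Return traffic each tracer needs inbound on the outside interface. Windows
# tracert probes with ICMP echo, so the final hop answers echo-reply; UNIX
# traceroute probes with UDP, so the final hop answers unreachable. Both need
# time-exceeded from the intermediate hops.
TRACEROUTE_RETURNS = {
    "windows": ("time-exceeded", "echo-reply"),
    "unix": ("time-exceeded", "unreachable"),
}


def traceroute_passes(config_lines, acl_id, public_ip, tool, remote_ip="198.51.100.7"):
    """True when every return type the tool relies on is permitted by the ACL."""
    rules = parse_access_list(config_lines, acl_id)
    return all(first_match(rules, remote_ip, public_ip, t) for t in TRACEROUTE_RETURNS[tool])


# Constructed sample configurations (placeholder addresses, not from the thread)
ACL_WINDOWS = [
    "access-list 101 permit icmp any host 192.0.2.10 unreachable",
    "access-list 101 permit icmp any host 192.0.2.10 time-exceeded",
    "access-list 101 permit icmp any host 192.0.2.10 echo-reply",
    "access-group 101 in interface outside",
]
ACL_UNIX = ACL_WINDOWS[:2] + ACL_WINDOWS[3:]        # same list without echo-reply
ACL_OPEN = ["access-list outside_in permit icmp any any",
            "access-group outside_in in interface outside"]
ICMP_CMDS = [
    "icmp permit any echo-reply outside",   # specific permit before the catch-all deny
    "icmp deny any outside",
    "icmp permit any echo-reply inside",
    "icmp permit host 172.16.0.5 echo inside",
]

if __name__ == "__main__":
    for tool in TRACEROUTE_RETURNS:
        print(f"{tool} traceroute with the UNIX list:",
              traceroute_passes(ACL_UNIX, "101", "192.0.2.10", tool))
    print("Internet host pinging the outside interface:",
          icmp_to_interface_permitted(ICMP_CMDS, "203.0.113.9", "outside", "echo"))
```

The UNIX list lets a UNIX traceroute complete but leaves Windows tracert timing out on the last hop, which is the symptom chicagotech reported; the three-type list is also narrower than the `permit icmp any any` that resolved the thread, since it admits only the reply types a tracer needs and still drops inbound echo requests. Because both lists are evaluated first-match with an implicit deny, the echo-reply permit in the constructed icmp list is placed ahead of the catch-all deny.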
