Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

sending icmp through a Pix

I want to set up a mchine behind the firewall to be able to ping a outsdie computer.

I looked at the cisco documentation, Handling ICMP Pings with the Pix Firewall. I configure every rule accordingly, and is not working.

The icmp packet is going out, but I am not even seeing any icmp packet returning. When I ping the same computer on the firewall, I am seeing the return.

Do I miss something? Pix version is 7.1.

3 REPLIES

Re: sending icmp through a Pix

Hi,

Can you post your config, or at least the ACLs?

The ACL on the inside interface, try to allow all ICMP before putting specific ICMP-type like echo-reply and so on.

There are two options in PIX 7.x that allow inside users to ping outside. The first option is to setup a specific rule for each type of echo message. For example:

access-list 101 permit icmp any any echo-reply

access-list 101 permit icmp any any source-quench

access-list 101 permit icmp any any unreachable

access-list 101 permit icmp any any time-exceeded

access-group 101 in interface outsideThis allows only these return messages through the firewall when an inside user pings to an outside host. The other types of ICMP status messages might be hostile and the firewall blocks all other ICMP messages.

Another option is to configure icmp inspection. This allows a trusted IP address to traverse the firewall and allows replies back to the trusted address only. This way, all inside interfaces can ping outside and the firewall allows the replies to return. This also gives you the advantage of monitoring the ICMP traffic that traverses the firewall.

For example:

policy-map global_policy

class inspection_default

inspect icmp

Cisco PIX 7.x on ICMP/ping to outside firewall:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_qanda_item09186a00805b87d8.shtml#q6

Additionally, check your internet router for any ACL statement denying specific icmp type.

Rgds,

AK

New Member

Re: sending icmp through a Pix

Thank you. I used the first option. It works well. The reason it wasn't working before was I had it applied to the wrong interface. Since I was thinking of pinging outside, I applied the ACLs on the inside interface.

New Member

Re: sending icmp through a Pix

If you enable the icmp fixup you won't need acl allowing icmp anywhere.

94
Views
5
Helpful
3
Replies
CreatePlease to create content