I need some help regarding ICMP destined to a DMZ host/subnet from a nonconnected inside subnet. I have 2 PIX 525's at 2 different locations. The subnets know about each other via routing on a pair of 6513's at each site. I CAN ping from PIX inside to PIX inside over the WAN link, but I canNOT ping from one PIX to a host on the DMZ off of the other PIX. All hosts on the inside CAN ping the DMZ host (web server) except the PIX on the far network.
What do you need to know about the config in order to give an answer?
Which interface on the Pix leads to the WAN interface?
When you CAN ping, do you mean you're pinging from one pix to the other? Or from an inside host on one pix to a host on the other pix?
With the failing ping to the DMZ, is this ping from the Pix to the host on the other Pix? Or some inside host? If an inside host, is it the same one that can successfully ping inside hosts on the other pix?
Here is what I have for ICMP access lists and associated groups:
access-list outside-access-in permit icmp any any echo-reply
access-list outside-access-in permit icmp any any time-exceeded
access-list outside-access-in permit icmp any any unreachable
access-list DMZ-access-in permit icmp any any
access-group outside-access-in in interface outside
access-group DMZ-access-in in interface DMZ-1
However, the outside has nothing to do with the issue as I am not accessing anything via the outside interface... I just wanted to include it for the sake of showing ALL ICMP access allowed through the PIX's.
This I have on both PIX so they can ping each other's INTERNAL interfaces (this works):