Echo Reply dies at pix

 
 
alex
      07-28-2004
This seems like it should be an easy fix but I'm still learning about
the pix515.

this works
ping outside 66.218.71.63

this doesn't
ping inside 66.218.71.63

furthermore.. if a computer on the inside interface tries to ping
yahoo.com (66.218.71.63) they don't get a reply, however if you are
watching the pix terminal at the time and you have 'debug icmp trace'
set you see the reply coming back, it just never reaches the computer.

any hints?
 
 
virgilv
      07-29-2004
alex <firespeaks at yah00 dot com> wrote:
> This seems like it should be an easy fix but I'm still learning about
> the pix515.
>
> this works
> ping outside 66.218.71.63
>
> this doesn't
> ping inside 66.218.71.63
>
> furthermore.. if a computer on the inside interface tries to ping
> yahoo.com (66.218.71.63) they don't get a reply, however if you are
> watching the pix terminal at the time and you have 'debug icmp trace'
> set you see the reply coming back, it just never reaches the computer.
>
> any hints?


Well, first - you can't ping that IP address from the inside, because
there is not an existing route from the inside to that IP; only from
the outside interface - that is normal.

Do you have your NAT / PAT working correctly?
'nat (inside) 1 0.0.0.0 0.0.0.0' and then 'global (outside) 1 interface'

Without knowing what your config looks like, it is hard to say.
 
 
Speedy
      07-29-2004
alex <firespeaks at yah00 dot com> wrote:
> This seems like it should be an easy fix but I'm still learning about
> the pix515.
>
> this works
> ping outside 66.218.71.63
>
> this doesn't
> ping inside 66.218.71.63
>
> furthermore.. if a computer on the inside interface tries to ping
> yahoo.com (66.218.71.63) they don't get a reply, however if you are
> watching the pix terminal at the time and you have 'debug icmp trace'
> set you see the reply coming back, it just never reaches the computer.
>
> any hints?


Inbound ICMP through the PIX is denied by default, even if the echo
request was initiated from the inside. You must define an access-list
allowing the echo-replies. See
http://www.cisco.com/en/US/products/...80094e8a.shtml
for a well defined explanation.
 
 
pbundschuh@alumni.nd.edu
      07-29-2004
>
> Inbound ICMP through the PIX is denied by default, even if the echo
> request was initiated from the inside. You must define an access-list
> allowing the echo-replies. See
> http://www.cisco.com/en/US/products/...80094e8a.shtml
> for a well defined explanation.


Here's an example of an ACL that allows in icmp echo replies, plus a couple
other useful ones. Note this will stop any incoming pings (echo). This ACL
should be applied to the outside interface:

access-list outside line 4 permit icmp any any echo-reply
access-list outside line 5 permit icmp any any time-exceeded
access-list outside line 6 permit icmp any any unreachable
access-list outside line 7 deny icmp any any
 
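Added example (not part of the thread and not any poster's code): a small Python model of first-match evaluation over the four ACL lines posted above, showing which inbound ICMP types pass and why the deny entry has to come last. It models only the ICMP type because every posted entry uses "any any"; the function names are hypothetical, and lines 1-3 of the poster's list are not on the page and are not modelled.

```python
# ICMP type numbers for the keywords used in the posted ACL.
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "echo": 8, "time-exceeded": 11}

# The four posted entries, in line order. None means "any ICMP type".
ACL_OUTSIDE = [
    ("permit", "echo-reply"),
    ("permit", "time-exceeded"),
    ("permit", "unreachable"),
    ("deny", None),
]

def evaluate(acl, icmp_type):
    """First matching entry wins. Returns (action, index); index None = implicit deny."""
    for index, (action, type_name) in enumerate(acl):
        if type_name is None or ICMP_TYPES[type_name] == icmp_type:
            return action, index
    return "deny", None  # access lists end with an implicit deny

def audit(acl):
    """Action taken for each known ICMP type arriving on the interface."""
    return {name: evaluate(acl, number)[0] for name, number in ICMP_TYPES.items()}

def shadowed(acl):
    """Indices of entries that can never match because an earlier entry covers them."""
    dead = []
    for index, (_, type_name) in enumerate(acl):
        if any(t is None or t == type_name for _, t in acl[:index]):
            dead.append(index)
    return dead

if __name__ == "__main__":
    for name, action in audit(ACL_OUTSIDE).items():
        print(f"inbound icmp {name:<14} -> {action}")
    # Constructed mis-ordering: the deny entered ahead of the permits.
    misordered = [ACL_OUTSIDE[3]] + ACL_OUTSIDE[:3]
    print("entries that never match if the deny comes first:", shadowed(misordered))
```
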
 
 
 