"Walter Roberson" <> wrote in message
news:cl3akc$6lj$...
> In article <41752ae4$>, Rob <> wrote:
> :I am configuring a 515e (6.3) and having problem with enabling ping.
> :I have added:
> :icmp permit any echo outside
> :icmp permit any echo-reply outside
> :icmp permit any echo inside
> :icmp permit any echo-reply inside
>
> Those control what icmp is permitted to the PIX itself and have
> nothing to do with what is permitted *through* the PIX.
>
> :conduit permit icmp any any
>
> That permits all inbound icmp, I think.
>
>
> :However still ping doesn't work, (Firewall, Internet access works fine), does
> :anyone know how to enable ping on this box.
>
> Do you have access controls applied to your inside interface? If so
> then my thought is that you aren't allowing the outbound icmp echo
> packets needed for ping.
>
> If you do not have access controls applied to your inside interface,
> then I cannot help you any further. The 'conduit' command was
> deprecated as of PIX 5.2.1, and will not be available in the
> next major software release, the now late PIX 7.0. Cisco indicates
> in the release notes that conduit is broken in some cases, and that
> as of PIX 6.2.1 there are known problems with conduit which will
> not be fixed. It is thus my policy not to assist in debugging
> configurations that have 'conduit' commands in them: there is,
> to my mind, no point in spending time trying to figure out why
> the configuration might be failing when the problem might be
> a PIX bug.
>
> If you revise your configuration to use purely the access-list/
> access-group model and the problem still occurs, then we are
> more likely to be able to help you.
> --
> This is not the same .sig the second time you read it.
I removed the conduit and added access-list, however still cannot ping the
outside.
PIX(config)# access-list 120 permit icmp any any
PIX(config)# access-gro 120 in inter outs
PIX(config)# access-gro 120 in inter insi
Thanks again - Rob