Basic question: Pix & ICMP echo replies

Discussion in 'Cisco' started by Jesper Jenssen, Nov 21, 2003.

  1. Dear group, I'm pretty much stuck with a fairly basic problem. Pix 501
    (6.3). I'd like to ping from the inside to the outside, and have done
    everything using the documents. I must be doing something wrong. How do I
    allow pings to pass through the pix, and be able to receive the replies. Any
    help would be appreciated. I know it is simple, but I can't figure it out.
    Jesper
    Jesper Jenssen, Nov 21, 2003
    #1

  2. In article <3fbe84ef$0$1506$4all.nl>,
    Jesper Jenssen <> wrote:
    :Dear group, I'm pretty much stuck with a fairly basic problem. Pix 501
    :(6.3). I'd like to ping from the inside to the outside, and have done
    :everything using the documents. I must be doing something wrong. How do I
    :allow pings to pass through the pix, and be able to receive the replies. Any
    :help would be appreciated. I know it is simple, but I can't figure it out.

    First, you cannot ping the outside interface of the PIX itself from
    the inside network -- the PIX won't answer those.

    Second, the way to control what the PIX itself does for icmp is
    through the 'icmp' command.

    Third, the way to control the passage of icmp -through- the PIX is
    by access-lists.

    6.3 made some improvements in Adaptive Security for icmp, but the PIX
    still has trouble automatically recognizing responses. For now, you
    are better off configuring the access lists so that icmp responses are
    treated as if they were new icmp.


    : block RFC1918 private address ranges and other stuff that should not exist
    access-list out2in deny ip 192.168.0.0 255.255.0.0 any
    access-list out2in deny ip 172.16.0.0 255.240.0.0 any
    access-list out2in deny ip 10.0.0.0 255.0.0.0 any
    access-list out2in deny ip 127.0.0.0 255.0.0.0 any
    : and so on

    access-list out2in permit icmp any any echo-reply
    access-list out2in permit icmp any any unreachable
    access-list out2in permit icmp any any time-exceeded
    : and other traffic to servers here

    access-list out2in in interface outside


    If you have no access-list applied to the inside interface, the
    default is to let all traffic out, but if you want finer control than
    that,


    : block RFC1918 private address ranges and other stuff that should not exist
    access-list in2out deny ip any 192.168.0.0 255.255.0.0
    access-list in2out deny ip any 172.16.0.0 255.240.0.0
    access-list in2out deny ip any 10.0.0.0 255.0.0.0
    access-list in2out deny ip any 127.0.0.0 255.0.0.0
    : and so on

    access-list in2out permit icmp any any echo
    access-list in2out permit icmp any any unreachable
    access-list in2out permit icmp any any time-exceeded
    : and any other traffic to the outside here -- caution, default is to deny!

    access-list in2out in interface inside
    --
    Rome was built one paycheck at a time. -- Walter Roberson
    Walter Roberson, Nov 21, 2003
    #2
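    To make the mechanics of Walter's answer concrete, here is a small added example (my own code, not from the thread or from Cisco) that models how a PIX 6.x access-list is evaluated: entries are checked top to bottom, the first match decides, and anything left over hits the implicit deny. It parses the out2in list exactly as posted above (':' lines are PIX comments, masks are real netmasks rather than IOS-style wildcards) and then checks a few constructed packets. The addresses (198.51.100.7 as the outside host, 203.0.113.10 as the PIX's global NAT address) and the helper names are assumptions for illustration only. Note that the list is applied with `access-group`, as the follow-up posts correct.

```python
"""Toy model of PIX 6.x access-list evaluation: first match wins, implicit deny.

Added example, not code from the thread. It shows why the explicit
'permit icmp any any echo-reply' entry is what lets ping replies back in
on a PIX 6.3 that does not track outbound ICMP state. All addresses are
constructed documentation ranges (RFC 5737).
"""
import ipaddress

# ICMP type keywords used in the thread, mapped to RFC 792 type numbers
ICMP_TYPES = {"echo": 8, "echo-reply": 0, "unreachable": 3, "time-exceeded": 11}

# The inbound list from the thread (':' lines are PIX comments)
OUT2IN = """\
: block RFC1918 private address ranges and other stuff that should not exist
access-list out2in deny ip 192.168.0.0 255.255.0.0 any
access-list out2in deny ip 172.16.0.0 255.240.0.0 any
access-list out2in deny ip 10.0.0.0 255.0.0.0 any
access-list out2in deny ip 127.0.0.0 255.0.0.0 any
access-list out2in permit icmp any any echo-reply
access-list out2in permit icmp any any unreachable
access-list out2in permit icmp any any time-exceeded
"""


def _addr(tok, i):
    """Parse one address operand starting at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # PIX access-lists take a real netmask (255.255.0.0), not an IOS wildcard
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_acl(text):
    """Return a list of (name, action, proto, src_net, dst_net, icmp_type)."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue  # skips blank lines and ':' comment lines
        name, action, proto = tok[1], tok[2], tok[3]
        src, i = _addr(tok, 4)
        dst, i = _addr(tok, i)
        icmp_type = ICMP_TYPES[tok[i]] if proto == "icmp" and i < len(tok) else None
        rules.append((name, action, proto, src, dst, icmp_type))
    return rules


def evaluate(rules, name, proto, src, dst, icmp_type=None):
    """First matching entry in list 'name' decides; no match is the implicit deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r_name, action, r_proto, r_src, r_dst, r_type in rules:
        if r_name != name:
            continue
        if r_proto != "ip" and r_proto != proto:  # 'ip' entries match every protocol
            continue
        if src_ip not in r_src or dst_ip not in r_dst:
            continue
        if r_type is not None and r_type != icmp_type:
            continue
        return action
    return "deny"


def ping_reply_allowed(acl_text):
    """Does an echo-reply from an outside host reach our (constructed) NAT address?"""
    rules = parse_acl(acl_text)
    return evaluate(rules, "out2in", "icmp", "198.51.100.7", "203.0.113.10", 0) == "permit"


# The same list without the echo-reply entry: the original poster's situation,
# where the reply is dropped silently at the outside interface.
WITHOUT_REPLY = "\n".join(l for l in OUT2IN.splitlines() if "echo-reply" not in l)

if __name__ == "__main__":
    rules = parse_acl(OUT2IN)
    print("reply, full list       :", ping_reply_allowed(OUT2IN))         # True
    print("reply, no echo-reply   :", ping_reply_allowed(WITHOUT_REPLY))  # False
    # an unsolicited echo request from outside still falls through to the implicit deny
    print("inbound echo request   :", evaluate(rules, "out2in", "icmp", "198.51.100.7", "203.0.113.10", 8))  # deny
    # a reply claiming a 10/8 source is caught by the earlier bogon entry (first match)
    print("reply from 10.1.2.3    :", evaluate(rules, "out2in", "icmp", "10.1.2.3", "203.0.113.10", 0))  # deny
```

    The ordering matters: the RFC1918 denies sit above the ICMP permits, so a reply with a private source is refused before the echo-reply entry is ever consulted, which is the behaviour Walter's list relies on. The same parser handles the in2out list from the post.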

  3. "Walter Roberson" <-cnrc.gc.ca> schreef in bericht
    news:bpm44o$efu$...

    >
    > : block RFC1918 private address ranges and other stuff that should not exist
    > access-list out2in deny ip 192.168.0.0 255.255.0.0 any
    > access-list out2in deny ip 172.16.0.0 255.240.0.0 any
    > access-list out2in deny ip 10.0.0.0 255.0.0.0 any
    > access-list out2in deny ip 127.0.0.0 255.0.0.0 any
    > : and so on
    >
    > access-list out2in permit icmp any any echo-reply
    > access-list out2in permit icmp any any unreachable
    > access-list out2in permit icmp any any time-exceeded
    > : and other traffic to servers here
    >
    > access-list out2in in interface outside
    >


    Thanks! That did the trick, even better, I now understand what I was doing
    wrong. Just to make sure that I don't completely mess up: didn't you mean
    access-group out2in in interface outside?

    Thanks again, it is a great feeling that it really works after struggling
    for hours!
    Jesper
    Jesper Jenssen, Nov 21, 2003
    #3
  4. In article <3fbe9979$0$1500$4all.nl>,
    Jesper Jenssen <> wrote:
    :Just to make sure that I don't completely mess up: didn't you mean
    :access-group out2in in interface outside?

    Oops, yes.
    --
    Beware of bugs in the above code; I have only proved it correct,
    not tried it. -- Donald Knuth
    Walter Roberson, Nov 21, 2003
    #4
