Echo Reply dies at pix

Discussion in 'Cisco' started by alex, Jul 28, 2004.

  1. alex

    alex Guest

    This seems like it should be an easy fix but I'm still learning about
    the pix515.

    This works:
    ping outside 66.218.71.63

    This doesn't:
    ping inside 66.218.71.63

    Furthermore, if a computer on the inside interface tries to ping
    yahoo.com (66.218.71.63) they don't get a reply; however, if you are
    watching the pix terminal at the time and you have 'debug icmp trace'
    set you see the reply coming back, it just never reaches the computer.

    Any hints?
     
    alex, Jul 28, 2004
    #1

  2. alex

    virgilv Guest

    alex <firespeaks at yah00 dot com> wrote in message news:<>...
    > This seems like it should be an easy fix but I'm still learning about
    > the pix515.
    >
    > This works:
    > ping outside 66.218.71.63
    >
    > This doesn't:
    > ping inside 66.218.71.63
    >
    > Furthermore, if a computer on the inside interface tries to ping
    > yahoo.com (66.218.71.63) they don't get a reply; however, if you are
    > watching the pix terminal at the time and you have 'debug icmp trace'
    > set you see the reply coming back, it just never reaches the computer.
    >
    > Any hints?


    Well, first - you can't ping that IP address from the inside, because
    there is not an existing route from the inside to that IP; only from
    the outside interface - that is normal.

    Do you have your NAT / PAT working correctly?

        nat (inside) 1 0.0.0.0 0.0.0.0

    and then

        global (outside) 1 interface

    Without knowing what your config looks like, it is hard to say.
     
    virgilv, Jul 29, 2004
    #2

  3. alex

    Speedy Guest

    alex <firespeaks at yah00 dot com> wrote in message news:<>...
    > This seems like it should be an easy fix but I'm still learning about
    > the pix515.
    >
    > This works:
    > ping outside 66.218.71.63
    >
    > This doesn't:
    > ping inside 66.218.71.63
    >
    > Furthermore, if a computer on the inside interface tries to ping
    > yahoo.com (66.218.71.63) they don't get a reply; however, if you are
    > watching the pix terminal at the time and you have 'debug icmp trace'
    > set you see the reply coming back, it just never reaches the computer.
    >
    > Any hints?


    Inbound ICMP through the PIX is denied by default, even if the echo
    request was initiated from the inside. You must define an access-list
    allowing the echo-replies. See
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
    for a well defined explanation.
     
    Speedy, Jul 29, 2004
    #3
  4. alex

    Guest

    >
    > Inbound ICMP through the PIX is denied by default, even if the echo
    > request was initiated from the inside. You must define an access-list
    > allowing the echo-replies. See
    > http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
    > for a well defined explanation.


    Here's an example of an ACL that allows in icmp echo replies, plus a couple
    other useful ones. Note this will stop any incoming pings (echo). This ACL
    should be applied to the outside interface:

    access-list outside line 4 permit icmp any any echo-reply
    access-list outside line 5 permit icmp any any time-exceeded
    access-list outside line 6 permit icmp any any unreachable
    access-list outside line 7 deny icmp any any
     
    , Jul 29, 2004
    #4
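
An added illustration, not code from any poster in this thread or from Cisco: a small Python model of how the ACL in post #4 is evaluated top-down with first match winning, so echo-reply, time-exceeded and unreachable are let in from the outside while echo (inbound ping) hits the explicit deny. It assumes a simplified matcher that only understands `icmp any any [type]` entries; the function names and the type-name table are constructed for this example.

```python
# Added illustration: a simplified model of first-match ACL evaluation,
# limited to "icmp any any [type]" entries. Not Cisco code.
import re

# ICMP type names relevant to the ACL in the post, with their type numbers.
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "echo": 8, "time-exceeded": 11}

# The ACL exactly as posted in the thread.
ACL_TEXT = """\
access-list outside line 4 permit icmp any any echo-reply
access-list outside line 5 permit icmp any any time-exceeded
access-list outside line 6 permit icmp any any unreachable
access-list outside line 7 deny icmp any any
"""

ENTRY = re.compile(
    r"access-list\s+(?P<name>\S+)\s+(?:line\s+(?P<line>\d+)\s+)?"
    r"(?P<action>permit|deny)\s+icmp\s+any\s+any(?:\s+(?P<type>\S+))?\s*$"
)

def parse_acl(text):
    """Return entries as (line_no, action, icmp_type_or_None), in order."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = ENTRY.match(raw.strip())
        if m is None:
            raise ValueError(f"unsupported entry: {raw!r}")
        icmp_type = ICMP_TYPES[m["type"]] if m["type"] else None
        entries.append((int(m["line"] or 0), m["action"], icmp_type))
    return entries

def evaluate(entries, icmp_type):
    """First matching entry decides; no match falls to the implicit deny."""
    for line_no, action, wanted in entries:
        if wanted is None or wanted == icmp_type:
            return action, line_no
    return "deny", None  # implicit deny at the end of every ACL

if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for name, number in sorted(ICMP_TYPES.items(), key=lambda kv: kv[1]):
        action, line_no = evaluate(acl, number)
        print(f"inbound icmp {name:<13} (type {number:>2}) -> {action} (line {line_no})")
```

Dropping the last entry from the list shows that inbound echo is still denied, this time by the implicit deny rather than line 7.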