Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Newbi needs help - Pix 501 and Ping

Status
Not open for further replies.
StaffanC

StaffanC

Technical User
Nov 19, 2003
3
0
0
SE
Hi there folks!

I'm new to firewalls. Bougth a Pix 501 ( FOS 6.3(1) and PDM 3.0) an eminent book on the actual hardware. Recommended reading by this forum, actually.

I've got the firewall up and running behind my home ADSL internet connection. I can browse the web without any problems at all. But, as always, I get stuck on trivialities!

When I try to ping the office Netgear Router (OK I will replace it with the PIX in due time) the PIX won't let the ping through (I dont even know if it will let the PING out in the first place either).

I've tried (using the PDM) to enable ICMP on the inside/outside interface. I've tried to make an ACL etc.

Please, help me out here. In my opinion, the PIX should let it through since I'm initiating from the inside? I'm sure this is basics but never the less it's ruining my day!

Look forward to takeing part of your ideas.

Kind regards,

Staffan Carlsson

 
Sort by date Sort by votes
HI.

> Please, help me out here. In my opinion, the PIX should let it through since I'm initiating from the inside?
You're logic is good, but the pix implementation of ICMP does not work like TCP so it is not working the same way.

What devices do you have between your PIX and the ISP?
Modem/Router? is it doing NAT also?
Can you ping the modem/router?
Can you ping your ISP DNS server?
Post the pix config (see the FAQ for guidelines).

> I've tried (using the PDM) to enable ICMP on the inside/outside interface
You should use "Access Rules", the first page in PDM, to enable ICMP **via** the pix. Enabling ICMP on the interfaces is only for pinging the pix own interfaces.

More info:

PIX Links:

Software Samples and Tips:

Handling ICMP Pings with the PIX Firewall:



Yizhar Hurwitz
 
Upvote 0 Downvote
Note:

The last link (Handling ICMP Pings with the PIX Firewall) is an old one using the obsolute "conduit" command.
However it also includes the newer "access-list" command.

You should use access-list commands, for example:

access-list fromoutside permit icmp any any eq echo-reply
access-group fromoutside in interface outside

Bye


Yizhar Hurwitz
 
Upvote 0 Downvote
Dear Yizhar,

Many thanks for your interest and suggestions for icmp configuration. After having read some additional chapters in my Cisco Pix Firewalls book, by Richard Deal, I found a similar solution to the problem as the one you suggested in your emminent answer.

Once again, many thanks for you time and trouble.

Cheers,

Staffan Carlsson
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
136
Sameer258
Sameer258
intel233
  • Locked
  • Question
Cisco ASA 5510 -Static NAT Help
Replies
8
Views
154
intel233
intel233
Tommy_T
  • Locked
  • Question
Sonic wall - Have an issue remotely connectioning VNC and SMB (and AFP) to one of the 2 ISP circuits
Replies
1
Views
114
nnaarrnn
nnaarrnn
tklamb
  • Locked
  • Question
ACL help
Replies
0
Views
45
tklamb
tklamb
Nitta84
  • Locked
  • Question
navigation slow and tcp syc/ack drop
Replies
0
Views
86
Nitta84
Nitta84

Part and Inventory Search

Sponsor

Back
Top