Ping from PIX

Status
Not open for further replies.

sghezzi

Technical User
Apr 7, 2003
56
DE
Hello,

I have a PIX 525 with OS 6.1. I cannot ping from the PIX itself to anything outside, even if I have an outgoing access-list that allows all ICMP, and an inbound access-list that allows ICMP echo-reply and destination-unreachable.

I always get this answer:
mebfirewall(config)# ping 213.157.198.250
213.157.198.250 NO response received -- 1000ms
213.157.198.250 NO response received -- 1000ms
213.157.198.250 NO response received -- 1000ms

Does someone know why?

Thanks
Silvia
 
ping (outsideinterfacename) 213.157.198.250

Then try it.
 
Sorry, it still doesn't work?
Still no response received.
Any other idea?
 
Can you ping this address from inside the firewall? Can you ping ANY site from within the firewall? If you can ping from within your firewall then try that site from your firewall. After these basic steps and if you can't ping then post your config.

If you have the line...

icmp deny any outside

then you will not receive any icmp packets. ACLs don't come into play when you are pinging from the PIX itself, only when traffic is being passed through it.

I just tried these settings on my PIX and it worked exactly like that. If I have icmp deny any outside then I can't ping my ISP router from the PIX but I can from my workstation inside. When I do a no icmp deny any outside then I can ping my ISP router. I removed my access-list inbound for allowing echo-reply and was still able to ping my ISP router from the PIX but not from my workstation.
 
Damn it!!! You are definitely right!
I thought that the icmp command on PIX regarded ICMP from OUTSIDE, not from PIX to outside!!!
What happens then if I remove the icmp deny any outside?
Can everybody ping the PIX from outside?
Or in this case do the ALs play their role?

 
Remember, the ICMP packets are not being blocked going out, the echo-reply packets are being dropped upon their return. So you are in fact pinging out and getting a reply but this statement is doing its job and dropping them.

If you remove the deny icmp any outside statement then the pix itself is wide open to any ICMP packets. You can specify the ICMP type that is permitted. So if you have to be able to ping from the pix you may want your icmp statement to be

icmp permit any echo-reply outside

However, I am unsure whether this works like an ACL where there is an implicit deny any. I will have to try that one to find out.
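
The following is an added example, not part of the thread or of Cisco's code: a small Python model of how ICMP addressed to a PIX interface is checked against the icmp rules discussed above. It assumes first-match evaluation with an implicit deny once an interface has any icmp rule (the point the last reply leaves open); the function names and the source address 198.51.100.7 are constructed for illustration.

```python
# Added illustration: models ICMP that terminates ON a PIX interface.
# Through-traffic ACLs are deliberately absent; they do not apply to this path.

def parse_rule(line):
    """Parse 'icmp permit|deny any|host <ip> [icmp_type] <if_name>'."""
    w = line.split()
    if len(w) < 4 or w[0] != "icmp" or w[1] not in ("permit", "deny"):
        raise ValueError(f"unsupported rule: {line!r}")
    action, rest = w[1], w[2:]
    if rest[0] == "any":
        src, rest = None, rest[1:]            # None matches every source
    elif rest[0] == "host" and len(rest) >= 3:
        src, rest = rest[1], rest[2:]
    else:
        raise ValueError(f"unsupported source in: {line!r}")
    if len(rest) not in (1, 2):
        raise ValueError(f"unsupported rule: {line!r}")
    icmp_type = rest[0] if len(rest) == 2 else None   # None matches every type
    return (action, src, icmp_type, rest[-1])

def to_the_box(rules, if_name, src_ip, pkt_type):
    """Return 'accept' or 'drop' for an ICMP packet arriving for the PIX itself."""
    on_if = [r for r in rules if r[3] == if_name]
    if not on_if:
        return "accept"        # no icmp rule on this interface: everything accepted
    for action, src, icmp_type, _ in on_if:   # first matching rule decides
        if src in (None, src_ip) and icmp_type in (None, pkt_type):
            return "accept" if action == "permit" else "drop"
    return "drop"              # ASSUMPTION: implicit deny once any rule exists

def report(config_lines):
    """Verdicts for the two packets the thread is concerned with."""
    rules = [parse_rule(line) for line in config_lines]
    return {
        # echo-reply coming back from the host pinged in the first post
        "reply_to_pix_ping": to_the_box(rules, "outside", "213.157.198.250", "echo-reply"),
        # echo request from an arbitrary outside host (constructed address)
        "outside_pings_pix": to_the_box(rules, "outside", "198.51.100.7", "echo"),
    }

if __name__ == "__main__":
    for cfg in (["icmp deny any outside"],
                ["icmp permit any echo-reply outside"],
                []):
        print(cfg or "(no icmp rules)", report(cfg))
```

Under that assumption, `icmp permit any echo-reply outside` lets the PIX receive replies to its own pings while echo requests from outside are still dropped at the interface.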

 