ping ?!?

[iiiiss]

HI

This may sound stupid but I don´t get it..

I am using PAT for the translation of the internal ip-addreses and when I try to ping outside it is not possible untile I define an access-list such as "access-l name permit ip h XXX h XXX"

Then the pinning is ok ......

why do i need such an access-list ? because of the PAT ?

When I would use NAT do I need this access-list too ?

And .. would is it possible for more than one internal client to go outside when I just define one single IP-address for Nat (global (oustide) 1 xxx.xxx.xxx netmask 255.255.255.248) ??

Please explain it to me !

Thanks

 

[sunyasee]

With ICMP (ping) you need to open up an access-list to allow the return or answering ping back through the Pix.

You should use PAT if you want to allow multiple users to share one global address. An example of PAT is as follows.

global (outside) 1 x.x.x.x

You can also let inside machines share the PIX outside interface address to save another global IP...

global (outside) 1 interface
----

Sunyasee B-)

 

[iiiiss]

Thanks for the response

 

[yizhar]

HI.

The pix does stateful inspection for TCP and UDP, so for these protocols the return traffic is permitted by the stateful inspection and you do not need to do anything for it.

But for ICMP this is different - the pix does not work stateful for this protocol and this is the reason that you need to permit the return traffic if you want to allow it.

It is best to allow only the minimum ICMP types that you need, here is an example:

access-list fromoutside permit icmp any any echo-reply
access-list fromoutside permit icmp any any unreachable
access-list fromoutside permit icmp any any time-exceeded
access-group fromoutside in interface outside

Bye
Yizhar Hurwitz

http://come.to/yizhar

http://teachers.sivan.co.il/yizhar