https://community.cisco.com/t5/network-security/unable-to-ping-public-address-behind-pix/m-p/706513#M1023939 <HTML><HEAD></HEAD><BODY><P>permit icmp any any echo-reply from internet( acl-internet)</P><P>and permit icmp any any echo from inside (acl-inside)</P><P></P><P>That should do it.</P></BODY></HTML> Tue, 06 Mar 2007 19:41:25 GMT vince-tran 2007-03-06T19:41:25Z https://community.cisco.com/t5/network-security/unable-to-ping-public-address-behind-pix/m-p/706510#M1023933 <P>Hi all,</P><P></P><P>i am using pix 7.0. I have opened any any access for my users behind the fw, bt none is able to ping public addresses like <A class="jive-link-custom" href="http://www.yahoo.com" target="_blank">www.yahoo.com</A> or ip 66.45.172.7.</P><P>pls see attached show run</P><P></P><P> </P><P></P> Mon, 11 Mar 2019 09:42:31 GMT https://community.cisco.com/t5/network-security/unable-to-ping-public-address-behind-pix/m-p/706510#M1023933 bws 2019-03-11T09:42:31Z https://community.cisco.com/t5/network-security/unable-to-ping-public-address-behind-pix/m-p/706511#M1023936 <HTML><HEAD></HEAD><BODY><P>please add the command :</P><P></P><P>access-list acl-internet extended permit icmp any any</P><P></P><P></P><P>this is the access-list on outside interface.when you try to ping anything on internet,the icmp echo request reaches that ip address,an icmp echo response is generated which reaches the firewall's outside interface.</P><P></P><P></P><P>as the access-list on outside interface do not permit the icmp,they'll be dropped and that's why u do not get replies on the inside.</P><P></P><P>there's are many icmp commands which you could permit individually.</P><P></P><P>for details,please check:</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml" target="_blank">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml</A></P><P></P><P></P><P>Hope this helps!!</P><P></P><P>Sushil</P><P>Cisco TAC.</P><P></P><P></P></BODY></HTML> Tue, 06 Mar 2007 15:41:58 GMT https://community.cisco.com/t5/network-security/unable-to-ping-public-address-behind-pix/m-p/706511#M1023936 suschoud 2007-03-06T15:41:58Z https://community.cisco.com/t5/network-security/unable-to-ping-public-address-behind-pix/m-p/706512#M1023938 <HTML><HEAD></HEAD><BODY><P>Perhaps, you dont even need to use access-lists. With 7.0 code PIX can do stateful inspection of ICMP and track the replies coming from outside and allow them if they match the requests initiated from the inside network. To do so, you can implement following commands-</P><P></P><P>policy-map global_policy</P><P> class inspection_default</P><P> inspect icmp</P><P> inspect icmp error</P><P> exit</P><P> exit</P><P></P><P>Now check if you are able to ping outbound.</P><P></P><P>Regards,</P><P>Vibhor.</P></BODY></HTML> Tue, 06 Mar 2007 16:06:23 GMT https://community.cisco.com/t5/network-security/unable-to-ping-public-address-behind-pix/m-p/706512#M1023938 vitripat 2007-03-06T16:06:23Z https://community.cisco.com/t5/network-security/unable-to-ping-public-address-behind-pix/m-p/706513#M1023939 <HTML><HEAD></HEAD><BODY><P>permit icmp any any echo-reply from internet( acl-internet)</P><P>and permit icmp any any echo from inside (acl-inside)</P><P></P><P>That should do it.</P></BODY></HTML> Tue, 06 Mar 2007 19:41:25 GMT https://community.cisco.com/t5/network-security/unable-to-ping-public-address-behind-pix/m-p/706513#M1023939 vince-tran 2007-03-06T19:41:25Z