topic Nothing special (access-list in Network Security

Firewall Ping

Joshua Maurer — Tue, 12 Mar 2019 04:06:53 GMT

How do you allow your firewall to ping the internet ?

I have had the network working for over a year but when I try to ping from the firewall to the internet or anything for testing it just give me ?????. I am assuming it is a acl issue. I have access-list 101 extended permit icmp any any on the first line. That should allow the access correct?

Nothing special (access-list

Marvin Rhoads — Wed, 23 Apr 2014 18:54:10 GMT

Nothing special (access-list or traffic inspection) is required to allow pings generated by the firewall itself.

If you want the firewall to respond to pings you need to allow that explicitly and turn on icmp inspection.

If you want to pass traceroute through and properly decrement the TTL so the firewall shows up in the trace you need to inspect icmp and make some other modifications as well.

When you test what is the IP

joseoroz — Thu, 24 Apr 2014 03:04:07 GMT

When you test what is the IP that you are trying to ping? Also are you connected directly to your ISP on the public interface or is there any other device with the capability of blocking ICMP request or replies.

You can setup a capture on the external interface and if you see that the packet is captured most likely the block is outside your device.

EX capture interface outside match icmp host (public ip of the firewall) host 4.2.2.2

FYI icmp inspection is required for traffic that traverses the firewall. Since the traffic is started on the public interface to the internet this command is not required.