https://community.cisco.com/t5/network-security/pinging-through-the-pix/m-p/59647#M620394 <HTML><HEAD></HEAD><BODY><P>If your network is as follows " internet--router--hub/switch--pix--hub/switch--workstation " then the pix default gateway should be set to the routers inside interface. If this is so then you should be able to ping the router inside interface from the pix or the work station. You will need a hub or switch or cross-over cable between each device. Are the link lights green on all the interfaces? You will also need to allow echo-reply. Try the command "show interface e0" The first line will tell you if the interface is functioning.</P><P>Ron</P></BODY></HTML> Tue, 09 Jul 2002 20:17:07 GMT rsnider 2002-07-09T20:17:07Z https://community.cisco.com/t5/network-security/pinging-through-the-pix/m-p/59642#M620389 <P>I've tried just about everything to ping the outside of the pix from a workstation with no success. Here is the recent command tried: </P><P></P><P>permit icmp echo-reply </P><P></P><P>access-list 100 permit icmp any host [external-ip-address] echo </P><P>access-group 100 in interface outside </P><P></P><P> </P> Fri, 21 Feb 2020 06:09:18 GMT https://community.cisco.com/t5/network-security/pinging-through-the-pix/m-p/59642#M620389 wsudds 2020-02-21T06:09:18Z https://community.cisco.com/t5/network-security/pinging-through-the-pix/m-p/59643#M620390 <HTML><HEAD></HEAD><BODY><P>Here's the list you need for ping and trace for an outside address</P><P>access-list 100 permit icmp any any time-exceeded</P><P>access-list 100 permit icmp any any echo-reply</P><P>access-list 100 permit icmp any any unreachable</P><P>access-group 100 in interface outside </P><P>Do you have an access list on the inside interface? If you do you will need to permit icmp there as well.</P><P>Ron</P></BODY></HTML> Tue, 09 Jul 2002 14:48:35 GMT https://community.cisco.com/t5/network-security/pinging-through-the-pix/m-p/59643#M620390 rsnider 2002-07-09T14:48:35Z https://community.cisco.com/t5/network-security/pinging-through-the-pix/m-p/59644#M620391 <HTML><HEAD></HEAD><BODY><P>These are my ip addresses on the devices. </P><P>I've applied the access list you adviced inside and outside, </P><P>still no success. Am I missing something? THX in Advance.</P><P></P><P>192.168.201.1 255.255.255.0-Router</P><P>192.168.200.2</P><P></P><P>192.168.200.1 255.255.255.0-Pix</P><P>192.168.100.2</P><P></P><P>switch</P><P></P><P>192.168.100.100 255.255.255.0- Workstation</P><P></P></BODY></HTML> Tue, 09 Jul 2002 17:22:53 GMT https://community.cisco.com/t5/network-security/pinging-through-the-pix/m-p/59644#M620391 wsudds 2002-07-09T17:22:53Z https://community.cisco.com/t5/network-security/pinging-through-the-pix/m-p/59645#M620392 <HTML><HEAD></HEAD><BODY><P>Are you trying to ping 192.168.200.1or are you trying to ping 192.168.200.2?</P><P>I don't think that you can ping the outside interface from inside, but you should be able to ping the next hop(router). Is your default route set to</P><P> route outside 0.0.0.0 0.0.0.0 192.168.200.2 </P><P>Ron</P></BODY></HTML> Tue, 09 Jul 2002 18:20:58 GMT https://community.cisco.com/t5/network-security/pinging-through-the-pix/m-p/59645#M620392 rsnider 2002-07-09T18:20:58Z https://community.cisco.com/t5/network-security/pinging-through-the-pix/m-p/59646#M620393 <HTML><HEAD></HEAD><BODY><P>I have my route outside set at 192.168.200.1 which is the routers inside interface, that maybe the problem, only thing the pix is not allowing me to change it to 192.168.200.2 which is the pix outside interface. THX Wil</P></BODY></HTML> Tue, 09 Jul 2002 19:15:14 GMT https://community.cisco.com/t5/network-security/pinging-through-the-pix/m-p/59646#M620393 wsudds 2002-07-09T19:15:14Z https://community.cisco.com/t5/network-security/pinging-through-the-pix/m-p/59647#M620394 <HTML><HEAD></HEAD><BODY><P>If your network is as follows " internet--router--hub/switch--pix--hub/switch--workstation " then the pix default gateway should be set to the routers inside interface. If this is so then you should be able to ping the router inside interface from the pix or the work station. You will need a hub or switch or cross-over cable between each device. Are the link lights green on all the interfaces? You will also need to allow echo-reply. Try the command "show interface e0" The first line will tell you if the interface is functioning.</P><P>Ron</P></BODY></HTML> Tue, 09 Jul 2002 20:17:07 GMT https://community.cisco.com/t5/network-security/pinging-through-the-pix/m-p/59647#M620394 rsnider 2002-07-09T20:17:07Z https://community.cisco.com/t5/network-security/pinging-through-the-pix/m-p/59648#M620395 <HTML><HEAD></HEAD><BODY><P>My network is internet--router--crossover cable to pix/switch--workstation.</P><P>THX Wil</P></BODY></HTML> Tue, 09 Jul 2002 20:30:05 GMT https://community.cisco.com/t5/network-security/pinging-through-the-pix/m-p/59648#M620395 wsudds 2002-07-09T20:30:05Z https://community.cisco.com/t5/network-security/pinging-through-the-pix/m-p/59649#M620396 <HTML><HEAD></HEAD><BODY><P>Form a pc on the inside of the pix, you can not ping the outside interface of the pix. </P><P>If you could ping from the pix itself to the outside router, and you want the pc behind the pix to also ping the outside router, you need a NAT and global statement, then you could add an access-list or just do "conduit permit icmp any any" to allow ping from the inside to the outside.</P><P>Here is a link to a good documentation: <A class="jive-link-custom" href="http://www.cisco.com/warp/public/707/28.html#in-out" target="_blank">http://www.cisco.com/warp/public/707/28.html#in-out</A></P><P></P></BODY></HTML> Wed, 10 Jul 2002 00:28:57 GMT https://community.cisco.com/t5/network-security/pinging-through-the-pix/m-p/59649#M620396 edadios 2002-07-10T00:28:57Z https://community.cisco.com/t5/network-security/pinging-through-the-pix/m-p/59650#M620397 <HTML><HEAD></HEAD><BODY><P>Is there a simple config I can paste into the pix just to test connectivity.</P></BODY></HTML> Fri, 12 Jul 2002 14:39:47 GMT https://community.cisco.com/t5/network-security/pinging-through-the-pix/m-p/59650#M620397 wsudds 2002-07-12T14:39:47Z https://community.cisco.com/t5/network-security/pinging-through-the-pix/m-p/59651#M620398 <HTML><HEAD></HEAD><BODY><P>If you have access lists on the inside and outside interfaces, put this command in the outside access list (of course with your access list number)....</P><P>access-list outside permit icmp any any</P><P></P><P>On the inside access list add this line......</P><P>access-list inside permit icmp any any</P><P></P><P>This is going to add these lines to the bottom of your access list, so make sure your not denying icmp any where above it. This will allow all icmp from inside to outside and outside to inside. </P><P></P><P>Hope this helps.....</P></BODY></HTML> Fri, 12 Jul 2002 15:31:05 GMT https://community.cisco.com/t5/network-security/pinging-through-the-pix/m-p/59651#M620398 mns0523 2002-07-12T15:31:05Z https://community.cisco.com/t5/network-security/pinging-through-the-pix/m-p/59652#M620399 <HTML><HEAD></HEAD><BODY><P>To ping form insdie to outside network.</P><P>add a route on router for the network behind the pix </P><P>router-&gt;ip route 192.168.100.0 255.255.255.0 192.168.200.1</P><P></P><P>add nat and global and conduit on pix</P><P>pix-&gt; nat (inside) 1 0 0</P><P> global(outside) 1 interface</P><P> conduit permit icmp any any</P><P>And then the ping from inside to outside should work.</P><P>Regards,</P></BODY></HTML> Sat, 13 Jul 2002 01:03:25 GMT https://community.cisco.com/t5/network-security/pinging-through-the-pix/m-p/59652#M620399 edadios 2002-07-13T01:03:25Z