https://community.cisco.com/t5/network-security/cannot-ping-server-behind-pix/m-p/909912#M958523 <HTML><HEAD></HEAD><BODY><P>Okay just to make sure I understand you... The three lines above is just for testing, or should I create an access-list to allow ICMP traffic for testing? Once I enter in those three lines will my server be vonerable to DOS attacks?</P><P></P><P>Thanks for your help!</P></BODY></HTML> Mon, 17 Dec 2007 12:45:59 GMT homeboarder8 2007-12-17T12:45:59Z https://community.cisco.com/t5/network-security/cannot-ping-server-behind-pix/m-p/909910#M958514 <P>I have a Web/DNS server behind a PIX firewall. I cannot ping it. What access-list do I need to allow ping traffic through? Or is it even nessesary to allow pings, could that be a security risk for things such as DOS?</P> Wed, 13 Mar 2019 00:51:35 GMT https://community.cisco.com/t5/network-security/cannot-ping-server-behind-pix/m-p/909910#M958514 homeboarder8 2019-03-13T00:51:35Z https://community.cisco.com/t5/network-security/cannot-ping-server-behind-pix/m-p/909911#M958519 <HTML><HEAD></HEAD><BODY><P>Hi Austin</P><P> Try this</P><P></P><P>policy-map global_policy </P><P>class inspection_default </P><P>inspect icmp </P><P></P><P> You better leave icmp enabled for connectivity test purposes. When you finish testing, disable it for avoiding possible ping flood attacks.</P><P></P><P>Regards </P><P></P></BODY></HTML> Mon, 17 Dec 2007 12:37:57 GMT https://community.cisco.com/t5/network-security/cannot-ping-server-behind-pix/m-p/909911#M958519 Alan Huseyin Kayahan 2007-12-17T12:37:57Z https://community.cisco.com/t5/network-security/cannot-ping-server-behind-pix/m-p/909912#M958523 <HTML><HEAD></HEAD><BODY><P>Okay just to make sure I understand you... The three lines above is just for testing, or should I create an access-list to allow ICMP traffic for testing? Once I enter in those three lines will my server be vonerable to DOS attacks?</P><P></P><P>Thanks for your help!</P></BODY></HTML> Mon, 17 Dec 2007 12:45:59 GMT https://community.cisco.com/t5/network-security/cannot-ping-server-behind-pix/m-p/909912#M958523 homeboarder8 2007-12-17T12:45:59Z https://community.cisco.com/t5/network-security/cannot-ping-server-behind-pix/m-p/909913#M958530 <HTML><HEAD></HEAD><BODY><P>When you enter above lines in their respective order in configure terminal mode in CLI, ICMP will be allowed without a need of ACL. When you finish your test disallow by typing</P><P></P><P>policy-map global_policy </P><P>class inspection_default </P><P>no inspect icmp </P><P></P></BODY></HTML> Mon, 17 Dec 2007 13:03:58 GMT https://community.cisco.com/t5/network-security/cannot-ping-server-behind-pix/m-p/909913#M958530 Alan Huseyin Kayahan 2007-12-17T13:03:58Z https://community.cisco.com/t5/network-security/cannot-ping-server-behind-pix/m-p/909914#M958535 <HTML><HEAD></HEAD><BODY><P>Okay one thing I'm not sure if this makes a difference but I am using a PIX 501, and I'm not farmiliar with the policy-map... are those valid commands for a 501?</P><P></P><P>Thanks!</P></BODY></HTML> Mon, 17 Dec 2007 13:12:18 GMT https://community.cisco.com/t5/network-security/cannot-ping-server-behind-pix/m-p/909914#M958535 homeboarder8 2007-12-17T13:12:18Z https://community.cisco.com/t5/network-security/cannot-ping-server-behind-pix/m-p/909915#M958539 <HTML><HEAD></HEAD><BODY><P>Hmm if doesnt work you can try this</P><P></P><P>icmp permit any dmz</P><P>icmp permit any inside</P><P></P><P>or fixup protocol icmp</P><P></P><P>if it doesnt work also, write ACLs as</P><P></P><P>access-list dmzrulenamehere permit icmp any any</P><P></P><P></P><P></P><P></P><P></P><P></P></BODY></HTML> Mon, 17 Dec 2007 13:41:04 GMT https://community.cisco.com/t5/network-security/cannot-ping-server-behind-pix/m-p/909915#M958539 Alan Huseyin Kayahan 2007-12-17T13:41:04Z