https://community.cisco.com/t5/network-security/allowing-icmp/m-p/750567#M989296 <HTML><HEAD></HEAD><BODY><P>If you want to ping the outside interface </P><P>then you shuld write this command in configuration mode</P><P>pix(config)#icpm permit any outside</P><P>bye</P></BODY></HTML> Sun, 20 May 2007 08:44:57 GMT emad.silicon 2007-05-20T08:44:57Z https://community.cisco.com/t5/network-security/allowing-icmp/m-p/750565#M989294 <P>Hi,</P><P>I have a Pix 525 firewall in my lab and i am practicing in it.I have connected two systems to inside and outside interface each.i have configured 172.25.15.1 as inside interface ip address and 172.25.30.1 as outside ip address i want the system wich is connected to inside interface should ping outside interface,i have configured the access-list as </P><P>(access-list 101 permit icmp any any) </P><P> (access-group 101 in interface outside).the inside network is nated to the outside interface but still i am not able to ping the outside interface.please can any one help me in resolving this. </P> Mon, 11 Mar 2019 10:17:06 GMT https://community.cisco.com/t5/network-security/allowing-icmp/m-p/750565#M989294 udayashankarsg 2019-03-11T10:17:06Z https://community.cisco.com/t5/network-security/allowing-icmp/m-p/750566#M989295 <HTML><HEAD></HEAD><BODY><P>Generally inside users wouldn't be able to ping outside interface of the PIX</P><P></P><P>Use the following access-list to solve your problem.</P><P></P><P>access-list 101 permit icmp any any echo-reply</P><P> access-list 101 permit icmp any any source-quench </P><P> access-list 101 permit icmp any any unreachable </P><P> access-list 101 permit icmp any any time-exceeded</P><P> access-group 101 in interface outside</P><P></P><P>or if you are runng 7.X include Inspect ICMP.</P><P></P><P>-Hoogen</P><P>Do rate if this post helps <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P></BODY></HTML> Sat, 19 May 2007 16:17:04 GMT https://community.cisco.com/t5/network-security/allowing-icmp/m-p/750566#M989295 hoogen_82 2007-05-19T16:17:04Z https://community.cisco.com/t5/network-security/allowing-icmp/m-p/750567#M989296 <HTML><HEAD></HEAD><BODY><P>If you want to ping the outside interface </P><P>then you shuld write this command in configuration mode</P><P>pix(config)#icpm permit any outside</P><P>bye</P></BODY></HTML> Sun, 20 May 2007 08:44:57 GMT https://community.cisco.com/t5/network-security/allowing-icmp/m-p/750567#M989296 emad.silicon 2007-05-20T08:44:57Z https://community.cisco.com/t5/network-security/allowing-icmp/m-p/750568#M989297 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I have tried this and it works but only if you add a entry to the inside interface like this</P><P></P><P>access-list InsideACL permit icmp host 10.0.0.1 any echo</P><P></P><P>otherwise 10.0.0.1 can't ping anything - is this correct ???</P><P></P><P>Thanks</P><P></P><P>Ed</P></BODY></HTML> Fri, 01 Jun 2007 11:34:56 GMT https://community.cisco.com/t5/network-security/allowing-icmp/m-p/750568#M989297 edw 2007-06-01T11:34:56Z https://community.cisco.com/t5/network-security/allowing-icmp/m-p/750569#M989298 <HTML><HEAD></HEAD><BODY><P>According to cisco doc pinging an interface on the far side is not possible. IE trying to ping the outside interface from a host on the inside. With that being said I have seen the same config on 2 different firewalls and one allows it and the other doesn't.</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#pingsown" target="_blank">http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#pingsown</A></P><P></P><P>Chad</P></BODY></HTML> Fri, 01 Jun 2007 17:36:40 GMT https://community.cisco.com/t5/network-security/allowing-icmp/m-p/750569#M989298 cpembleton 2007-06-01T17:36:40Z https://community.cisco.com/t5/network-security/allowing-icmp/m-p/750570#M989299 <HTML><HEAD></HEAD><BODY><P>edw, yes if you have an acl in your inside interface then you would have to allow the traffic as well. </P></BODY></HTML> Fri, 01 Jun 2007 17:41:13 GMT https://community.cisco.com/t5/network-security/allowing-icmp/m-p/750570#M989299 acomiskey 2007-06-01T17:41:13Z https://community.cisco.com/t5/network-security/allowing-icmp/m-p/750571#M989300 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>So to confirm If I have a internal machine say 10.0.0.1 and I want to ping my outside machine say 16.16.16.16.</P><P></P><P>Then to do this from the inside I would need these acls....</P><P></P><P>access-list 101 permit icmp any any echo-reply </P><P>access-list 101 permit icmp any any source-quench </P><P>access-list 101 permit icmp any any unreachable </P><P>access-list 101 permit icmp any any time-exceeded </P><P>access-group 101 in interface outside </P><P></P><P>access-list InsideACL permit icmp host 10.0.0.1 any echo</P><P>access-group InsideACL in interface inside</P><P></P><P>Thanks</P><P></P><P>Ed</P></BODY></HTML> Fri, 01 Jun 2007 23:02:10 GMT https://community.cisco.com/t5/network-security/allowing-icmp/m-p/750571#M989300 edw 2007-06-01T23:02:10Z https://community.cisco.com/t5/network-security/allowing-icmp/m-p/750572#M989301 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>If I allow inspect ICMP - I still have to add the above entries into the ACL for the traffic to transverse - is this correct? The Cisco ICMP doc is pretty usless as it leads you to believe that this isn't nessacery ?</P><P></P><P>Thanks</P><P></P><P>Ed</P></BODY></HTML> Fri, 28 Mar 2008 10:19:59 GMT https://community.cisco.com/t5/network-security/allowing-icmp/m-p/750572#M989301 edw 2008-03-28T10:19:59Z