06-26-2011 06:18 AM - edited 03-11-2019 01:50 PM
I can establish FTP and HTTP connections from inside (sec level 100) to polling (sec level 70).
I attempted to enable ICMP echo reply from PC to server.
Well, I failed... packet tracer showed fine... all phases allowed... but my PC simply cannot get a ping reply from the server...
The PC can ping the inside interface but cannot ping the polling interface...
BTW... I have added a line in inspection_default:
inspect icmp
I should be able to ping to a lower sec level since ICMP is inspected... but I still cannot ping the server in sec level 70... What have I done wrong?
Thanks.
06-26-2011 06:34 AM
Hey,
From the configuration attached, I observed on the inside interface, you have applied access list "test" in the in-bound direction. "test" access list will allow TCP and UDP for object group servers along with ICMP for object group ping-reply (which has no icmp-object to allow "echo" icmp-object).
Add an icmp-object echo in the object-group icmp-type and test.
Hope this helps.
Regards,
Adtiya
06-26-2011 06:45 AM
Hi Adtiya,
I got it working, and you are right.
What I did not test is the echo using packet-tracer; when I tested the echo, it was dropped by the implicit deny from the inside.
Cyrus
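The fix and the verification step discussed in this thread, as an added example that is not taken from the posts or from the attached configuration. The names "test", "ping-reply" and "inside" come from the thread; the exact form of the ICMP entry, the echo-reply entry already in the group, and the documentation-range addresses are assumptions.

```cisco
! Constructed sketch; the attached configuration is not shown in the thread.
! Assumed starting point: the group used by ACL "test" lacks the echo type.
object-group icmp-type ping-reply
 icmp-object echo-reply
!
! Assumed form of the ICMP entry in "test", applied inbound on inside.
access-list test extended permit icmp any any object-group ping-reply
access-group test in interface inside
!
! Fix from the accepted answer: permit the echo request (type 8) as well.
object-group icmp-type ping-reply
 icmp-object echo
!
! Check with the packet the PC actually sends: ICMP type 8, code 0.
! 192.0.2.10 (PC) and 198.51.100.20 (server) are placeholder addresses.
packet-tracer input inside icmp 192.0.2.10 8 0 198.51.100.20
!
! With the assumed starting group, tracing type 0 (echo-reply) from inside
! is allowed in every phase, which says nothing about the echo request.
packet-tracer input inside icmp 192.0.2.10 0 0 198.51.100.20
```

Before the fix, the first trace ends at the implicit deny on the inside ACL; after it, the echo request is permitted and `inspect icmp` lets the server's reply return.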