
Ping outside

michal.grzelak
Level 1

Hi,

I am trying to figure it out for an hour or two now and can't.

In all the documentation I found, it states that the Cisco PIX does not reply to ping on the outside interface, and that to enable it, an ACL must be created and attached to the outside interface.

The problem is that I don't have any ACL and can ping from the router to the outside interface of the PIX. When I add an ACL with deny icmp any any and deny ip any any, it still works and the ACL counters do not increase.

The config is default; I tried that on a PIX 501 and a 506E. What can allow ping on the outside interface?

ip address outside 10.1.3.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-list 10 deny icmp any any log
access-group 10 in interface outside

Thanks.

Michal

Accepted Solution

jojuarez
Level 1

Hi Michal,

Cisco documentation DOES provide this information. ACLs are for traffic through the firewall not to the firewall.

The command you need is "icmp deny any outside" (if the outside interface's name is 'outside'; otherwise, you should use that interface's name). Here's the document:

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/i1_72.html#wp1631466

This would be the same for SSH or telnet. If you want to allow SSH access to the firewall, an ACL won't have any effect. You need to use the "ssh" command.

Btw, ICMP is permitted to the outside interface by default.

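The distinction in the accepted answer, written out as an added configuration example that is not from the original post: the ACL from the question stays in place for transit traffic, and the icmp and ssh commands govern traffic aimed at the firewall itself. The host 10.1.3.1 is an assumed address for the router on the outside segment (the question only gives the PIX's own 10.1.3.2/24); replace it with the real management host.

```cisco
: Transit traffic: an ACL bound with access-group is only evaluated for
: packets passing THROUGH the PIX. Pings aimed at the outside interface
: address never hit it, which is why its hit counters stayed at zero.
access-list 10 deny icmp any any log
access-group 10 in interface outside

: Traffic TO the outside interface: controlled by the icmp command instead.
: Entries are checked top-down, first match wins, and once any icmp entry
: exists for an interface, unmatched ICMP to that interface is dropped.
: 10.1.3.1 is an assumed address for the outside router (not from the post).
icmp permit host 10.1.3.1 echo outside
icmp deny any outside

: Management access to the firewall is likewise not governed by the ACL;
: SSH to the outside interface has to be granted with the ssh command.
ssh 10.1.3.1 255.255.255.255 outside
```

After applying this, a ping from 10.1.3.1 to 10.1.3.2 still answers while pings from any other outside host are silently dropped, and "show icmp" can be used to confirm the entries are in the intended order.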

3 Replies

abinjola
Cisco Employee

Michal, an access-list is for transit traffic, not for traffic destined to an interface.

Add this: icmp deny any outside

See if it works.


Hi,

Thanks for clearing this up. It works now.

Michal
