05-13-2010 06:17 AM - edited 03-11-2019 10:45 AM
I need an ASA/PIX firewall to respond to my ping entering the outside interface from a specific subnet. Is this ACL correctly written to do that?
access-list 101 permit icmp 76.X.X.X 255.255.255.192 any echo-reply
access-group 101 in interface outside
05-13-2010 06:45 AM
iketurner931 wrote:
I need an ASA/PIX firewall to respond to my ping entering the outside interface from a specific subnet. Is this ACL correctly written to do that?
access-list 101 permit icmp 76.X.X.X 255.255.255.192 any echo-reply
access-group 101 in interface outside
An ACL allows ping through the firewall, not to the firewall.
You need this instead -
icmp permit 76.x.x.x 255.255.255.192 echo-reply outside
However, by default an ASA should respond to ping on its interfaces anyway, so you need to check your config.
Note also that you cannot ping across the ASA to an interface, so if you are outside you can ping the outside interface but not any of the others.
Jon
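Added example, not part of the thread or any poster's code: a small Python check of whether a given configuration lets an interface answer a ping, separating `icmp permit|deny` rules (traffic to the firewall) from `access-list` lines (traffic through it). It assumes the documented ASA behaviour that an interface with no `icmp` rules answers by default, that rules are evaluated first match, and that an implicit deny applies once any `icmp` rule exists on that interface; the function names and the 198.51.100.0/26 sample subnet are constructed for illustration.

```python
import ipaddress

# Constructed sample config; 198.51.100.0/26 is a documentation range standing
# in for the thread's masked 76.X.X.X subnet.
SAMPLE = """\
access-list 101 permit icmp 198.51.100.0 255.255.255.192 any echo-reply
access-group 101 in interface outside
icmp permit 198.51.100.0 255.255.255.192 echo outside
"""

def _source(tok):
    """Consume the source spec; return (network, remaining tokens)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]

def parse_icmp_rules(config):
    """Return {if_name: [(action, network, icmp_type or None), ...]}."""
    rules = {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "icmp" or tok[1] not in ("permit", "deny"):
            continue  # access-list / access-group lines only govern through traffic
        net, rest = _source(tok[2:])
        icmp_type = rest[0] if len(rest) == 2 else None  # optional type before if_name
        rules.setdefault(rest[-1], []).append((tok[1], net, icmp_type))
    return rules

def interface_answers_ping(config, src_ip, if_name):
    """True if an echo request from src_ip to the if_name interface is accepted."""
    rules = parse_icmp_rules(config).get(if_name)
    if not rules:
        return True  # no icmp rules on this interface: default is to answer
    src = ipaddress.ip_address(src_ip)
    for action, net, icmp_type in rules:
        # A typed rule matches only that ICMP type; a ping arrives as type echo (8).
        if src in net and icmp_type in (None, "echo", "8"):
            return action == "permit"
    return False  # implicit deny once any icmp rule exists on the interface
```

Run `interface_answers_ping(SAMPLE, "198.51.100.10", "outside")` against a saved `show running-config` to see which sources the outside interface will answer.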
05-13-2010 06:59 AM
Thanks Jon,
Are you saying that the PIX by default will not respond to pings but the ASA will?
05-13-2010 07:08 AM
iketurner931 wrote:
Thanks Jon,
Are you saying that the PIX by default will not respond to pings but the ASA will?
No, the PIX should respond by default to pings as well.
Jon
05-13-2010 07:14 AM
Ok Thanks.