10-04-2005 05:23 AM - edited 02-21-2020 12:26 AM
Hi Everyone,
My understanding of a general PIX config is to have the inside interface connected to your LAN and the outside interface connected to the "Internet". Now I have configured the NAT to translate my internal 192.168.x.x address to my routable address on the outside interface with the commands global(outside)X.X.X.X and NAT(inside)192.168.X.X and this all works fine. I have an access-list on my inside interface which permits icmp from any to any. My question is, how do I permit the reply to my pings through my outside interface? If I do not have an ACL on my outside interface permitting ICMP I cannot ping across from the inside to the outside - but I thought an ACL on my outside interface was a bad idea?
Any help would be great if you can understand my poor question!
Many thanks,
Dan
10-04-2005 05:34 AM
There is another command 'icmp permit' on the pix to take care of outside ICMPs.
Thanks.
10-04-2005 07:44 AM
if there is no acl applied on the inside interface, you don't need to apply "permit icmp any any", because the pix by default will allow all outgoing traffic.
to permit echo reply,
access-list acl_out permit icmp any any echo-reply
access-group acl_out interface outside
applying an acl on the outside interface is not a bad idea. it totally depends on the business requirements.
10-04-2005 07:58 AM
Ping is not a stateful protocol. To allow pings from the inside to the outside interface you need to create an access-list.
If you want to ping the same interface that you are physically connected to you need to configure the "icmp" command.
example:
See: Handling ICMP Pings with the PIX Firewall
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
The PIX and the traceroute Command
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800e9312.shtml
examples:
Traceroute
Microsoft:
access-list 101 permit icmp any host YourPublicIP unreachable
access-list 101 permit icmp any host YourPublicIP time-exceeded
access-list 101 permit icmp any host YourPublicIP echo-reply
access-group 101 in interface outside
UNIX:
access-list 101 permit icmp any host YourPublicIP unreachable
access-list 101 permit icmp any host YourPublicIP time-exceeded
access-group 101 in interface outside
ICMP command example
icmp deny any outside
icmp permit any echo-reply outside
icmp permit any echo-reply inside
icmp permit host 192.168.1.30 echo inside
icmp permit host 192.168.1.31 echo inside
icmp permit host 192.168.1.20 echo inside
icmp permit host 192.168.1.40 echo inside
icmp permit host 192.168.1.100 echo inside
sincerely
Patrick
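As an added example that is not part of any reply in this thread: the pieces the answers above describe, put together into one PIX 6.x configuration so the relationship between NAT, the outside ACL and the icmp command is visible in one place. The public address 203.0.113.10 and the 192.168.0.0/16 LAN are placeholders; the ACL name acl_out is an arbitrary choice; the fixup line at the end assumes PIX 6.3 or later, where ICMP inspection is available.

```cisco
! Added example config (not posted by anyone in the thread).
! 203.0.113.10 = placeholder public NAT address, 192.168.0.0/16 = placeholder LAN.

! 1. Translate inside hosts to the public address (what the original poster has).
nat (inside) 1 192.168.0.0 255.255.0.0 0 0
global (outside) 1 203.0.113.10

! 2. No inbound ACL on the inside interface: PIX permits outbound traffic from a
!    higher-security interface by default, so "permit icmp any any" there is
!    only needed once some other inside ACL exists.

! 3. Inbound ACL on the outside interface. Without ICMP inspection the PIX does
!    not track echo requests, so the replies must be explicitly permitted.
!    Only the public address and only reply-type messages are allowed; the
!    implicit deny at the end of the ACL drops everything else, including
!    inbound echo requests, so this is not "ICMP open from the Internet".
access-list acl_out permit icmp any host 203.0.113.10 echo-reply
! time-exceeded and unreachable are what traceroute depends on:
!   Windows tracert sends ICMP echo probes (needs echo-reply above),
!   UNIX traceroute sends UDP probes (needs time-exceeded + port unreachable).
access-list acl_out permit icmp any host 203.0.113.10 time-exceeded
access-list acl_out permit icmp any host 203.0.113.10 unreachable
access-group acl_out in interface outside

! 4. The icmp command governs ICMP addressed TO the PIX interface itself
!    (pinging the firewall), not traffic THROUGH it, which is the ACL's job.
!    Entries are matched first-match in order, with an implicit deny once any
!    icmp statement exists for that interface, so the permits come first.
icmp permit 192.168.0.0 255.255.0.0 echo inside
icmp permit any echo-reply inside
icmp permit any echo-reply outside
icmp deny any outside

! 5. Optional (PIX 6.3 and later): make ICMP stateful so echo-reply,
!    time-exceeded and unreachable are admitted for connections the PIX
!    already saw go out, and the three ACL lines above can be dropped.
! fixup protocol icmp
! fixup protocol icmp error
```

Verify the result from an inside host with a ping and a traceroute to a public address, then from outside confirm that an echo request to 203.0.113.10 gets no answer; "show access-list acl_out" shows the hit counts climbing only on the echo-reply, time-exceeded and unreachable lines.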