
Firewall Ping

Joshua Maurer
Level 1

How do you allow your firewall to ping the internet?

I have had the network working for over a year, but when I try to ping from the firewall to the internet or anything for testing it just gives me ?????. I am assuming it is an ACL issue. I have access-list 101 extended permit icmp any any on the first line. That should allow the access, correct?

2 Replies

Marvin Rhoads
Hall of Fame

Nothing special (access-list or traffic inspection) is required to allow pings generated by the firewall itself.

If you want the firewall to respond to pings you need to allow that explicitly and turn on icmp inspection.

If you want to pass traceroute through and properly decrement the TTL so the firewall shows up in the trace you need to inspect icmp and make some other modifications as well.

joseoroz
Cisco Employee

When you test, what is the IP that you are trying to ping? Also, are you connected directly to your ISP on the public interface, or is there any other device with the capability of blocking ICMP requests or replies?

You can set up a capture on the external interface, and if you see that the packet is captured, most likely the block is outside your device.

EX capture interface outside match icmp host (public ip of the firewall) host 4.2.2.2

FYI, ICMP inspection is required for traffic that traverses the firewall. Since the traffic is started on the public interface to the internet, this command is not required.
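
The capture check suggested in the reply above, as an added example that is not part of the original thread: a short Python script that reads the text output of a capture on the outside interface and reports whether echo requests left the firewall and whether replies came back. The sample capture text, the 198.51.100.2 stand-in for the firewall's public IP, and the assumed line layout (`N: time src > dst: icmp: echo request`) are constructed for illustration.

```python
import re

# Constructed sample capture output (not from the thread). 198.51.100.2 is a
# placeholder for the firewall's public IP. Line layout is an assumption.
SAMPLE_NO_REPLY = """\
3 packets captured
   1: 10:15:01.100200 198.51.100.2 > 4.2.2.2: icmp: echo request
   2: 10:15:03.100450 198.51.100.2 > 4.2.2.2: icmp: echo request
   3: 10:15:05.100710 198.51.100.2 > 4.2.2.2: icmp: echo request
"""
SAMPLE_OK = """\
2 packets captured
   1: 10:20:01.200100 198.51.100.2 > 4.2.2.2: icmp: echo request
   2: 10:20:01.212300 4.2.2.2 > 198.51.100.2: icmp: echo reply
"""

LINE = re.compile(
    r"^\s*\d+:\s+\S+\s+(?P<src>\d+(?:\.\d+){3})\s+>\s+(?P<dst>\d+(?:\.\d+){3}):"
    r"\s+icmp:\s+(?P<kind>echo request|echo reply)"
)

def summarize(capture_text, fw_ip, target_ip):
    """Return (echo requests sent by the firewall, echo replies received)."""
    sent = received = 0
    for line in capture_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # packet-count header or other ICMP types
        flow = (m["src"], m["dst"], m["kind"])
        if flow == (fw_ip, target_ip, "echo request"):
            sent += 1
        elif flow == (target_ip, fw_ip, "echo reply"):
            received += 1
    return sent, received

def diagnose(capture_text, fw_ip, target_ip):
    """Turn the counts into the reading described in the reply above."""
    sent, received = summarize(capture_text, fw_ip, target_ip)
    if sent == 0:
        return "no echo requests captured on this interface"
    if received == 0:
        return "requests captured, no replies: block is most likely outside the firewall"
    return "requests and replies captured: ping path is working"

if __name__ == "__main__":
    for sample in (SAMPLE_NO_REPLY, SAMPLE_OK):
        print(diagnose(sample, "198.51.100.2", "4.2.2.2"))
```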

 
