Not able to ping to PIX DMZ ip address

udayashankarsg
Level 1

I'm not able to ping the PIX DMZ interface, which is configured with a public IP address, from the inside LAN.

9 Replies

udayashankarsg
Level 1

Hi,

Can anyone help me in resolving this issue?

Hi

If you want to ping an IP address on the DMZ or outside through the PIX firewall, you should make an access-list to allow or permit the ICMP protocol from LAN to DMZ.

Hi,

My PIX DMZ IP address is 172.25.12.1 and I'm pinging from another VLAN, which is 172.25.14.172; this is connected to the inside interface of the PIX. Do I need to configure static commands? In the access-lists I have permitted everything on both inside and DMZ. Please send me the commands which need to be configured.

OK

I will give you an example.

If the DMZ has IP address 172.25.12.1 and the host on the DMZ has 172.25.12.2,

if the LAN IP address is 10.0.0.254

and the host on the LAN has 10.0.0.1,

you should make an access-list on the inside interface to permit ICMP:

access-list test permit icmp any any

access-group test in interface inside

or

access-list test permit icmp host 10.0.0.1 host 172.25.12.1

access-group test in interface inside

I do not prefer the conduit command.

If you have used just access-list permit ip any any, it does not allow icmp.

I had done the same configuration on my firewall. I'm able to ping the host (172.25.12.73), which is using the DMZ interface as its gateway, but not the DMZ interface (172.25.12.1) from 172.25.14.172.

Yes.

You cannot ping an interface on the PIX firewall if you are not connected directly to that interface. For example, if you are on the LAN you can ping the inside interface, and if you are on the DMZ you can ping the DMZ interface, but you cannot ping from a host on the LAN to the DMZ interface or the outside interface.

I am talking about if you use Windows OS; I did not try with Linux.

Hi. I am a Linux user, and I have configured a DMZ very similar to the way you are explaining here. As for your comment that you tried from a Windows machine, the OS is not of any relevance when the access permits are being set up with an access-list on the PIX. The protocol to send ICMP messages will be the same; it depends entirely on the PIX whether it's configured to allow or deny this kind of traffic.

Thanks, alvares.

As I can see, udaya did permit ICMP on the access-lists, but it is another thing that he cannot ping a different interface, like from a PC on the LAN to the DMZ interface.

The PIX firewall has a feature that blocks pings from a host on the LAN to the DMZ or Outside interface, or from a DMZ host to the LAN interface. This feature was created to protect the PIX from DoS attacks, ping floods, etc.

Is it possible to enable ping from the inside LAN network to the DMZ IP address by applying an access-list?
