I'm not able to ping the PIX DMZ interface, which is configured with a public IP address, from the inside LAN.

Can anyone help me in resolving this issue?


If you want to ping an IP address on the DMZ or outside through the PIX firewall, you should make an access-list to allow or permit the ICMP protocol from LAN to DMZ.


My PIX DMZ IP address is and I'm pinging from another VLAN which is this is connected to the inside interface of the PIX. Do I need to configure static commands? In the access-lists I have permitted everything on both inside and DMZ. Please send me the commands which need to be configured.


I will give you an example

if dmz have ip address and host on dmz have

if LAN ip address is

and host on LAN have

you should make access-list on inside interface to permit icmp

access-list test permit icmp any any

access-group test in interface inside


access-list test permit icmp host host

access-group test in interface inside

I will not prefer the conduit command.

If you have used just access-list permit ip any any, it does not allow ICMP.

The same configuration I had done on my firewall. I'm able to ping to the host( which is using DMZ interface as gateway but not to DMZ interface( from


You cannot ping an interface on the PIX firewall if you are not connected directly on that interface. If you are on the LAN you can ping the inside interface, and if you are on the DMZ you can ping the DMZ interface, but you cannot ping from a host on the LAN to the DMZ interface or outside interface.

I am talking about if you use Windows OS; I did not try with Linux.

Hi. I am a Linux user, and I have configured a DMZ very similar to the way you are explaining here. As for your comment that you tried from a Windows machine, the OS is not of any relevance when the access permits are being set up with an access-list on the PIX. The protocol to send ICMP messages will be the same; it depends entirely on the PIX whether it's configured to allow or deny this kind of traffic.

Thanks, alvares

As I can see, udaya did permit ICMP on the access-lists, but it is another thing that he cannot ping on a different interface, like from a PC on the LAN to the DMZ interface.

The PIX firewall has a feature that blocks pings from a host on the LAN to the DMZ or outside interface, or from a DMZ host to the LAN interface. This feature was created to protect the PIX from DoS attacks, ping floods, etc.

Is it possible to enable ping from the inside LAN network to the DMZ IP address by applying an access-list?

