Re: Not able to ping to PIX DMZ ip address

udayashankarsg · ‎12-15-2006

I'm not able to ping to PIX DMZ interface which is configured with public ip address from the inside LAN.

udayashankarsg · ‎12-15-2006

Hi,

Can anyone help me in resolving this issue

arbensy · ‎12-15-2006

Hi

If you whant to ping ip address on dmz or outside through pix firewall you should make access-list to allow or permit icmp protocol from LAN to DMZ.

udayashankarsg · ‎12-15-2006

Hi,

My PIX DMZ ip address is 172.25.12.1 and i'm pinging from other vlan which is 172.25.14.172 this is connected to inside interface of pix. Do i need to configure static commands. Access-lists i have permitted everything on both inside and DMZ.Pls send me the commands which need to be configured.

arbensy · ‎12-15-2006

OK

I will giv you an example

if dmz have ip address 172.25.12.1 and host on dmz have 172.25.12.2

if LAN ip address is 10.0.0.254

and host on LAN have 10.0.0.1

you should make access-list on inside interface to permit icmp

access-list test permit icmp any any

access-groupe test in interface inside

or

access-list test permit icmp host 10.0.0.1 host 172.25.12.1

access-groupe test in interface inside

I will not prefer counduit command.

If you have used just access-list permit ip any any it dos not allow icmp

udayashankarsg · ‎12-15-2006

The same configuration i had done on my firewall. I'm able to ping to the host(172.25.12.73) which is using DMZ interface as gateway but not to DMZ interface(172.25.12.1) from 172.25.14.172

arbensy · ‎12-15-2006

yes

you can not ping interface on pix firewall if you are not connected directely on that interface like if you are on lan you can ping inside interface if you are on dmz you can ping dmz interface but not from host on lan to dmz interface or outside interface.

I am talking if you use windows OS I did not try with linux.

alvarez_rafa · ‎12-16-2006

Hi. I am a linux user, and i have configured DMZ very similar to the way you are explaining here. As for your comment that you tried from a Windows machine, the OS is not of any relevance when the access permits are being set up with an access-list on the pix. The protocol to send icmp messages will be same, it depends entirely on the pix wether it's configured to allow or deny this kind of traffic.

arbensy · ‎12-17-2006

Thanx alvares

As I can see udaya did permits for icmp on access-lists but it is another thing that hi can not ping on different interface like from PC on LAN to DMZ interface.

The PIX firewall has a feature that block pings from host on LAN to DMZ or Outside interface or DMZ host to LAN interface, this feature is created to prevent PIX form DOS attack, Ping Flood etc.

udayashankarsg · ‎12-18-2006

Is it possible to enable ping from inside LAN network to DMZ ip address by applying access-list