Re: ping pix inside port is't success

wanglei · ‎10-31-2005

my server(host) connect to pix inside port directly,it can't ping pix success.

there is no host firewall on server.

when i in pix monitor mode .from pix can ping server successful.

how can i resolve this problem?

jackko · ‎10-31-2005

just wondering if the inside interface is in "shutdown" status.

all interfaces will be in "shutdown" status after performing "write erase".

to verify, do "sh int"

e.g.

interface ethernet1 "inside" is administratively down, line protocol is up

wanglei · ‎10-31-2005

i wonder what different between clear configure and write erase.if they have same result.

thank you for help!

Patrick Iseli · ‎10-31-2005

If you want to ping the same interface that you are physicly connected, as your server to the PIX, then you need to configure the "icmp" command.

Ping is not a stateful protocol. To allow pings from the inside to the outside interface you need to create an access-list.

example:

See: Handling ICMP Pings with the PIX Firewall

The PIX and the traceroute Command

examples:

Traveroute

Microsoft:

access-group 101 in interface outside

access-list 101 permit icmp any host YourPublicIP unreachable

access-list 101 permit icmp any host YourPublicIP time-exceeded

access-list 101 permit icmp any host YourPublicIP echo-reply

UNIX:

access-group 101 in interface outside

access-list 101 permit icmp any host YourPublicIP unreachable

access-list 101 permit icmp any host YourPublicIP time-exceeded

ICMP command example

icmp deny any outside

icmp permit any echo-reply outside

icmp permit any echo-reply inside

icmp permit host 192.168.1.30 echo inside

icmp permit host 192.168.1.31 echo inside

icmp permit host 192.168.1.20 echo inside

icmp permit host 192.168.1.40 echo inside

icmp permit host 192.168.1.100 echo inside

sincerely

Patrick