01-14-2008 01:46 AM - edited 03-11-2019 04:47 AM
Hi All,
I'm a Cisco Newbie. We recently had a PIX 515e installed.
Since the install I can no longer ping from my local workstation to the outside world, nor can I perform a tracert.
I have permitted ICMP from any to any and still nothing.
Any advice would be greatly appreciated.
Thanks in advance
Stephen
I can however ping the outside world from my firewall ssh session.
01-14-2008 02:58 AM
Hi,
Have you implemented NAT?
For information view: http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/cfgnat.html
I hope this helps.
Best regards.
Massimiliano.
01-17-2008 11:21 AM
I had the same problem on ASA boxes. I solved this by enabling inspection on the ICMP & ICMP Error.
\Lars
01-17-2008 11:50 AM
Stephen, please refer to this link to understand how ICMP and traceroute are handled by PIX and ASA, and configure the security appliance accordingly to be able to conduct ICMP and traceroute from inside out.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
Rgds
Jorge
01-17-2008 03:56 PM
Thanks all. I managed to fix it by using
• access-list ping_acl permit ip any any
• access-group ping_acl in interface outside
01-17-2008 04:31 PM
"permit ip any any" negates your firewall entirely. You may have 'fixed' ICMP, but you 'broke' your firewall. Please read the aforementioned links immediately to remedy this.
If you told us what version OS you have we might be able to suggest something specific.
You could also delete your current ACL and just allow "icmp any any echo-reply"
In addition to Jorge's link, also read this one on traceroute: http://www.cisco.com/warp/public/105/traceroute.shtml
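To make the last two replies concrete, here is an added configuration example (not posted by anyone in this thread) that puts the "permit ip any any" fix next to the two safer alternatives the replies describe: stateful ICMP inspection, or an outside ACL that admits only ICMP replies. It assumes PIX 7.x / ASA syntax with the default global_policy and inspection_default names, and an interface named "outside"; Stephen's OS version is unknown, so check it with "show version" first.

```cisco
! --- What the thread's "fix" does: every IP protocol from any outside host
! --- is now allowed in to any inside host, which defeats the firewall.
access-list ping_acl permit ip any any
access-group ping_acl in interface outside

! --- Step 1: take the wide-open ACL off the outside interface and delete it.
no access-group ping_acl in interface outside
clear configure access-list ping_acl

! --- Option A (preferred): let the appliance track ICMP statefully.
! --- With inspect icmp, an inside echo-request opens a short-lived entry and
! --- only the matching echo-reply is allowed back; inspect icmp error lets
! --- traceroute's time-exceeded / unreachable messages through for that flow.
! --- No inbound ACL line for ICMP is needed.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
service-policy global_policy global

! --- Option B: no inspection, but an explicit outside ACL that permits only
! --- ICMP return traffic (the "icmp any any echo-reply" suggestion above,
! --- plus the two types traceroute relies on). Nothing else is admitted.
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended permit icmp any any time-exceeded
access-list outside_in extended permit icmp any any unreachable
access-group outside_in in interface outside

! --- Verify: the ACL should show hit counts only on the three ICMP lines,
! --- and the inspection policy should show icmp in the active list.
show access-list outside_in
show service-policy inspect icmp
```

Option B still leaves ICMP replies unsolicited from the outside; Option A only admits a reply that matches a request the appliance saw leave, which is why the ICMP inspection link is the one to follow.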