
No ICMP Echo Reply

whynot108
Level 1

I am new to the PIX firewall. I tried to ping the PIX inside interface (e.g. 192.168.21.1) from a host (e.g. 192.168.25.2) directly connected to the PIX outside interface (e.g. 192.168.25.1), but got "timeout". The debug icmp on the PIX showed the ICMP request from 192.168.25.2 to 192.168.21.1 received, but no reply. What's wrong? Thanks!

4 Replies

ddawson
Level 1

The PIX doesn't allow you to ping any PIX interface other than the one you're closest to. This isn't a bug - it's just the way the PIX works. You can, however, ping other devices beyond the PIX, as long as your PIX configuration allows it.

Thanks!

The connection is as follows:

192.168.25.2 <--> outside PIX inside <--> 192.168.24.2

access-list acl-out permit icmp any any

access-group acl-out in interface outside

However, 192.168.25.2 fails to ping 192.168.24.2. But on the PIX terminal I can ping both 192.168.25.2 and 192.168.24.2.

Any advice? Thanks!

A good rule of thumb to remember is that if you want to allow traffic initiated from an outside host to get to an inside host, then you usually need an access-list entry that allows it (which you have) and a "static" command that defines a static NAT translation for the inside host (which you don't have). That static can be a one-to-one NAT assignment, or, in cases where you don't want to actually do any NAT, it can NAT an address (or an entire network) to itself, like this:

static (inside,outside) 192.168.24.0 192.168.24.0 netmask 255.255.255.0

As long as you have a static command that includes the host you want to get to, along with an ACL entry that permits the traffic, things should work.

HTH

ICMP is indeed not a stateful protocol. To ping the same interface that you are connected to, you need to add the "icmp" command for that IP address, and if you want to ping through the PIX, let's say from the inside interface to a host on the Internet, you need an access-list.

Source:

The PIX and the traceroute Command

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800e9312.shtml

Handling ICMP Pings with the PIX Firewall

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

Access-list example (traceroute):

Microsoft:

access-group 101 in interface outside

access-list 101 permit icmp any host 209.165.200.246 unreachable

access-list 101 permit icmp any host 209.165.200.246 time-exceeded

access-list 101 permit icmp any host 209.165.200.246 echo-reply

UNIX:

access-group 101 in interface outside

access-list 101 permit icmp any host 209.165.200.246 unreachable

access-list 101 permit icmp any host 209.165.200.246 time-exceeded

ICMP command example

icmp deny any outside

icmp permit any echo-reply outside

icmp permit any echo-reply inside

icmp permit host 192.168.1.30 echo inside

icmp permit host 192.168.1.31 echo inside

icmp permit host 192.168.1.20 echo inside

icmp permit host 192.168.1.40 echo inside

icmp permit host 192.168.1.100 echo inside

sincerely

Patrick
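Putting the two answers together for the topology in this thread, here is a PIX 6.x configuration fragment that covers both cases: pings through the PIX (which need a static plus an ACL entry, as ddawson describes) and pings addressed to the PIX itself (which are governed by the icmp command, as Patrick describes). This is an added example, not a config posted in the thread or taken from the Cisco documents linked above. The addresses and interface names come from the posts; the ACL name, the choice of ICMP types and the specific hosts permitted are assumptions made for illustration.

```cisco
! Added example (not from the thread). Topology taken from the posts:
! 192.168.25.2 <--> outside 192.168.25.1 | PIX | inside 192.168.21.1 <--> 192.168.24.2
!
! 1. Through-the-box: 192.168.25.2 pinging 192.168.24.2.
!    Outside-initiated traffic needs a translation for the inside host AND
!    an ACL entry on the outside interface. The identity static maps the
!    inside network to itself, so no address is actually rewritten.
static (inside,outside) 192.168.24.0 192.168.24.0 netmask 255.255.255.0
!
! 2. The ACL. "permit icmp any any" works but admits every ICMP type; the
!    entries below are the minimum for ping and traceroute. The echo entry
!    serves pings coming in from outside. Because the PIX does not track
!    ICMP state, replies to pings and traceroutes that were started on the
!    inside come back as new inbound packets and need their own entries.
!    Inside-to-outside traffic (such as the echo-reply from 192.168.24.2)
!    is allowed by default once the translation above exists.
access-list acl-out permit icmp any 192.168.24.0 255.255.255.0 echo
access-list acl-out permit icmp any any echo-reply
access-list acl-out permit icmp any any unreachable
access-list acl-out permit icmp any any time-exceeded
access-group acl-out in interface outside
!
! 3. To-the-box: pings addressed to a PIX interface are not evaluated by the
!    ACL but by the icmp command, and only the interface nearest the sender
!    answers. 192.168.25.2 can therefore ping 192.168.25.1 but never
!    192.168.21.1, whatever is configured here. The list is searched in
!    order and the first match wins, so the permits go before the deny.
icmp permit host 192.168.25.2 echo outside
icmp permit any echo-reply outside
icmp deny any outside
icmp permit 192.168.24.0 255.255.255.0 echo inside
icmp permit any echo-reply inside
icmp deny any inside
!
! 4. After adding or changing a static on PIX 6.x, clear the translation
!    table so existing entries do not shadow the new one:
! clear xlate
```

To check the result, "debug icmp trace" should now show the echo from 192.168.25.2 to 192.168.24.2 being translated and the echo-reply returning, while an echo to 192.168.21.1 from the outside is still received and dropped, exactly as in the original question. If the outside ACL is ever tightened further, keep the unreachable and time-exceeded entries: without them, traceroute from the inside breaks and path MTU discovery fails silently.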