
Ping outside

wbartholomew
Level 1

I have the following at the top of my inbound access list

permit icmp any any

It's applied inbound on my outside interface; however, I still can't ping anything on the outside.

4 Replies

Not applicable

I am able to ping through my PIX, but I also have an access-list on the inside interface that looks like this:

permit icmp 1.1.1.0 255.255.255.0 any

This list permits ICMP packets from the inside networks to the outside. If I remember correctly, you must specifically permit ICMP to go from a higher security interface to a lower security interface.

Kevin

mike-banks
Level 1

The key is that you have to allow the echo-reply into the outside interface.

These are the access-list statements I am using:

access-list acl_outside permit icmp any any echo-reply

access-list acl_outside permit icmp any any source-quench

access-list acl_outside permit icmp any any unreachable

access-list acl_outside permit icmp any any time-exceeded

Mike

bs0000554
Level 1

The ASA algorithm from PIX does not treat the ICMP protocol as "stateful". You have to open it in both directions.

Only for an outside-to-inside "ping", open ICMP echo from outside and ICMP echo-reply from inside.
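
As an added example (not part of any post in this thread, and not Cisco's code): a small Python audit that reads PIX `access-list` lines and reports whether the outside ACL lets ping replies back in, and whether it does so with an untyped `permit icmp` instead of the specific types listed in Mike's reply. The function names and sample configs are constructed for illustration; entry order, deny entries and source/destination addresses are not evaluated.

```python
# ICMP types from Mike's reply: replies and errors for inside-initiated traffic.
RETURN_TYPES = {"echo-reply", "source-quench", "unreachable", "time-exceeded"}

def _addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'network mask'."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    return " ".join(tokens[:2]), tokens[2:]

def parse_icmp_ace(line):
    """Parse 'access-list NAME permit|deny icmp SRC DST [TYPE]'; None if not ICMP."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[3] != "icmp":
        return None
    src, rest = _addr(t[4:])
    if not rest:
        return None
    dst, rest = _addr(rest)
    return {"acl": t[1], "action": t[2], "src": src, "dst": dst,
            "type": rest[0] if rest else None}  # None means every ICMP type

def audit_outside_acl(config, acl_name):
    """Summarise which ICMP return traffic the named ACL permits (permit entries only)."""
    aces = [a for a in map(parse_icmp_ace, config.splitlines())
            if a and a["acl"] == acl_name and a["action"] == "permit"]
    permitted = {a["type"] for a in aces}
    untyped = None in permitted  # e.g. 'permit icmp any any' with no type
    missing = set() if untyped else RETURN_TYPES - permitted
    return {
        "ping_replies_allowed": untyped or "echo-reply" in permitted,
        "untyped_permit": untyped,  # also admits inbound echo requests
        "missing_return_types": sorted(missing),
    }

# Constructed sample configs (the ACL name acl_outside is taken from Mike's reply).
BROAD = "access-list acl_outside permit icmp any any"
TYPED = """
access-list acl_outside permit icmp any any echo-reply
access-list acl_outside permit icmp any any source-quench
access-list acl_outside permit icmp any any unreachable
access-list acl_outside permit icmp any any time-exceeded
"""
PARTIAL = """
access-list acl_outside permit icmp any any unreachable
access-list acl_outside permit icmp any any time-exceeded
"""

if __name__ == "__main__":
    for label, cfg in (("broad", BROAD), ("typed", TYPED), ("partial", PARTIAL)):
        print(label, audit_outside_acl(cfg, "acl_outside"))
```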