Traffic originating from the inside interface (outbound connections) is
allowed by default, so an access-list on the inside interface isn't necessary
in this case. Here's an excerpt from the 5.1 manual:
Outbound connections or states are allowed, except those specifically denied
by access control lists. An outbound connection is one where the originator or
client is on a higher security interface than the receiver or server. The
highest security interface is always the inside interface and the lowest is
the outside interface. Any perimeter interfaces can have security levels
between the inside and outside values.
The URL this was taken from is:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v51/config/intro.htm
The access-list in the config only speaks to PINGs, not replies. Try adding
the following to the list:
access-list 100 permit icmp any any echo-reply
HTH
Darren
At 01:35 PM 05/17/2001 -0400, Allen May wrote:
>You need an access-list for the inside interface to allow icmp. I noticed
>you have access list 100 bound to outside so that will allow incoming pings.
>You need one like it for inside.
>
>Allen May
>
>----- Original Message -----
>From: "Mike Peterson"
>To:
>Sent: Thursday, May 17, 2001 11:21 AM
>Subject: Need some help with ping on PIX [7:4859]
>
>
>> Hi, I am trying to allow ping through my PIX firewall , from any
>> workstation on my inside network to any workstation outside the firewall
>> .I also cannot ping my internet router.This is just a simulated network.
>> PC1-------|172.31.2.100                209.165.201.3   209.165.201.1
>>           |----------------PIX---------------------------------------RTR-----Int. Cloud
>> PC2-------|
>>
>> I am missing something for sure, so would you please let me
>> know what I am missing. Thanks, Mike
>>
>> pixfirewall# wr t
>> Building configuration...
>> : Saved
>> :
>> PIX Version 5.1(4)
>> nameif ethernet0 outside security0
>> nameif ethernet1 inside security100
>> nameif ethernet2 pix/intf2 security10
>> nameif ethernet3 pix/intf3 security15
>> enable password 8Ry2YjIyt7RRXU24 encrypted
>> passwd 2KFQnbNIdI.2KYOU encrypted
>> hostname pixfirewall
>> fixup protocol ftp 21
>> fixup protocol http 80
>> fixup protocol h323 1720
>> fixup protocol rsh 514
>> fixup protocol smtp 25
>> fixup protocol sqlnet 1521
>> names
>> access-list 100 permit icmp any any echo
>> pager lines 24
>> logging on
>> no logging timestamp
>> no logging standby
>> no logging console
>> no logging monitor
>> logging buffered debugging
>> no logging trap
>> no logging history
>> logging facility 20
>> logging queue 512
>> interface ethernet0 auto
>> interface ethernet1 auto
>> interface ethernet2 auto shutdown
>> interface ethernet3 auto shutdown
>> mtu outside 1500
>> mtu inside 1500
>> mtu pix/intf2 1500
>> mtu pix/intf3 1500
>> ip address outside 209.165.201.3 255.255.255.224
>> ip address inside 172.31.2.100 255.255.255.0
>> ip address pix/intf2 127.0.0.1 255.255.255.255
>> ip address pix/intf3 127.0.0.1 255.255.255.255
>> no failover
>> failover timeout 0:00:00
>> failover ip address outside 0.0.0.0
>> failover ip address inside 0.0.0.0
>> failover ip address pix/intf2 0.0.0.0
>> failover ip address pix/intf3 0.0.0.0
>> arp timeout 14400
>> nat (inside) 0 172.31.2.0 255.255.255.0 0 0
>> static (inside,outside) 209.165.201.3 172.31.2.100 netmask
>> 255.255.255.255 0 0
>> access-group 100 in interface outside
>> rip inside default version 1
>> route outside 0.0.0.0 0.0.0.0 209.165.201.1 1
>> timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
>> timeout rpc 0:10:00 h323 0:05:00
>> timeout uauth 0:05:00 absolute
>> aaa-server TACACS+ protocol tacacs+
>> aaa-server RADIUS protocol radius
>> no snmp-server location
>> no snmp-server contact
>> snmp-server community public
>> no snmp-server enable traps
>> floodguard enable
>> isakmp identity hostname
>> telnet timeout 5
>> terminal width 80
>> Cryptochecksum:2012a7889adc85895d9db997c1ca0878
>> : end
>> [OK]
>> pixfirewall#
>>
>> FAQ, list archives, and subscription info:
>http://www.groupstudy.com/list/cisco.html
>> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
***************************************************************************************************************
Darren S. Crawford
Lucent Technologies Worldwide Services
2377 Gold Meadow Way, Suite 230
Sacramento, CA 95670
Phone: (916) 859-5200 x310    Fax: (916) 859-5201    Pager: (800) 467-1467
Email: [EMAIL PROTECTED]    Epager: [EMAIL PROTECTED]
http://www.lucent.com
Network Systems Consultant - CCNA, CCIE Written
"Providing the Power Operable Networks."
***************************************************************************************************************
"Ham and Eggs - A day's work for a chicken; A lifetime commitment for a pig."
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=4880&t=4859
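A worked check for the point made in the reply above, added here as an example and not part of the original thread or of any Cisco tool: PIX 5.1 does not track ICMP statefully, so the echo-replies to pings sent from the inside arrive at the outside interface as new inbound packets and are dropped unless the access-list bound inbound on that lower-security interface permits them. The script parses the nameif / access-list / access-group lines of a config dump (the embedded sample is the relevant lines from the posted config), evaluates the outside ACL first-match for the ICMP types that come back to an inside sender, and prints the access-list lines that would close the gap. It goes beyond the single echo-reply line in the reply by also checking unreachable and time-exceeded, the other return types a PIX of that era had to pass for traceroute and path-MTU discovery; the RETURN_TYPES tuple and the hypothetical `<interface>_in` ACL name it proposes when no ACL is bound at all are assumptions of this example.

```python
"""Audit a PIX 5.x-style config for ICMP return traffic (added example).

PIX 5.1 does not inspect ICMP statefully: an echo-reply to a ping sent from
inside arrives on the outside interface as a fresh inbound packet and is
subject to the access-list bound inbound there.  This script reads the
nameif / access-list / access-group lines of a config dump, evaluates that
ACL first-match for the ICMP types that come back to an inside sender, and
proposes the access-list lines that close any gap.
"""
import re
from collections import defaultdict

# ICMP types that return to an inside-originated sender.  Assumption: the
# goal is working ping and traceroute/PMTUD; the reply in the thread only
# names echo-reply, the other two are the usual additions.
RETURN_TYPES = ("echo-reply", "unreachable", "time-exceeded")

# PIX accepts numeric ICMP types as well; normalise the common ones.
ICMP_NUMBERS = {"0": "echo-reply", "3": "unreachable", "8": "echo", "11": "time-exceeded"}

# Constructed sample: the relevant lines from the config posted in the thread.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list 100 permit icmp any any echo
access-group 100 in interface outside
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.*)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")
NAMEIF_RE = re.compile(r"^nameif\s+\S+\s+(\S+)\s+security(\d+)$")


def _skip_addr(tokens):
    """Drop one PIX address spec: 'any', 'host A', or 'A MASK'."""
    if not tokens:
        return tokens
    return tokens[1:] if tokens[0] == "any" else tokens[2:]


def parse_config(config):
    """Return (acls, bound, levels): ACL entries, inbound ACL per interface,
    and security level per interface."""
    acls = defaultdict(list)   # acl id -> [(action, protocol, icmp_type or None)]
    bound = {}                 # interface -> acl id applied inbound
    levels = {}                # interface -> security level
    for raw in config.splitlines():
        line = raw.strip()
        if m := NAMEIF_RE.match(line):
            levels[m.group(1)] = int(m.group(2))
        elif m := GROUP_RE.match(line):
            bound[m.group(2)] = m.group(1)
        elif m := ACL_RE.match(line):
            acl, action, proto, rest = m.groups()
            tokens = _skip_addr(_skip_addr(rest.split()))  # drop source, then destination
            icmp_type = ICMP_NUMBERS.get(tokens[0], tokens[0]) if tokens else None
            acls[acl].append((action, proto, icmp_type))
    return acls, bound, levels


def _permitted(entries, icmp_type):
    """First-match evaluation for ICMP of one type (source/destination ignored)."""
    for action, proto, entry_type in entries:
        if proto not in ("icmp", "ip"):
            continue
        if proto == "ip" or entry_type is None or entry_type == icmp_type:
            return action == "permit"
    return False  # every access-list ends in an implicit deny


def audit(config):
    """Map each interface below the highest security level to the ICMP
    return types its inbound ACL (or the lack of one) would drop."""
    acls, bound, levels = parse_config(config)
    if not levels:
        return {}
    top = max(levels.values())
    missing = {}
    for iface, level in levels.items():
        if level == top:
            continue  # highest-security interface: outbound is allowed by default
        entries = acls.get(bound.get(iface), [])
        gaps = [t for t in RETURN_TYPES if not _permitted(entries, t)]
        if gaps:
            missing[iface] = gaps
    return missing


def fix_lines(config):
    """Config lines that close the gaps audit() reports."""
    _, bound, _ = parse_config(config)
    lines = []
    for iface, gaps in audit(config).items():
        acl = bound.get(iface)
        new_binding = acl is None
        if new_binding:
            acl = f"{iface}_in"  # hypothetical name; no ACL is bound yet
        lines.extend(f"access-list {acl} permit icmp any any {t}" for t in gaps)
        if new_binding:
            lines.append(f"access-group {acl} in interface {iface}")
    return lines


if __name__ == "__main__":
    print("missing:", audit(SAMPLE_CONFIG))
    print("\n".join(fix_lines(SAMPLE_CONFIG)))
```

Run against the sample, it reports all three return types missing on `outside` and proposes the three `access-list 100 permit icmp any any ...` lines; permitting specific types this way is preferable to a blanket `permit icmp any any`, which would also let inbound echo requests and redirects through. Source and destination addresses are deliberately ignored in the evaluation, so the check is an approximation of what the PIX does, not a replacement for testing with `debug icmp trace`.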