Hi Pierre,

For you to be able to ping from one interface (e.g. inside) to another interface (e.g. outside) or the other way round, you must use the ACCESS-LIST and ACCESS-GROUP commands to define and apply this feature.

Looking at your config, though you defined an access-list quite okay, you did not apply the access-list to any interface; in essence the access-list is not in effect. Apply your defined access-list to the desired interface, e.g.

1. access-group acl_ping in interface inside
   Would allow any inside user to be able to ping outside.

2. access-group acl_ping in interface outside
   Would allow any outside user to be able to ping inside.

Your implementation of any depends on the security policy of your client.

My 0.2

Oletu

----- Original Message -----
From: Pierre-Alex Guanel
To:
Sent: Monday, December 10, 2001 12:23 PM
Subject: PIX Configuration [7:28631]

> From a client (inside) I can ping the inside interface of the PIX.
>
> From a client (outside) I can ping the outside interface of the PIX.
>
> However no (inside) client manages to ping or do any sort of traffic with
> hosts outside the PIX.
>
> Do you spot where my problem is?
>
> Thank you!!!
>
> BTECHPIX# sh config
> : Saved
> :
> PIX Version 5.1(2)
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> enable password encrypted
> passwd encrypted
> hostname BTECHPIX
> fixup protocol ftp 21
> fixup protocol http 80
> fixup protocol h323 1720
> fixup protocol rsh 514
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> names
> access-list acl_ping permit icmp any any
> pager lines 24
> logging on
> no logging timestamp
> no logging standby
> no logging console
> no logging monitor
> no logging buffered
> no logging trap
> no logging history
> logging facility 20
> logging queue 512
> interface ethernet0 auto
> interface ethernet1 auto
> mtu outside 1500
> mtu inside 1500
> ip address outside 209.152.115.123 255.255.255.0
> ip address inside 192.168.3.1 255.255.255.0
> no failover
> failover timeout 0:00:00
> failover ip address outside 0.0.0.0
> failover ip address inside 0.0.0.0
> arp timeout 14400
> global (outside) 1 209.152.115.125
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> route outside 0.0.0.0 0.0.0.0 209.152.115.1 1
> timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
> timeout rpc 0:10:00 h323 0:05:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> floodguard enable
> isakmp identity hostname
> .........

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=28784&t=28631
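
The reply's point, that an access-list does nothing until an access-group binds it to an interface, can be checked mechanically over a saved configuration. The Python script below is an added example, not part of the original thread: the function name `audit_acl_bindings` is hypothetical, the sample is an excerpt of the configuration quoted above, and it assumes the `access-group <acl> in interface <name>` form used in the reply.

```python
import re

# Excerpt of the configuration quoted in the thread (no access-group line present).
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list acl_ping permit icmp any any
ip address outside 209.152.115.123 255.255.255.0
ip address inside 192.168.3.1 255.255.255.0
global (outside) 1 209.152.115.125
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 209.152.115.1 1
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(?:permit|deny)\b")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)")
NAMEIF_RE = re.compile(r"^nameif\s+\S+\s+(\S+)\s+security\d+")


def audit_acl_bindings(config_text):
    """Return (unbound ACL names, bindings that reference something undefined)."""
    acls, interfaces, bindings = set(), set(), []
    for raw in config_text.splitlines():
        line = raw.lstrip("> \t").rstrip()  # tolerate e-mail quote markers
        if m := ACL_RE.match(line):
            acls.add(m.group(1))
        elif m := GROUP_RE.match(line):
            bindings.append((m.group(1), m.group(2)))
        elif m := NAMEIF_RE.match(line):
            interfaces.add(m.group(1))
    bound = {acl for acl, _ in bindings}
    # ACLs that exist but are never attached to an interface have no effect.
    unbound = sorted(acls - bound)
    # Bindings naming an ACL or interface the config never defines (e.g. a typo).
    dangling = [(a, i) for a, i in bindings if a not in acls or i not in interfaces]
    return unbound, dangling


if __name__ == "__main__":
    unbound, dangling = audit_acl_bindings(SAMPLE_CONFIG)
    for name in unbound:
        print(f"access-list {name} is defined but not applied with access-group")
    for acl, ifname in dangling:
        print(f"access-group {acl} on {ifname} references an undefined ACL or interface")
```

A misspelled interface name in an access-group line is reported in the second list, since it matches no `nameif` entry.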