No. Though the PIX allows traffic from a higher security interface to a lower one, you cannot ping the dmz interface from the inside interface successfully because the echo-reply (the response from the dmz interface) will be disallowed from entering the inside interface, so you will end up having time-outs.

The only way to have a successful ping is to implement the permit icmp any any command. The ping failed not because it did not get to the dmz interface, but because the PIX Adaptive Security Algorithm (ASA) disallows the response from coming back to you. The only way to go about it is to use the conduit or access-list command to create an exception for the ASA, so that it can allow the returned ping response.

PIX#Conduit permit icmp any any

0.02 cents

Regards.
Oletu

----- Original Message -----
From: cage
To:
Sent: Saturday, January 26, 2002 5:08 PM
Subject: about the ping in pix ? [7:33333]

> Is it true: "Traffic is ALWAYS allowed between from a higher security
> interface to a lower security interface without doing anything special?"
> If it is true, can I ping from the inside or dmz to outside without the
> configuring of the access-list icmp any any?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33339&t=33333