I didn't see a clear explanation regarding this ICMP behavior on the PIX
on CCO. But I do know for sure that there is no workaround for this. I
guess you can just call it a "security feature" :-).

-- Lidiya White

-----Original Message-----
From: dk [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, April 10, 2002 2:17 AM
To: Lidiya White
Cc: [EMAIL PROTECTED]
Subject: Re: PIX problem [7:40928]

Could you explain why this is the case?

You can do it with a router !! :-)



----- Original Message -----
From: "Lidiya White" 
To: 
Sent: Tuesday, April 09, 2002 11:53 PM
Subject: RE: PIX problem [7:40928]


> You'll never be able to ping interface of the PIX that is not directly
> connected to you (like in your case). Not access-list, not icmp commands
> can enable that 'feature'.
>
>
> -- Lidiya White
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of dk
> Sent: Tuesday, April 09, 2002 10:14 AM
> To: [EMAIL PROTECTED]
> Subject: Re: PIX problem [7:40928]
>
> Thanks for the input, I have allowed the required icmp access ...
>
> To try and clarify ...
>
> I'm trying to ping the pix interface E1 (ip address 10.222.62.1) through
> pix interface E0 (ip address 10.222.33.1) from my workstation (ip address
> 10.222.32.100). I can successfully ping the PIX E0 interface and any devices
> on the 10.222.62.0 network going through the PIX E1 interface, but when I
> try to ping the PIX E1 interface itself I get no response, no error is
> logged and the conduit hitcount is not incremented.
>
> Is it a feature?
>
> ----- Original Message -----
> From: "HORVATH TAMAS"
> To:
> Sent: Tuesday, April 09, 2002 4:04 PM
> Subject: Re: PIX problem [7:40928]
>
>
> > Hi!
> >
> > See http://www.cisco.com/warp/customer/110/31.html
> >
> >
> > According to this document "Inbound ICMP through the PIX is denied by
> > default; outbound ICMP is permitted, but the incoming reply is denied by
> > default." So you can ping every PIX interface from the PIX and from the
> > directly connected LAN, but can't ping through the pix.
> >
> > I think you should not ping through the PIX default, just from the PIX (from
> > Telnet console).
> >
> > According to this document: "In PIX Software versions 4.1(6) until 5.2.1,
> > ICMP traffic to the PIX's own interface is permitted; the PIX cannot be
> > configured to not respond. Beginning in PIX Software version 5.2.1, ICMP is
> > still permitted by default, but PIX ping responses from its own interfaces
> > can be disabled with the icmp command (that is, a "stealth PIX")"
> >
> >
> > By, HT




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=41099&t=40928