Yep - that conduit would do for the DMZ.
You've also got to remember that the Pix 'always' translates, so you've got
to have some form of translation from DMZ to inside.
Sounds like you must have had the translation from outside to inside for the
outgoing ping to work.
At a minimum for the DMZ you would need:

static (inside,DMZ1) 10.10.10.0 10.10.10.0 netmask 255.255.255.0 0 0

where 10.10.10.0 is your inside network.

This is telling it to translate 10.10.10.0 addresses to 10.10.10.0
(basically it just passes it through untranslated from DMZ to inside).

Of course you may have been using Global and Nat statements. In which case
you need a global statement on the DMZ interface to match up with the NAT on
the inside interface.


Regards,

Gaz



"Karagozian Sarkis" wrote in message news:[EMAIL PROTECTED]...
> Hi Gaz,
>
> Thanks for your explanations. (I am referring to MCNS Man. p.5-41)
> So in fact it should be: conduit permit icmp any any echo-reply
> for allowing icmp replies back in from outside or dmz.
>
> Also why then I was able for example: ping outside 4.22.122.10
> But, Not able to ping dmz 199.16.1.3 (unless the dmz intfc. was shut)
>
> So in order to be able to ping the dmz intfc 192.168.6.3 I need a conduit
> command like : conduit permit icmp host 192.168.6.3 any
>
> Can you explain or correct me on this???
> Thanks.
> Sarkis
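The two ways Gaz describes, written out as an added PIX 6.x configuration fragment (not from the thread or the MCNS manual). The interface names, security levels, the PIX's own interface addresses and the DMZ1 global pool are assumptions; 10.10.10.0/24 and 192.168.6.x come from the thread.

```cisco
: Added example: minimum PIX 6.x config so the inside (10.10.10.0/24) can reach
: the DMZ and get ICMP echo-replies back. Names, security levels and addresses
: other than 10.10.10.0/24 and 192.168.6.x are assumptions, not from the thread.

: Higher-security inside, lower-security DMZ; the PIX always translates between them
nameif ethernet1 inside security100
nameif ethernet2 DMZ1 security50
ip address inside 10.10.10.1 255.255.255.0
ip address DMZ1 192.168.6.1 255.255.255.0

: Option A: identity static, inside addresses appear unchanged on the DMZ.
: Without some translation inside->DMZ1, traffic simply has no xlate and is dropped.
static (inside,DMZ1) 10.10.10.0 10.10.10.0 netmask 255.255.255.0 0 0

: Option B (instead of A): nat/global. The inside NAT id (1) needs a matching
: global on EVERY lower-security interface it should reach, the DMZ included,
: not only on outside (which is why outside pings worked and DMZ pings did not).
: nat (inside) 1 10.10.10.0 255.255.255.0 0 0
: global (outside) 1 interface
: global (DMZ1) 1 192.168.6.100-192.168.6.200 netmask 255.255.255.0

: The PIX does not keep ICMP state, so replies from outside or the DMZ need an
: explicit conduit. The conduit is written against the global (translated)
: address; with the identity static that is the inside address itself.
conduit permit icmp any any echo-reply

: Narrower alternative: only echo-replies destined for the inside network
: conduit permit icmp 10.10.10.0 255.255.255.0 any echo-reply
```

The `static` line is the only one of these strictly required for inside-to-DMZ traffic; the conduit is what lets the ICMP reply come back through the lower-security interface.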




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47242&t=47193