I think that it may be more secure to just allow echo-reply back to the internal hosts. You can do this with the access-list that is on the outside interface.

Assuming that you want to allow echo-reply back to users who are hidden behind a PAT address (or the hide address in Checkpoint parlance), add the following line to your external access-list:

    access-list From-Internet permit icmp any host 1.1.1.1 echo-reply

Change 1.1.1.1 to whatever your PAT address is. This also assumes that you don't have any access-list on the inside interface; if you do, modify that to allow outbound echo-request.

Hope this helps,
C

-----Original Message-----
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: 10/09/02 15:30
Subject: RE: Internal Users ping through a PIX [7:52962]

You need to use the following global command to enable icmp:

    icmp permit/deny .......

Here's the link for command reference:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/config/commands.htm#xtocid33

Thanks...............Nabil

"I have never let my schooling interfere with my education."

From: Lidiya White
Sent by: nobody@groupstudy.com
Date: 09/09/2002 11:31 PM
Please respond to Lidiya White
cc:
Subject: RE: Internal Users ping through a PIX [7:52962]

The access-list is correct. There is something else that is going on. Use "debug icmp trace" to troubleshoot... How do you test this access-list? What are you trying to ping?

--
Lidiya White

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Elijah Savage III
Sent: Monday, September 09, 2002 7:33 PM
To: [EMAIL PROTECTED]
Subject: Internal Users ping through a PIX [7:52962]

Ok guys, I am on my last leg with this one. I have seen a ton of examples but can't seem to get it working; what am I doing wrong here? All I want is my internal users to be able to ping through the firewall to the net, but external users not be able to ping. Here is the last example I used that does not work.

http://www.cisco.com/warp/public/110/single-net.shtml

    !--- Create an access-list to allow pings out and the return packets back in.
    access-list 100 permit icmp any any echo-reply
    access-list 100 permit icmp any any time-exceeded
    access-list 100 permit icmp any any unreachable
    !--- Apply access-list 100 to the outside interface.
    access-group 100 in interface outside

    pixfirewall# sh version
    Cisco PIX Firewall Version 6.1(3)

I appreciate your help.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=53006&t=52962
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
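As an added illustration (not code from the thread, from Cisco, or from any poster), the following Python models how a PIX outside-interface access-list evaluates inbound ICMP, so the two access-lists quoted in the thread can be compared: both drop an inbound echo (request) from the Internet, but only C's version limits echo-reply to the PAT address. The addresses 1.1.1.1 (PAT address) and 203.0.113.9 (an Internet host) are constructed sample values.

```python
# Added example (not from the thread): a tiny model of how a PIX outside-interface
# access-list decides inbound ICMP. It parses the "access-list ... permit icmp ..."
# lines quoted in the thread and applies first-match-wins with an implicit deny.
# 1.1.1.1 (the PAT address) and 203.0.113.9 (an Internet host) are constructed
# sample values, as in the thread.
from dataclasses import dataclass
import ipaddress

@dataclass
class AclEntry:
    action: str     # "permit" or "deny"
    src: str        # "any" or a host address
    dst: str        # "any" or a host address
    icmp_type: str  # PIX ICMP type keyword (echo, echo-reply, ...) or "any" if omitted

def _addr(tok):
    """Consume 'any' or 'host A.B.C.D' from the front of the token list."""
    if tok[0] == "any":
        return "any", tok[1:]
    if tok[0] == "host":
        return str(ipaddress.ip_address(tok[1])), tok[2:]
    raise ValueError("only the 'any' and 'host X' address forms are modelled")

def parse_acl(text):
    """Parse lines like 'access-list NAME permit icmp any host 1.1.1.1 echo-reply'."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[3] != "icmp":
            continue  # only the ICMP syntax used in the thread is modelled
        src, rest = _addr(tok[4:])
        dst, rest = _addr(rest)
        entries.append(AclEntry(tok[2], src, dst, rest[0] if rest else "any"))
    return entries

def inbound_permitted(acl, src_ip, dst_ip, icmp_type):
    """First matching entry wins; no match means the PIX implicit deny."""
    for e in acl:
        if e.src in ("any", src_ip) and e.dst in ("any", dst_ip) \
                and e.icmp_type in ("any", icmp_type):
            return e.action == "permit"
    return False

# Elijah's list (replies to any destination) vs. C's tighter list (PAT address only).
ACL_ORIGINAL = parse_acl("""access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable""")
ACL_TIGHT = parse_acl("access-list From-Internet permit icmp any host 1.1.1.1 echo-reply")
```

With these definitions, inbound_permitted(ACL_TIGHT, "203.0.113.9", "1.1.1.1", "echo") returns False and the same call with "echo-reply" returns True, while ACL_ORIGINAL also passes echo-reply and time-exceeded to any other address behind the outside interface.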