Re: Firewall [7:55547]
Naomi,

Try adding the following lines to your config:

access-list acl_outside permit icmp any any echo-reply (hitcnt=7515)
access-list acl_outside permit icmp any any time-exceeded (hitcnt=911)
access-list acl_outside permit icmp any any unreachable (hitcnt=34292)

As far as pinging from outside to inside, though, you don't want to do that. And if you are using private addresses on your inside network, you won't be able to ping them from the Internet anyway.

Good luck.

Robert Edmonds

"Naomi James" wrote in message news:[EMAIL PROTECTED]...
> I have a PIX 525. I am trying to bring it up on my network. It is installed
> virtually between my router and my ISP's router. While testing, I noticed
> that from an inside host, I could ping my inside interface on the PIX, but
> not the outside interface. From the ISP, they could ping my outside
> interface but not my inside interface. From the PIX I can ping my outside
> interface and beyond.
> Any suggestions?
>
> Naomi James
> Computer Services and Information Technology
> Savannah State University
> 912-356-2509
>
> [GroupStudy.com removed an attachment of type image/gif which had a name of
> Mabelt.gif]
>
> [GroupStudy.com removed an attachment of type image/gif which had a name of
> Mabelb.gif]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=0&t=55547
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Firewall [7:55547]
You have not mentioned any issues though. So I will guess you are somehow unhappy with the default Pix behavior. Did you want to deny all icmp requests? By default, after a certain rev of Pix code, icmp allows are on by default.

icmp deny any outside
icmp deny any inside

Once you place these rules, it will have a 'default deny' afterwards, so if you do

icmp permit host 1.2.3.4 inside

then... all hosts on the inside except for 1.2.3.4 can ping it.

As for allowing people to ping "through" the pix, not sure if a static or anything like that would work (along with an acl). Doesn't seem to make much sense to allow an outsider to ping the inside of a pix anyway.

Typically, the theory behind the pix (at least in its latest incarnation) is that acls generally only apply to traffic traversing THROUGH the pix, not terminating at the pix or any of its interfaces. For that, you need to find the magic "fudge" command, and in this case, the "icmp" commands are the fudge that determine if icmp will be permitted on the pix's inside or outside addresses.

This is all well documented under this URL, assuming code rev 6.2 (you can just go up a tree to find the other revs):

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/config/bafwcfg.htm

> I have a PIX 525. I am trying to bring it up on my network. It is installed
> virtually between my router and my ISP's router. While testing, I noticed
> that from an inside host, I could ping my inside interface on the PIX, but
> not the outside interface. From the ISP, they could ping my outside
> interface but not my inside interface. From the PIX I can ping my outside
> interface and beyond.
> Any suggestions?
>
> Naomi James
> Computer Services and Information Technology
> Savannah State University
> 912-356-2509

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=6&t=55547
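The distinction Carroll draws above (interface ACLs govern traffic going through the PIX, while the `icmp` command list governs ICMP terminating on the PIX's own interfaces, with an implicit deny once any entry exists) is easy to get wrong when auditing a config. The following is an added example, not code from the thread or from Cisco: a small Python model of the `icmp permit|deny` list semantics as described in the post (no rules means pings to an interface are answered; with rules, first match wins and unmatched traffic is dropped). The rule-evaluation order and the sample config lines are assumptions and constructed for illustration, so verify behaviour against the Cisco documentation linked above before relying on this for a real audit.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class IcmpRule:
    """One entry of the PIX 'icmp' control list for to-the-box ICMP."""
    action: str                        # "permit" or "deny"
    source: ipaddress.IPv4Network      # matching source addresses
    interface: str                     # interface name the rule applies to
    icmp_type: Optional[str] = None    # e.g. "echo", "echo-reply"; None = any type


def parse_icmp_rule(line: str) -> IcmpRule:
    """Parse 'icmp {permit|deny} {any|host A.B.C.D|A.B.C.D MASK} [type] if_name'."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "icmp" or tokens[1] not in ("permit", "deny"):
        raise ValueError(f"not an icmp control-list entry: {line!r}")
    action, rest = tokens[1], tokens[2:]
    if rest[0] == "any":
        net, rest = ipaddress.IPv4Network("0.0.0.0/0"), rest[1:]
    elif rest[0] == "host":
        net, rest = ipaddress.IPv4Network(rest[1] + "/32"), rest[2:]
    else:
        # dotted-decimal address followed by a netmask
        net, rest = ipaddress.IPv4Network(f"{rest[0]}/{rest[1]}", strict=False), rest[2:]
    if len(rest) not in (1, 2):
        raise ValueError(f"malformed icmp entry: {line!r}")
    icmp_type = rest[0] if len(rest) == 2 else None
    return IcmpRule(action, net, rest[-1], icmp_type)


def ping_to_interface_allowed(rules: List[IcmpRule], src_ip: str,
                              interface: str, icmp_type: str = "echo") -> bool:
    """Decide whether ICMP from src_ip aimed at the PIX's own interface is accepted.

    Assumed semantics (per Carroll's description): with no entries for the
    interface the PIX answers; once entries exist, the list is walked in order,
    the first match decides, and anything unmatched is implicitly denied.
    """
    applicable = [r for r in rules if r.interface == interface]
    if not applicable:
        return True
    src = ipaddress.IPv4Address(src_ip)
    for r in applicable:
        if src in r.source and (r.icmp_type is None or r.icmp_type == icmp_type):
            return r.action == "permit"
    return False


def audit(config_lines: List[str], probes) -> dict:
    """Evaluate a list of (src_ip, interface) probes against a config; returns {probe: bool}."""
    rules = [parse_icmp_rule(l) for l in config_lines if l.startswith("icmp ")]
    return {(ip, ifc): ping_to_interface_allowed(rules, ip, ifc) for ip, ifc in probes}


if __name__ == "__main__":
    # Constructed sample: one management host may ping the inside interface,
    # nobody may ping the outside interface. Order matters: permit before deny.
    sample_config = [
        "icmp permit host 1.2.3.4 inside",
        "icmp deny any inside",
        "icmp deny any outside",
    ]
    for probe, ok in audit(sample_config, [("1.2.3.4", "inside"),
                                           ("1.2.3.5", "inside"),
                                           ("203.0.113.9", "outside")]).items():
        print(probe, "permitted" if ok else "denied")
```

Running the block prints that 1.2.3.4 is permitted to ping the inside interface while 1.2.3.5 and the outside probe are denied; swapping the first two lines of `sample_config` denies everyone, which is the ordering mistake the model is meant to surface.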
RE: Firewall [7:55547]
That is the normal behavior of the PIX. You'll not be able to change it... If you want to test the connectivity through the PIX, do not ping the outside interface of the PIX from the inside, but ping the default gateway of the PIX.

--
Lidiya White

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Naomi James
Sent: Monday, October 14, 2002 8:19 AM
To: [EMAIL PROTECTED]
Subject: Firewall [7:55547]

I have a PIX 525. I am trying to bring it up on my network. It is installed virtually between my router and my ISP's router. While testing, I noticed that from an inside host, I could ping my inside interface on the PIX, but not the outside interface. From the ISP, they could ping my outside interface but not my inside interface. From the PIX I can ping my outside interface and beyond.

Any suggestions?

Naomi James
Computer Services and Information Technology
Savannah State University
912-356-2509

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=55580&t=55547
RE: Firewall [7:55547]
This is correct. And while you are at it, why not just eliminate pings to the interface once the PIX goes into production for increased security? Just makes it a little bit harder for the Kiddies.

Theo

"Lidiya White"
Sent by: [EMAIL PROTECTED]
10/15/2002 03:44 AM
Please respond to "Lidiya White"

To: [EMAIL PROTECTED]
cc:
Subject: RE: Firewall [7:55547]

That is the normal behavior of the PIX. You'll not be able to change it... If you want to test the connectivity through the PIX, do not ping the outside interface of the PIX from the inside, but ping the default gateway of the PIX.

--
Lidiya White

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Naomi James
Sent: Monday, October 14, 2002 8:19 AM
To: [EMAIL PROTECTED]
Subject: Firewall [7:55547]

I have a PIX 525. I am trying to bring it up on my network. It is installed virtually between my router and my ISP's router. While testing, I noticed that from an inside host, I could ping my inside interface on the PIX, but not the outside interface. From the ISP, they could ping my outside interface but not my inside interface. From the PIX I can ping my outside interface and beyond.

Any suggestions?

Naomi James
Computer Services and Information Technology
Savannah State University
912-356-2509

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=55595&t=55547