Re: Pix Firewall Issue
Kevin,

The newest Cisco VPN3000 client (I believe that it is 2.6b and should be on CCO within a week or 2) that supports Win2000 will terminate to a PIX running 5.2 (I believe) or newer. I would suggest loading your 515 with the newest code (5.3.1). You should be getting another email from me with the link to the code. Grab the VPN software when available.

Tim

"Kevin O'Gilvie" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...

Does anyone know of a vpn client for Windows 2000? I have Cisco Secure but it doesn't run on 2000. I need to implement a vpn solution for my company that will integrate with the PIX 515 that I just purchased.

Regards,
Kevin

From: "Kenny Sallee" [EMAIL PROTECTED]
Reply-To: "Kenny Sallee" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: Pix Firewall Issue
Date: Wed, 7 Feb 2001 15:55:14 -0800

Actually it's not a good idea to do a 'conduit permit icmp any any'. If you want ping traffic to originate inside then do this:

    conduit permit icmp 208.184.23.0 255.255.255.0 any echo-reply

Think about the way ping works - your workstation sends an icmp echo - the end station sends an icmp echo-reply - which from the PIX standpoint is a new inbound packet (cuz it's stateless). Therefore - let the echo-reply in only. Not all ICMP messages.

Kenny

"Daniel Cotts" [EMAIL PROTECTED] wrote in message news:303479FA060CD211B893F805A88AA10F4C@EXCHANGE1...

You're not telling us from where you are pinging. From the PIX? From a host behind the Firewall? From a host outside the Firewall? Anyway this command is good to have in later versions if you want pings to traverse the PIX.

    conduit permit icmp any any

You may also want to modify that command or eliminate it, if you want to enforce a stronger policy.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v50/config/config.htm#xtocid1091627

-----Original Message-----
From: exchange [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 07, 2001 1:09 PM
To: '[EMAIL PROTECTED]'
Subject: Pix Firewall Issue

Hi Gang,

I have a Pix Firewall 520 and wondered if this was a feature or a configuration issue on my firewall. We have an entire class C address say 208.184.23.x to use for our network. We use the 192.168.1.x network for our internal network. I am having problems pinging a machine's Internet ip address say 208.184.23.11 which I noticed is statically mapped to its internal address say 192.168.1.10 on the pix. For example, if I ping another box 208.184.23.12 and not statically mapped to an internal ip address on the pix, I get a response. Any help or hints would be greatly appreciated.

Thanks!

_
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Pix Firewall Issue
Does anyone have a link to the VPN3000 Concentrator Win2k beta software? I'm eager to try this out and ditch having to configure both IPSEC/ISAKMP and PPTP each PIX I configure for VPNs.

--
Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA, Network+, A+
List email: [EMAIL PROTECTED]
Homepage: http://jason.artoo.net/
Cisco resources: http://r2cisco.artoo.net/

"Tim O'Brien" [EMAIL PROTECTED] wrote in message news:96glc8$lcf$[EMAIL PROTECTED]...

Kevin,

The newest Cisco VPN3000 client (I believe that it is 2.6b and should be on CCO within a week or 2) that supports Win2000 will terminate to a PIX running 5.2 (I believe) or newer. I would suggest loading your 515 with the newest code (5.3.1). You should be getting another email from me with the link to the code. Grab the VPN software when available.

Tim
Re: Pix Firewall Issue
PPTP: http://www.cisco.com/warp/public/110/pptppix.html

Or buy a license for every single Win2k box from IRE (which is where Cisco OEMs their Win9x/NT VPN Client from. I don't know what it takes for the IRE VPN Client to work with the PIX): http://www.soft-pk.com/

--
Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA, Network+, A+
List email: [EMAIL PROTECTED]
Homepage: http://jason.artoo.net/
Cisco resources: http://r2cisco.artoo.net/

"Kevin O'Gilvie" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...

Does anyone know of a vpn client for Windows 2000? I have Cisco Secure but it doesn't run on 2000. I need to implement a vpn solution for my company that will integrate with the PIX 515 that I just purchased.

Regards,
Kevin
Re: Pix Firewall Issue
Does anyone know of a vpn client for Windows 2000? I have Cisco Secure but it doesn't run on 2000. I need to implement a vpn solution for my company that will integrate with the PIX 515 that I just purchased.

Regards,
Kevin

From: "Kenny Sallee" [EMAIL PROTECTED]
Reply-To: "Kenny Sallee" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: Pix Firewall Issue
Date: Wed, 7 Feb 2001 15:55:14 -0800

Actually it's not a good idea to do a 'conduit permit icmp any any'. If you want ping traffic to originate inside then do this:

    conduit permit icmp 208.184.23.0 255.255.255.0 any echo-reply

Think about the way ping works - your workstation sends an icmp echo - the end station sends an icmp echo-reply - which from the PIX standpoint is a new inbound packet (cuz it's stateless). Therefore - let the echo-reply in only. Not all ICMP messages.

Kenny
Re: Pix Firewall Issue
Right now there is no Win2k client available from Cisco. There is a beta out of the Altiga 3000 client - which can work with the PIX as well. You may be able to call TAC and request a copy. Though if you are hiding behind PAT and terminating on a PIX you are still SOL.

The alternative for win2k clients is PPTP with MPPE. Very simple to implement and is a hold over until the 2k client is available. You can either terminate on the PIX and use Funk software radius server (cisco secure ACS doesn't support MPPE), a local database created on the PIX, or put a beefy win2k server in a DMZ and pass the PPTP traffic to that server. It'll need to be dual homed and secure as much as possible.

Good luck
Kenny

----- Original Message -----
From: "Kevin O'Gilvie" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Friday, February 09, 2001 7:29 AM
Subject: Re: Pix Firewall Issue

Does anyone know of a vpn client for Windows 2000? I have Cisco Secure but it doesn't run on 2000. I need to implement a vpn solution for my company that will integrate with the PIX 515 that I just purchased.

Regards,
Kevin
Re: Pix Firewall Issue
Can you point me in the right direction of where I can research the alternatives?

Regards,
Kevin

From: "Kenny Sallee" [EMAIL PROTECTED]
To: "Kevin O'Gilvie" [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: Pix Firewall Issue
Date: Fri, 9 Feb 2001 08:23:24 -0800

Right now there is no Win2k client available from Cisco. There is a beta out of the Altiga 3000 client - which can work with the PIX as well. You may be able to call TAC and request a copy. Though if you are hiding behind PAT and terminating on a PIX you are still SOL.

The alternative for win2k clients is PPTP with MPPE. Very simple to implement and is a hold over until the 2k client is available. You can either terminate on the PIX and use Funk software radius server (cisco secure ACS doesn't support MPPE), a local database created on the PIX, or put a beefy win2k server in a DMZ and pass the PPTP traffic to that server. It'll need to be dual homed and secure as much as possible.

Good luck
Kenny
RE: Pix Firewall Issue
You're not telling us from where you are pinging. From the PIX? From a host behind the Firewall? From a host outside the Firewall? Anyway this command is good to have in later versions if you want pings to traverse the PIX.

    conduit permit icmp any any

You may also want to modify that command or eliminate it, if you want to enforce a stronger policy.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v50/config/config.htm#xtocid1091627

-----Original Message-----
From: exchange [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 07, 2001 1:09 PM
To: '[EMAIL PROTECTED]'
Subject: Pix Firewall Issue

Hi Gang,

I have a Pix Firewall 520 and wondered if this was a feature or a configuration issue on my firewall. We have an entire class C address say 208.184.23.x to use for our network. We use the 192.168.1.x network for our internal network. I am having problems pinging a machine's Internet ip address say 208.184.23.11 which I noticed is statically mapped to its internal address say 192.168.1.10 on the pix. For example, if I ping another box 208.184.23.12 and not statically mapped to an internal ip address on the pix, I get a response. Any help or hints would be greatly appreciated.

Thanks!
Re: Pix Firewall Issue
Actually it's not a good idea to do a 'conduit permit icmp any any'. If you want ping traffic to originate inside then do this:

    conduit permit icmp 208.184.23.0 255.255.255.0 any echo-reply

Think about the way ping works - your workstation sends an icmp echo - the end station sends an icmp echo-reply - which from the PIX standpoint is a new inbound packet (cuz it's stateless). Therefore - let the echo-reply in only. Not all ICMP messages.

Kenny

"Daniel Cotts" [EMAIL PROTECTED] wrote in message news:303479FA060CD211B893F805A88AA10F4C@EXCHANGE1...

You're not telling us from where you are pinging. From the PIX? From a host behind the Firewall? From a host outside the Firewall? Anyway this command is good to have in later versions if you want pings to traverse the PIX.

    conduit permit icmp any any

You may also want to modify that command or eliminate it, if you want to enforce a stronger policy.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v50/config/config.htm#xtocid1091627
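
The difference between the two conduit lines discussed in this thread, as an added example that is not from any poster or from Cisco: a simplified Python model that parses a single ICMP conduit and checks, statelessly, which inbound ICMP types an outside host could get through to the statically mapped address. The parser covers only the conduit forms quoted in the thread plus `host`; the outside address 198.51.100.7 and the ICMP keyword spellings are assumptions.

```python
import ipaddress

# ICMP type numbers from RFC 792; keyword spellings are assumed for this model.
ICMP_TYPES = {
    "echo-reply": 0, "unreachable": 3, "source-quench": 4, "redirect": 5,
    "echo": 8, "time-exceeded": 11, "timestamp-request": 13,
}

OUTSIDE_HOST = "198.51.100.7"  # constructed outside sender (documentation range)
MAPPED_HOST = "208.184.23.11"  # global address of the static in the original post


def _take_addr(tokens):
    """Consume 'any', 'host <ip>' or '<ip> <mask>' and return an IPv4 network."""
    head = tokens.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{head}/{tokens.pop(0)}")


def parse_conduit(line):
    """Parse 'conduit permit|deny icmp <global> <foreign> [icmp_type]'."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "conduit" or tokens[2] != "icmp":
        raise ValueError(f"not an ICMP conduit: {line!r}")
    if tokens[1] not in ("permit", "deny"):
        raise ValueError(f"unknown action: {tokens[1]!r}")
    rest = tokens[3:]
    try:
        global_net, foreign_net = _take_addr(rest), _take_addr(rest)
    except IndexError:
        raise ValueError(f"incomplete address in: {line!r}") from None
    icmp_type = None  # None means the rule matches every ICMP type
    if rest:
        name = rest.pop(0)
        if name not in ICMP_TYPES:
            raise ValueError(f"unknown ICMP type keyword: {name!r}")
        icmp_type = ICMP_TYPES[name]
    if rest:
        raise ValueError(f"unexpected trailing tokens: {rest!r}")
    return {"permit": tokens[1] == "permit", "global": global_net,
            "foreign": foreign_net, "icmp_type": icmp_type}


def inbound_permitted(rule, src, dst, icmp_type):
    """Stateless match of one inbound ICMP packet; anything unmatched is dropped."""
    hit = (ipaddress.ip_address(dst) in rule["global"]
           and ipaddress.ip_address(src) in rule["foreign"]
           and rule["icmp_type"] in (None, icmp_type))
    return hit and rule["permit"]


def admitted_types(conduit_line, dst=MAPPED_HOST, src=OUTSIDE_HOST):
    """Names of the ICMP types an outside host can get through to dst."""
    rule = parse_conduit(conduit_line)
    return sorted(name for name, num in ICMP_TYPES.items()
                  if inbound_permitted(rule, src, dst, num))


if __name__ == "__main__":
    for line in ("conduit permit icmp any any",
                 "conduit permit icmp 208.184.23.0 255.255.255.0 any echo-reply"):
        print(f"{line}\n  admits: {', '.join(admitted_types(line))}")
```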