No, though the PIX allows traffic from a higher security interface to a lower
one, you cannot ping the dmz interface from the inside interface
successfully, because the echo-reply (response from the dmz interface) will
be disallowed from entering the inside interface, so you will end up having
time-outs.
The only way to have successful pinging is to implement the permit icmp any
any command.
The ping failed not because it did not get to the dmz interface, but
because the PIX Adaptive Security Algorithm (ASA) disallows the response from
coming back to you. The only way to go about it is to use the conduit or
access-list command to create an exception for the ASA, so that it can
allow the returned ping response.
PIX# conduit permit icmp any any
0.02 cents
Regards.
Oletu
- Original Message -
From: cage
To:
Sent: Saturday, January 26, 2002 5:08 PM
Subject: about the ping in pix ? [7:3]
> Is it true: "Traffic is ALWAYS allowed from a higher security
> interface to a lower security interface without doing anything special?"
> If it is true, can I ping from the inside or dmz to outside without
> configuring the access-list icmp any any?
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=9&t=3
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
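The behaviour described in the thread, modelled as an added example (this is constructed illustration code, not a real PIX and not anything from the list posters). It assumes three interfaces with the usual security levels, a stateful connection table that TCP/UDP sessions populate but ICMP echo does not (the classic PIX behaviour the reply describes, i.e. no ICMP stateful inspection), and an ACL/conduit list consulted only for lower-to-higher traffic. It shows why the inside-to-dmz ping times out without an exception, that `permit icmp any any` fixes it, and that a narrower exception permitting only `echo-reply` also fixes it while still rejecting unsolicited echo requests from the dmz; the interface names, addresses and rule tuples are all made up for the model.

```python
"""Toy model of PIX security-level forwarding and the ICMP echo-reply problem.

Constructed example: not a real PIX and not the ASA implementation, just a
simplification of the rules the mailing-list reply describes.
"""
from dataclasses import dataclass, field

# Interface security levels, typical of a three-interface PIX (constructed).
SECURITY_LEVEL = {"inside": 100, "dmz": 50, "outside": 0}


@dataclass(frozen=True)
class Packet:
    src_if: str
    dst_if: str
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    icmp_type: str = ""   # "echo" or "echo-reply" when proto == "icmp"


@dataclass
class ToyPix:
    # Exceptions for lower->higher traffic, like conduit/access-list entries.
    # Each rule is (proto, icmp_type) where icmp_type "any" matches all types.
    acl: list = field(default_factory=list)
    # Stateful connection table keyed on (proto, src, dst) of the outbound leg.
    conns: set = field(default_factory=set)

    def forward(self, pkt: Packet) -> bool:
        """Return True if the ASA model lets this packet through."""
        high_to_low = SECURITY_LEVEL[pkt.src_if] > SECURITY_LEVEL[pkt.dst_if]
        if high_to_low:
            # Higher -> lower is always permitted. TCP/UDP create a connection
            # entry so their return traffic is admitted; ICMP echo creates no
            # state in this model, which is exactly why the reply gets dropped.
            if pkt.proto in ("tcp", "udp"):
                self.conns.add((pkt.proto, pkt.src, pkt.dst))
            return True
        # Lower -> higher: only return traffic of a known connection ...
        if pkt.proto in ("tcp", "udp") and (pkt.proto, pkt.dst, pkt.src) in self.conns:
            return True
        # ... or traffic explicitly permitted by an ACL/conduit rule.
        return any(
            r_proto == pkt.proto and r_type in ("any", pkt.icmp_type)
            for r_proto, r_type in self.acl
        )


def ping(pix: ToyPix, src_if: str, dst_if: str) -> bool:
    """True only if the echo request goes out AND the echo-reply is admitted back."""
    req = Packet(src_if, dst_if, "icmp", "10.1.1.10", "192.168.1.1", "echo")
    rep = Packet(dst_if, src_if, "icmp", "192.168.1.1", "10.1.1.10", "echo-reply")
    return pix.forward(req) and pix.forward(rep)


def unsolicited_dmz_echo_allowed(pix: ToyPix) -> bool:
    """Would a dmz host be able to ping an inside host under this policy?"""
    return pix.forward(Packet("dmz", "inside", "icmp", "192.168.1.1", "10.1.1.10", "echo"))


if __name__ == "__main__":
    print("no exception      :", ping(ToyPix(), "inside", "dmz"))                   # False (time-out)
    print("permit icmp any   :", ping(ToyPix(acl=[("icmp", "any")]), "inside", "dmz"))
    narrow = ToyPix(acl=[("icmp", "echo-reply")])
    print("permit echo-reply :", ping(narrow, "inside", "dmz"),
          "/ dmz->inside echo allowed:", unsolicited_dmz_echo_allowed(narrow))
```

The narrow rule in the last case corresponds to an access-list entry that names the ICMP type (`echo-reply`) instead of permitting all ICMP; it is enough for the ping to succeed and is the form a defender would normally prefer over `permit icmp any any`, which also admits echo requests and every other ICMP type from the lower-security side.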