How do we ping a PIX?

dalva asked
Last Modified: 2012-05-05
We are setting up two PIX 501 firewalls to do a VPN.  We want to temporarily be able to ping the outside interface for connectivity testing.

What are the config settings to allow this to happen?

Commented:
If you are trying to ping the outside interface from the inside, you will need to allow ICMP on the outside interface.

access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any echo-reply
access-group 101 in interface outside
That is true...if you're pinging from inside the PIX to the outside of the other PIX...
icmp permit <ip> outside
That is true too, but the default behavior of the PIX/ASA code without having that command in there is to allow pings against the interfaces of the PIX.

Commented:
An access list does work.  And it affords one to limit the types of ICMP in addition to restricting origination and destination.
An ACL controls ICMP through the FW - not destined for it. That is why the "icmp" configuration exists.

Commented:
An ACL can control ICMP not only to the firewall but through it.

We're talking inside access for testing.  Either option works and I see nothing in Cisco's documentation that identifies the 'icmp' statement to offer any more benefits security-wise.

Author

Commented:
I've split the points between batry boy and bdeterding.  Batry boy actually answered the question.  I thought by default the PIX denied ping returns which is not the case.  Bdeterding added some clarity to how the icmp command is used.

Thanks to the rest of you who contributed to this question.
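
Added example, not part of the original thread: a small Python check for whether a PIX interface will itself answer a ping from a given source, useful for confirming that temporary test access has been narrowed or removed afterwards. It reads only the `icmp` lines, uses the default stated in the thread (no `icmp` line means the interface answers), and assumes first-match evaluation with an implicit deny once any `icmp` line exists for the interface; the function names and sample addresses are constructed.

```python
import ipaddress

# Constructed sample: the thread's ACL plus one hypothetical 'icmp' rule.
# 192.0.2.10 stands in for the peer PIX's outside address (documentation range).
SAMPLE_CONFIG = """\
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any echo-reply
access-group 101 in interface outside
icmp permit host 192.0.2.10 echo outside
"""

def icmp_rules(config, iface):
    """Return (action, network, icmp_type) for each 'icmp' line on iface."""
    rules = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "icmp" or tok[1] not in ("permit", "deny"):
            continue  # access-list lines and other commands are not to-the-box rules
        if tok[-1] != iface:
            continue
        body = tok[2:-1]
        if body[0] == "any":
            net, rest = ipaddress.ip_network("0.0.0.0/0"), body[1:]
        elif body[0] == "host":
            net, rest = ipaddress.ip_network(body[1] + "/32"), body[2:]
        elif len(body) >= 2 and "." in body[1]:  # address followed by a netmask
            net = ipaddress.ip_network(body[0] + "/" + body[1], strict=False)
            rest = body[2:]
        else:  # bare address, as in 'icmp permit <ip> outside'
            net, rest = ipaddress.ip_network(body[0] + "/32"), body[1:]
        rules.append((tok[1], net, rest[0] if rest else None))
    return rules

def interface_answers_ping(config, src, iface="outside"):
    """True if an echo request from src to the interface itself is accepted."""
    rules = icmp_rules(config, iface)
    if not rules:
        return True  # no 'icmp' rule on this interface: default is to answer
    addr = ipaddress.ip_address(src)
    for action, net, icmp_type in rules:
        if addr in net and icmp_type in (None, "echo"):
            return action == "permit"  # assumption: first matching rule wins
    return False  # assumption: rules exist but none matched, implicit deny
```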