adamant40

asked on

Rule to enable PING and TRACERT on PIX 506E w/PDM 3.0

Hello,
Hopefully a simple one. I have a PIX 506E w/6.3(4) and PDM 3.0(2). I'd like to create a rule that would allow ping and ICMP to work that I can turn on only for testing and then disable again. Can someone walk me through creating that in the PDM? PIX is mission critical so I can't risk making a mistake and tanking it. I'm not overly PIX savvy.  ;-)    Thanks.
Pete Long

Cisco Firewalls and PING

(Note: Tracert uses Ping technology and protocols, and the firewall treats ping and tracert the same.*)

PIX Version 6

With regards to Ping, out of the box, a Cisco firewall will allow you to ping the interface you are connected to, so in a normal setup clients can ping the inside interface, and the firewall's outside interface can be pinged from outside.
OK, to understand pinging through a Cisco firewall you need to understand that Ping is part of the ICMP protocol suite, and unlike other protocols it is not connection orientated. What that means is (on a new firewall that has no rules applied outbound) the firewall happily lets ping traffic out, but it won't let ping traffic back in; this results in a failure on the client.

Allow Pinging of outside hosts

In light of the above the following will let ping traffic back in.

access-list inbound permit icmp any any echo-reply
access-list inbound permit icmp any any time-exceeded
access-list inbound permit icmp any any unreachable
access-group inbound in interface outside

PIX Version 7 and above

Version 7 introduced an ICMP inspection engine so that it could track ICMP requests like other protocols. It's NOT turned on by default. The command is inspect icmp, but you need to enter the default map first; use the following commands from config terminal mode.

policy-map global_policy
 class inspection_default
  inspect icmp

How to STOP interfaces responding to Ping packets

As already stated, you can ping an interface on a Cisco firewall if you are directly connected to it. You can turn this OFF using the icmp command; a lot of people like to disable pinging on the outside interface in an effort to lessen the risk of a denial of service attack. To do this the syntax is as follows:

icmp deny any echo outside

*Note: this does not apply to INBOUND tracerts; these will NOT work without a (fixup protocol icmp) command. In version 7 tracert will not work unless the inspect icmp command has been issued.
adamant40

ASKER

Actually I was looking for how to do it in the PDM. I'm too chicken to use the command line. Plus that way I have a rule that I can just check and uncheck in my GUI to turn on and off. Sorry, I did not make that clear above. Thanks for the good info though.
From PDM

1. Click Configuration.
2. Access-Rules Tab.
3. Rules > Add
4. Action=Permit
5. Source Host/Network, select IP Address

Interface = Outside
IP Address = 0.0.0.0
Mask = 0.0.0.0

6. Destination Host/Network

Interface = inside
IP Address = 0.0.0.0
Mask = 0.0.0.0

7. Protocol and Service, select ICMP
8. Set ICMP Type to "echo-reply"
9. OK
10. Repeat from step 3 but this time set the ICMP type to time-exceeded
11. Repeat from step 3 but this time set the ICMP type to unreachable
12. File > Save Running configuration to flash
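The access-list lines in the CLI answer above and the PDM rules just listed build the same thing: ICMP entries bound inbound on the outside interface. The following is an added example, not code from the thread or from Cisco: a small Python model of how a PIX 6.x treats ICMP statelessly, so you can see why an outbound ping fails with the default config, why it still fails when the permit is bound only on the inside interface, and why it succeeds once echo-reply/time-exceeded/unreachable are permitted inbound on outside. The firewall model, the security-level defaults and the sample packets are constructed simplifications (only the "icmp any any [type]" ACL form is parsed); the mapping "PDM source interface = interface the ACL is bound to" is an assumption.

```python
# Added example (not from the thread): simplified PIX 6.x stateless ICMP model.
from dataclasses import dataclass

SECURITY_LEVEL = {"inside": 100, "outside": 0}   # assumed PIX default levels


@dataclass(frozen=True)
class IcmpPacket:
    icmp_type: str      # echo, echo-reply, time-exceeded, unreachable
    arrives_on: str     # interface the packet enters the firewall on
    leaves_on: str      # interface it would exit on


def parse_config(text):
    """Parse 'access-list <name> permit|deny icmp any any [<type>]' and
    'access-group <name> in interface <ifname>' lines (the forms used here)."""
    acls, bindings = {}, {}
    for raw in text.splitlines():
        p = raw.strip().lower().split()
        if not p:
            continue
        if p[0] == "access-list" and len(p) >= 6 and p[3] == "icmp":
            icmp_type = p[6] if len(p) > 6 else "any"
            acls.setdefault(p[1], []).append((p[2], p[4], p[5], icmp_type))
        elif p[0] == "access-group" and len(p) == 5 and p[3] == "interface":
            bindings[(p[4], p[2])] = p[1]      # (interface, direction) -> ACL
    return acls, bindings


def permitted(pkt, acls, bindings):
    """Simplified rule: an ACL bound inbound on the ingress interface decides
    (first match wins, implicit deny at the end). With no ACL bound, traffic
    is allowed only from a higher- to a lower-security interface."""
    name = bindings.get((pkt.arrives_on, "in"))
    if name is None:
        return SECURITY_LEVEL[pkt.arrives_on] > SECURITY_LEVEL[pkt.leaves_on]
    for action, src, dst, t in acls.get(name, []):
        if src == "any" and dst == "any" and t in ("any", pkt.icmp_type):
            return action == "permit"
    return False


def ping_round_trip(config_text):
    """Judge each leg of an inside->outside ping, plus the time-exceeded reply
    a tracert hop sends back. ICMP is stateless on PIX 6.x, so the reply is
    evaluated on its own with no memory of the request that caused it."""
    acls, bindings = parse_config(config_text)
    legs = {
        "request": IcmpPacket("echo", "inside", "outside"),
        "reply": IcmpPacket("echo-reply", "outside", "inside"),
        "tracert_hop": IcmpPacket("time-exceeded", "outside", "inside"),
    }
    return {leg: permitted(pkt, acls, bindings) for leg, pkt in legs.items()}


# Constructed configurations for the three situations discussed in the thread.
DEFAULT_CONFIG = ""     # out of the box: no access-group on either interface

# Permit all ICMP from inside to outside only (bound on the inside interface).
INSIDE_ONLY_CONFIG = """
access-list outbound permit icmp any any
access-group outbound in interface inside
"""

# The recommended rule set: replies permitted inbound on the outside interface.
INBOUND_REPLY_CONFIG = """
access-list inbound permit icmp any any echo-reply
access-list inbound permit icmp any any time-exceeded
access-list inbound permit icmp any any unreachable
access-group inbound in interface outside
"""

if __name__ == "__main__":
    for label, cfg in [("default", DEFAULT_CONFIG),
                       ("inside-only rule", INSIDE_ONLY_CONFIG),
                       ("inbound reply rules", INBOUND_REPLY_CONFIG)]:
        print(f"{label:20s} {ping_round_trip(cfg)}")
```

Running it shows the request leaving in all three cases; only the third configuration lets the echo-reply and the tracert hop's time-exceeded back in, which is the behaviour the CLI and PDM rules above are meant to produce.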
Now that's what I'm talking about. Idiot proof. I'm going to try it just as soon as I finish this other thingy up.
Perhaps idiot proof was not quite the right description. I have followed the above directions exactly, but cannot ping anything. I deleted the first rule and then created a new one that allowed all ICMP just to test; still no luck.
ASKER CERTIFIED SOLUTION
Pete Long
I did not have an outbound rule applied. I tried adding an outbound rule using the below but I still am unable to ping or tracert.
1. Click Configuration.
2. Access-Rules Tab.
3. Rules > Add
4. Action=Permit
5. Source Host/Network, select IP Address

Interface = Inside
IP Address = 0.0.0.0
Mask = 0.0.0.0

6. Destination Host/Network

Interface = Outside
IP Address = 0.0.0.0
Mask = 0.0.0.0

7. Protocol and Service, select ICMP
8. Set ICMP Type to "any"
I was unable to get this working. Now we have upgraded to IOS 8 so point is moot. Thanks to Pete for all his excellent input.
Pete's input worked here. :) Same setup.