Cisco PIX 515: outside ping to internal hosts

Hi,

Can this be done? I have a Cisco PIX 515E and would like to ping internal hosts for monitoring purposes. I have no trouble pinging the outside real IP; I just don't know how to accomplish pinging the inside IP. I would like to ping my mail server inside for monitoring purposes. I would like to restrict ping from a certain host. The mail server inside is 192.168.100.50. Inside hosts have no problems pinging outside.

any help will be appreciated!

ip address outside x.x.x.111 255.255.255.240
ip address inside 192.168.100.1 255.255.255.0

access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any
access-list 100 permit tcp any host x.x.x.112 eq www
access-list 100 permit tcp any host x.x.x.112 eq 25
access-list 100 permit tcp any host x.x.x.112 eq 1001
access-list 100 permit tcp any host x.x.x.112 eq 1002
access-group 100 in interface outside

static (inside,outside) tcp x.x.x.112 1001 192.168.100.48 8080 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.112 1002 192.168.100.49 8080 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.112 www 192.168.100.50 www netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.112 25 192.168.100.50 25 netmask 255.255.255.255 0 0
Reply to
google

This is not a good idea. Perhaps you could better monitor over a secure connection (like SSH, SSL, TLS, etc.), not with ICMP echo.

Yours, VB.

Reply to
Volker Birk

Thanks for the reply. My apps need ping, unfortunately. I do not think this will work, but I could be wrong. So when I ping x.x.x.112, how does the PIX determine which internal host I am pinging?

Reply to
google

Then you'll need some VPN.

Yours, VB.

Reply to
Volker Birk

In article , wrote:
:can this be done. I have cisco pix 515e and would like to ping internal
:hosts for monitoring purposes.
:i have no trouble pinging the outside real IP. just don't know how to
:accomplish pinging the inside IP. i would like to ping my mail server
:inside for monitoring purposes. i would like to restrict ping from a
:certain host. the mail server inside is 192.168.100.50
:inside hosts have no problems pinging outside.

:access-list 100 permit icmp any any echo-reply
:access-list 100 permit icmp any any time-exceeded
:access-list 100 permit icmp any any

The third line is a superset of the first two, so the first two are not needed in that configuration. On the other hand, you don't really want to permit in all icmp, as people are actively using icmp network redirects in order to try to steal banking information.

To allow in ping specifically, I suggest

access-list 100 permit icmp any host x.x.x.112 echo

:access-group 100 in interface outside

:static (inside,outside) tcp x.x.x.112 1001 192.168.100.48 8080 netmask 255.255.255.255 0 0

In order to get the icmp through to the host, you will have to forward the entire IP, not just individual ports.

If you have PIX 6.3 then you could try using "policy static".

Reply to
Walter Roberson
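Putting the advice in this thread together as an added configuration example (not posted by anyone in the thread): PIX 6.x syntax, a whole-IP static for the mail server, and echo permitted only from the monitoring station. The spare outside address x.x.x.113 and the monitoring host 203.0.113.10 are assumed placeholders.

```cisco
! Added example, not from the thread. Assumptions: x.x.x.113 is an unused
! address in the outside block; 203.0.113.10 is the monitoring station.
!
! 1. Drop the blanket ICMP permit. Keep the reply types inside hosts rely
!    on, because PIX 6.x does not track ICMP statefully.
no access-list 100 permit icmp any any
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
!
! 2. Echo only, only from the monitoring host, only to the mail server's
!    translated address (the OP's "restrict ping from a certain host").
access-list 100 permit icmp host 203.0.113.10 host x.x.x.113 echo
!
! 3. A whole-IP static: the port statics on x.x.x.112 translate TCP only,
!    so ICMP to x.x.x.112 has no inside destination to reach.
static (inside,outside) x.x.x.113 192.168.100.50 netmask 255.255.255.255 0 0
!
! 4. Existing translations are cached; clear them so the new static applies,
!    then confirm with "show static" and "show access-list 100".
clear xlate
```

The mail server's own reply leaves via the inside interface, which has no access-list, so no further ACL entry is needed for the echo-reply.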
