ping from outside network

hi,

In my config of PIX 525 (6.3) I have only two access-group lines:

    access-group ping_acl in interface inside
    access-group ping_acl in interface dmz

and I can still ping the outside interface from the outside network? Why is that?

voytas

Hi,

Are you saying that you are able to ping the outside interface from the inside network?

vreyesii


Showing us the access lists might help!

chris

Pinging of interfaces is controlled by the 'icmp' command, not by access-group.

Walter Roberson

[link]
hope this will clear all ur doubts

regard, l

dabance

ok, so the beginning.

  1. i ping from outside network my pix 525 (outside interface).

  2. my ACL:

         access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
                     alert-interval 300
         access-list ping_acl; 1 elements
         access-list ping_acl line 1 permit icmp any any (hitcnt=15789)
         access-list acl_out; 2 elements
         access-list acl_out line 1 permit icmp any any (hitcnt=17)
         access-list acl_out line 2 permit tcp any host IP_my_www_server eq www (hitcnt=4)

  3. the site you showed is not available.

tc

voytas

As Walter mentioned earlier, ICMP traffic bound for the PIX is not controlled by the normal access list.

There is a separate ICMP access list:-

[link]
James


yeah, you are right: command icmp

next time i two times ask google :)

thx

voytas
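
The distinction the thread arrives at, as an added example that is not code from any poster: a small Python audit that reads PIX 6.x-style configuration text and decides whether an interface itself would answer a ping, looking only at `icmp` statements and ignoring `access-group` bindings. The configs and addresses are constructed; the function names are hypothetical, and the code assumes that an interface with no `icmp` statements accepts ICMP addressed to it, and that once any statement exists the first match wins with an implicit deny at the end.

```python
import ipaddress
import re

# Constructed PIX 6.3-style config; ACL and interface names follow the thread.
SAMPLE_CONFIG = """\
access-list ping_acl permit icmp any any
access-group ping_acl in interface inside
access-group ping_acl in interface dmz
"""
# Same config plus to-the-box ICMP rules for the outside interface (constructed).
HARDENED_CONFIG = SAMPLE_CONFIG + """\
icmp permit host 192.0.2.10 echo outside
icmp deny any echo outside
icmp permit any unreachable outside
"""

def icmp_rules(config, if_name):
    """Parse 'icmp {permit|deny} <source> [icmp_type] <if_name>' lines for one interface."""
    rules = []
    for action, rest in re.findall(r"^icmp\s+(permit|deny)\s+(.+)$", config, re.M):
        *tok, name = rest.split()
        if name != if_name or not tok:
            continue
        if tok[0] == "any":
            net, tok = "0.0.0.0/0", tok[1:]
        elif tok[0] == "host":
            net, tok = tok[1] + "/32", tok[2:]
        else:                                   # address followed by netmask
            net, tok = f"{tok[0]}/{tok[1]}", tok[2:]
        rules.append((action, ipaddress.ip_network(net, strict=False), tok[0] if tok else None))
    return rules

def ping_answered(config, if_name, src):
    """True if the firewall interface itself would answer an echo request from src."""
    rules = icmp_rules(config, if_name)
    if not rules:
        return True                             # assumption: no icmp list means accept
    for action, net, icmp_type in rules:
        if ipaddress.ip_address(src) in net and icmp_type in (None, "echo", "8"):
            return action == "permit"           # first match wins
    return False                                # assumption: implicit deny after the list

def acl_bound_interfaces(config):
    """Interfaces that have an access-group; this never affects ping_answered()."""
    return set(re.findall(r"^access-group\s+\S+\s+in\s+interface\s+(\S+)", config, re.M))

if __name__ == "__main__":
    for label, cfg in (("thread config", SAMPLE_CONFIG), ("with icmp rules", HARDENED_CONFIG)):
        print(label, "ACLs on:", sorted(acl_bound_interfaces(cfg)),
              "| outside answers 203.0.113.7:", ping_answered(cfg, "outside", "203.0.113.7"))
```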
