PIX - enabling PING of inside PIX interface from a host on the outside....

Fairly new to CISCO PIX so forgive me if I'm asking the obvious...

I have a PIX that I want to configure to allow pinging of the inside PIX interface from a host located on the PIX outside interface....

My config allows icmp any from the entire subnet on the outside interface to the entire subnet on the inside interface - since the inside subnet covers the inside interface I'd have thought this would have worked, but it doesn't.

I can ping any host on the inside interface subnet from the outside host, but not the actual inside interface itself.....

In the log I'm getting:-

PIX-3-305005: No translation group found for icmp src outside:192.168.100.100 dst inside: 192.168.1.1 (type 8, code0)

192.168.100.100 is the outside host, connecting via the PIX outside interface 192.168.100.1, 192.168.1.1 is the inside PIX interface.

Any help greatly appreciated.

ZXL

In article , ZXL wrote:
:Fairly new to CISCO PIX so forgive me if I'm asking the obvious...

:I have a PIX that I want to configure to allow pinging of the inside PIX
:interface from a host located on the PIX outside interface....

The only way to do that in the PIX is to be using PIX 6.3 or later and to establish a VPN tunnel marked as a "management interface" connected to the inside interface. Then you'll be able to ping the inside interface from outside... but you will not be able to use that same tunnel to get -past- the PIX to anything inside the PIX.

The rule of thumb on the PIX is that you can only ever ping the interface "closest" to you.

Walter Roberson
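Added example, not part of the thread: a small triage helper for the 305005 message quoted above. It separates the case described in this answer (the destination is one of the PIX's own interfaces, reached from a different interface) from an ordinary missing translation for a host behind the firewall. The interface table comes from the addresses in the thread; the verdict names, the function name and the second log line are constructed for illustration.

```python
import ipaddress
import re

# Interface addresses as given in the thread; replace for another firewall.
PIX_INTERFACES = {"outside": "192.168.100.1", "inside": "192.168.1.1"}

# Body of a 305005 message. Tolerates the space after "inside:" seen in the
# quoted log and an optional "/port" suffix on either address.
LINE_RE = re.compile(
    r"PIX-3-305005: No translation group found for (?P<proto>\S+) "
    r"src (?P<src_if>[\w-]+):\s*(?P<src>[\d.]+)(?:/\d+)? "
    r"dst (?P<dst_if>[\w-]+):\s*(?P<dst>[\d.]+)(?:/\d+)?"
)


def classify_305005(line, interfaces=PIX_INTERFACES):
    """Return a dict describing the log line, or None if it is not 305005."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    own = {ipaddress.ip_address(a): name for name, a in interfaces.items()}
    dst = ipaddress.ip_address(m["dst"])
    if dst in own and own[dst] != m["src_if"]:
        # Traffic aimed at the firewall's own address on another interface:
        # per the rule of thumb above, no ACL or NAT change will fix this.
        verdict = "far-side-interface"
    else:
        # Destination is a host behind the firewall with no matching
        # translation: review the nat/static configuration instead.
        verdict = "missing-translation"
    return {"proto": m["proto"], "src": m["src"], "dst": m["dst"],
            "arrived_on": m["src_if"], "verdict": verdict}


SAMPLE_LINES = [
    # Line quoted in the original post.
    "PIX-3-305005: No translation group found for icmp src "
    "outside:192.168.100.100 dst inside: 192.168.1.1 (type 8, code0)",
    # Constructed line: inside host that has no translation configured.
    "%PIX-3-305005: No translation group found for tcp src "
    "outside:192.168.100.100/1045 dst inside:192.168.1.20/80",
]

if __name__ == "__main__":
    for entry in SAMPLE_LINES:
        print(classify_305005(entry))
```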

Thanks for this Walter...

It just doesn't make this clear in the documentation (well - at least the 2 books I have)...!

Are you sure there isn't any other way??? Seems to be a lot of effort in setting up a VPN tunnel to each inside interface for the sake of pinging it!

Only reason I want to ping each interface is to ensure that interface is 'up' and responsive from a monitoring point of view... I have set up SNMP to send traps to an SNMP management server - surely this would pick up if an interface failed (I don't actually have visibility of the SNMP server though).

ZXL
