Firewall Wizards mailing list archives

RE: [fw-wiz]: unable to ping internet servers


From: "Steven Alexander" <alexander.s () mccd edu>
Date: Mon, 2 Jun 2003 09:33:28 -0700

You have to allow inbound ICMP echo-reply packets.  ICMP isn't
connection oriented so the incoming echo-reply is not known to be part
of the same sequence of events as the earlier outgoing echo-request.

-steven

-----Original Message-----
From: Hilal Hussein [mailto:hilalma () hotmail com] 
Sent: Sunday, June 01, 2003 8:07 AM
To: Wesley_Noonan () bmc com; avraham () jct ac il;
firewall-wizards () icsalabs com
Subject: [fw-wiz] [fw-wiz]: unable to ping internet servers


Dear Gentlemen,

I have a PIX 520 Firewall with

global (outside) 1 1.2.3.4
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 11.22.33.44 172.17.1.10 netmask 255.255.255.255 0 0
conduit permit gre host 11.22.33.44 host 55.66.77.88
conduit permit icmp any any
outbound 10 permit 172.17.0.0 255.255.0.0 0 tcp
outbound 10 permit 172.17.0.0 255.255.0.0 0 udp
outbound 10 permit 172.17.0.0 255.255.0.0 0 icmp
apply (inside) 10 outgoing_src

We are accessing the internet having a direct connection from the firewall
to the ISP router, and all internal users have the firewall as the internet
gateway.

Questions
Why can't internal users ping www.yahoo.com, or even the IP address of the
Yahoo server or any internet server, while at the same time I can do the
ping from the firewall itself - ping outside 64.58.76.224?

Do I need to make any changes in the firewall, since conduit permit icmp
any any & outbound 10 permit 172.17.0.0 255.255.0.0 0 icmp should have
allowed bidirectional ICMP traffic between our internal network
(172.17.0.0 - 255.255.0.0)?

Hopefully I am clear in describing the problem; your comments and support
are highly appreciated.


With regards,

Hilal Hussein


_______________________________________________
firewall-wizards mailing list firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
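
Added example (not part of the original posts, and not PIX code): a small Python model of the point in the reply above, that a per-packet filter cannot tie an echo-reply to the earlier echo-request. It goes beyond the thread by also showing a filter that tracks outstanding requests. The class names and the 203.0.113.9 sender are assumptions made up for illustration, and NAT is ignored.

```python
from dataclasses import dataclass

ECHO_REQUEST, ECHO_REPLY = 8, 0  # ICMP type numbers

@dataclass(frozen=True)
class Icmp:
    src: str
    dst: str
    icmp_type: int
    ident: int
    seq: int

class StatelessFilter:
    """Per-packet rules only: inbound ICMP passes if its type is listed."""
    def __init__(self, inbound_types):
        self.inbound_types = set(inbound_types)
    def outbound(self, pkt):
        return True  # assumption: inside hosts may send any ICMP
    def inbound(self, pkt):
        return pkt.icmp_type in self.inbound_types

class EchoTrackingFilter:
    """Remembers outstanding echo-requests; admits only matching replies."""
    def __init__(self):
        self.pending = set()
    def outbound(self, pkt):
        if pkt.icmp_type == ECHO_REQUEST:
            self.pending.add((pkt.src, pkt.dst, pkt.ident, pkt.seq))
        return True
    def inbound(self, pkt):
        key = (pkt.dst, pkt.src, pkt.ident, pkt.seq)
        if pkt.icmp_type == ECHO_REPLY and key in self.pending:
            self.pending.discard(key)  # one reply per request
            return True
        return False

def run(fw):
    """Constructed traffic: one ping, its reply, then an unsolicited reply."""
    req = Icmp("172.17.1.10", "64.58.76.224", ECHO_REQUEST, 0x1234, 1)
    reply = Icmp("64.58.76.224", "172.17.1.10", ECHO_REPLY, 0x1234, 1)
    stray = Icmp("203.0.113.9", "172.17.1.10", ECHO_REPLY, 0x9999, 7)
    fw.outbound(req)
    return fw.inbound(reply), fw.inbound(stray)
```

run() returns whether the matching reply and the unsolicited reply were admitted: a stateless filter with no inbound ICMP rule drops both, one that permits echo-reply admits both, and the tracking filter admits only the reply that answers the recorded request.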

