Pinging Through The Security Appliance - Cisco PIX 500 Series Configuration Manual
Security appliance command line
Hide thumbs
Also See for PIX 500 Series:
- Administration manual (653 pages) ,
- Quick start manual (72 pages) ,
- User manual (60 pages)
Table of Contents
Advertisement
Testing Your Configuration
Figure 43-3
Router
Ping each security appliance interface from a remote host. For transparent mode, ping the management
Step 3
IP address. This test checks whether the directly connected router can route the packet between the host
and the security appliance, and whether the security appliance can correctly route the packet back to the
host.
A ping might fail if the security appliance does not have a return route to the host through the
intermediate router (see
successful, but system log message 110001 appears, indicating a routing failure.
Figure 43-4
Host
Pinging Through the Security Appliance
After you successfully ping the security appliance interfaces, make sure traffic can pass successfully
through the security appliance. For routed mode, this test shows that NAT is operating correctly, if
configured. For transparent mode, which does not use NAT, this test confirms that the security appliance
is operating correctly. If the ping fails in transparent mode, contact Cisco TAC.
To ping between hosts on different interfaces, perform the following steps:
To add an access list allowing ICMP from any source host, enter the following command:
Step 1
hostname(config)# access-list ICMPACL extended permit icmp any any
By default, when hosts access a lower security interface, all traffic is allowed through. However, to
access a higher security interface, you need the preceding access list.
Step 2
To assign the access list to each source interface, enter the following command:
hostname(config)# access-group ICMPACL in interface interface_name
Repeat this command for each source interface.
To enable the ICMP inspection engine and ensure that ICMP responses may return to the source host,
Step 3
enter the following commands:
hostname(config)# class-map ICMP-CLASS
hostname(config-cmap)# match access-list ICMPACL
Cisco Security Appliance Command Line Configuration Guide
43-4
Ping Failure Because of IP Addressing Problems
Ping
192.168.1.2
192.168.1.2
Host
Figure
43-4). In this case, the debug messages show that the ping was
Ping Failure Because the Security Appliance has no Return Route
Ping
Router
Chapter 43
Troubleshooting the Security Appliance
192.168.1.1
Security
Appliance
?
Security
Appliance
OL-12172-03
Advertisement
Table of Contents
Troubleshooting
