
Cannot Ping My External IP's Inside a PIX Firewall


D.O

May 16, 2003, 9:34:11 AM
Hello,

how can I ping my external DNS inside the firewall? I
have no problem outside. What do I have to do?

Thanks,

David

Herb Martin

May 16, 2003, 10:20:29 AM
> how can I ping my external DNS inside the firewall? I
> have no problem outside. What do I have to do?

Many 'firewalls' don't allow the ICMP protocol (used by
ping and tracert) so if you want to check a DNS server
use NSLookup (it's built in) or another tool that queries
DNS directly.

nmap is also worth having http://www.insecure.org as it
can find all sorts of ways to do 'sneaky' substitutes for
ping.

Another advantage of using NSLookup with a DNS server
is that you prove not only is the MACHINE alive but the
DNS server is able to answer.


Herb Martin
He...@LearnQuick.Com
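
The check suggested in the reply above (query the DNS service itself rather than relying on ICMP), written out in Python as an added example that is not part of the original thread. The server name `ns1.example.com`, the address `192.0.2.53` and the sample reply are constructed for illustration; `probe()` sends one UDP query to port 53 and distinguishes "no reply" from "the DNS service answered".

```python
import secrets
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, txid, qtype=1):
    """Encode a recursive DNS query for name (QTYPE 1 = A, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_reply(data, txid):
    """Return (rcode name, answer count); raise ValueError for a bogus reply."""
    if len(data) < 12:
        raise ValueError("short DNS header")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit clear, not a response")
    return RCODES.get(flags & 0xF, "RCODE%d" % (flags & 0xF)), ancount

def probe(server, name, timeout=3.0):
    """Send one UDP query to server port 53 and classify the outcome."""
    txid = secrets.randbelow(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name, txid), (server, 53))
            data, _ = s.recvfrom(512)
            rcode, answers = parse_reply(data, txid)
        except socket.timeout:
            return "no reply: host down or UDP/53 filtered"
        except (OSError, ValueError) as exc:
            return "probe failed: %s" % exc
    return "DNS service answered: %s, %d answer(s)" % (rcode, answers)

# Constructed sample reply (not captured traffic): NOERROR with one A record.
SAMPLE_TXID = 0x1A2B
SAMPLE_REPLY = (
    struct.pack("!HHHHHH", SAMPLE_TXID, 0x8180, 1, 1, 0, 0)
    + build_query("ns1.example.com", SAMPLE_TXID)[12:]           # echoed question
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 53])
)

if __name__ == "__main__":
    print(parse_reply(SAMPLE_REPLY, SAMPLE_TXID))  # offline check on the sample
```

A timeout from `probe()` only says that no UDP reply came back; a `SERVFAIL` or `REFUSED` result shows the host is reachable but the DNS service is not answering usefully, which a successful ping cannot tell you.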


Kevin D. Goodknecht Sr.

May 16, 2003, 10:22:11 AM
David,
Your question is unclear.

> how can I ping my external DNS inside the firewall?
Are you trying to ping by name or IP address? This may be a firewall issue,
too. Do you have the ability to ping from inside the firewall?
You can disable pinging from the inside out or the outside in with most
firewalls.
Are you able to ping the private address that DNS listens on?

--
Kevin D4 Dad Goodknecht Sr.
--
HTH
++++++++++++++++++++++++++++++++++++++++++
Post back your results so everyone is assisted
==========================================
http://www.lonestaramerica.com/
==========================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
==========================================

In news:0af801c31baf$d5e50a50$a501...@phx.gbl,
D.O <gran...@yahoo.com> posted :

Sidney Marques

May 18, 2003, 12:06:56 AM
David-
Just put a new rule (access-list) in your PIX that allows icmp both ways. I
wouldn't recommend leaving this open. Just use it for testing, etc.. Hope
this helps.

Sidney Marques

"D.O" <gran...@yahoo.com> wrote in message
news:0af801c31baf$d5e50a50$a501...@phx.gbl...

Ace Fekay [MVP]

May 20, 2003, 7:27:21 PM
In news:0af801c31baf$d5e50a50$a501...@phx.gbl,
D.O <gran...@yahoo.com> posted his concerns then I replied down below:

Yes, this is unclear.
Are you trying to ping the external interface address of your PIX? If so,
it's a NAT limitation that NAT (PIX in this case) cannot respond to a
request from the internal interface to its own external interface.

If this is not the scenario, please elaborate to better help out.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
--
=================================


William Stacey [MVP]

May 20, 2003, 10:31:27 PM
I agree with Ace :-)

--
William Stacey, DNS MVP


"Ace Fekay [MVP]" <PleaseSubstituteMyFirstName&LastNa...@hotmail.com>
wrote in message news:%234yg3dy...@tk2msftngp13.phx.gbl...

Ace Fekay [MVP]

May 20, 2003, 11:24:34 PM
In news:OVQr1B0H...@TK2MSFTNGP10.phx.gbl,
William Stacey [MVP] <sta...@mvps.org> posted his concerns then I replied
down below:

> I agree with Ace :-)
>
> --
> William Stacey, DNS MVP
>

Thanks William. :-)

I've seen this to be a common problem of "why can't it work?" Unfortunate
for NAT to have this limitation, but then NAT wouldn't be able to do its
function properly otherwise. Hence the need for two nameservers in such a
scheme. That is if this is the scenario D.O. is talking about.
