RE: PiX Nat

From: Tony Schaffran (groupstudy@cconlinelabs.com)
Date: Sat May 07 2005 - 11:26:11 GMT-3


The way I understand it is that a ping is not an established session. The
echo-reply is not actually return traffic to your ping. The echo-reply is
an independent session originated by the device you just pinged.

That is why you need to specifically allow echo-reply to get successful
pings from the inside out.

Tony Schaffran
Network Analyst
CCIE #11071
CCNP, CCNA, CCDA,
NNCDS, NNCSS, CNE, MCSE
 
www.cconlinelabs.com
Your #1 choice for online Cisco rack rentals.
 

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Serge N'GBESSO
Sent: Saturday, May 07, 2005 7:19 AM
To: ccielab@groupstudy.com
Subject: PiX Nat

I want users on the inside to be able to ping outside through the pix:
<
nat (i) 1 0 0
global (o) interface
access-li INB permit icmp any any echo-reply
>
 
WHY do I need the access-li since the ASA should dynamically allow the return
traffic?

                



This archive was generated by hypermail 2.1.4 : Fri Jun 03 2005 - 10:11:57 GMT-3
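
The behaviour discussed in this thread, as an added example that is not from either poster and is not PIX code: a simplified Python model of a firewall that tracks TCP/UDP connections but handles ICMP statelessly. It ignores NAT, the class and function names are hypothetical, and the addresses are constructed. It also shows that a "permit icmp any any echo-reply" entry admits echo-replies from any host, not only from hosts that were pinged.

```python
# Simplified model (added example, not PIX code): the firewall keeps a
# connection table for TCP/UDP, but treats ICMP statelessly, so an inbound
# echo-reply is judged only by the ACL bound to the outside interface.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0       # unused for ICMP
    dport: int = 0
    icmp_type: str = ""  # "echo" or "echo-reply"

class Firewall:
    def __init__(self, outside_acl=()):
        self.outside_acl = list(outside_acl)  # permitted ICMP types, e.g. ["echo-reply"]
        self.conns = set()                    # state is kept for TCP/UDP only

    def outbound(self, p):
        """Inside -> outside is allowed; only TCP/UDP create state."""
        if p.proto in ("tcp", "udp"):
            self.conns.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return True

    def inbound(self, p):
        """Outside -> inside: permit tracked return traffic, else consult the ACL."""
        if p.proto in ("tcp", "udp"):
            return (p.proto, p.dst, p.dport, p.src, p.sport) in self.conns
        return p.proto == "icmp" and p.icmp_type in self.outside_acl

# Constructed sample addresses (RFC 5737 documentation ranges).
INSIDE, SERVER, OTHER = "192.0.2.10", "198.51.100.5", "203.0.113.9"

def ping_succeeds(fw, target=SERVER):
    fw.outbound(Packet("icmp", INSIDE, target, icmp_type="echo"))
    return fw.inbound(Packet("icmp", target, INSIDE, icmp_type="echo-reply"))

def tcp_reply_passes(fw):
    fw.outbound(Packet("tcp", INSIDE, SERVER, 40000, 80))
    return fw.inbound(Packet("tcp", SERVER, INSIDE, 80, 40000))

def unsolicited_reply_passes(fw):
    # No echo was ever sent to OTHER; only the ACL decides.
    return fw.inbound(Packet("icmp", OTHER, INSIDE, icmp_type="echo-reply"))

if __name__ == "__main__":
    for name, fw in (("no ACL", Firewall()), ("echo-reply ACL", Firewall(["echo-reply"]))):
        print(name, ping_succeeds(fw), tcp_reply_passes(fw), unsolicited_reply_passes(fw))
```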