Pings OutboundThere are two options in PIX 7.x that allow inside users to ping hosts on the outside. The first option is to setup a specific rule for each type of echo message.
For example:
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-group 101 in interface outside
This allows only these return messages through the firewall when an inside user pings to an outside host. The other types of ICMP status messages might be hostile and the firewall blocks all other ICMP messages.
Another option is to configure ICMP inspection. This allows a trusted IP address to traverse the firewall and allows replies back to the trusted address only. This way, hosts on all inside interfaces can ping hosts on the outside and the firewall allows the replies to return. This also gives you the advantage of monitoring the ICMP traffic that traverses the firewall. In this example, icmp inspection is added to the default global inspection policy.
For example:
policy-map global_policy
class inspection_default
inspect icmp
from
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtmlhad to use (for now)
access-list outside_access_in permit icmp any any echo-reply
