Testing Your Configuration

Making sure that the configuration you entered works is an important part of the
configuration process. At this point, you test basic connectivity from the inside interface out
to the other interfaces. Use the ping and debug commands to test your connectivity.

The ping command sends an Internet Control Message Protocol (ICMP) echo request
message to the target IP address and expects an ICMP echo reply. By default, the Security
Appliance denies all inbound traffic through the outside interface. Based on your network
security policy, you should consider configuring the Security Appliance to deny all ICMP
traffic to the outside interface, or any other interface you deem necessary, by entering the
icmp command. The icmp command controls ICMP traffic that terminates on the Security
Appliance. If no ICMP control list is configured, the Security Appliance accepts all ICMP
traffic that terminates at any interface (including the outside interface).

For example, when you first configure a PIX Firewall, it is a good idea to be able to ping
an interface and get a response. The following makes that possible for the outside interface:

icmp permit any any outside

The icmp permit any any outside command is used during the testing/debugging phase of
your configuration process. After you complete testing, make sure that you change it so that
the Security Appliance does not respond to ping requests. Leaving it set to accept and
respond to ICMP packets is a security risk.

After the icmp permit command has been configured, you can ping the outside interface on
your Cisco Security Appliance and ping from hosts on each firewall interface. For example:

ping outside 192.168.1.1

You also can monitor ping results by starting debug icmp trace. The debug command
displays messages that contain ICMP type values. Table 6-11 describes the icmp-type values
supported in version 7.0.

Table 6-11 icmp Type Values

Type Value   Description
0            Echo-reply
3            Unreachable
4            Source-quench
5            Redirect
6            Alternate-address
8            Echo
9            Router-advertisement
10           Router-solicitation
11           Time-exceeded
12           Parameter-problem
13           Timestamp-request
14           Timestamp-reply
15           Information-request
16           Information-reply
17           Mask-request
18           Mask-reply
31           Conversion-error
32           Mobile-redirect
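
A post-testing check for the caveat above, written as an added example (not code from the original text or from Cisco): it scans a saved configuration for icmp permit rules that still cover echo, and for interfaces that have no ICMP control list at all. It assumes rule lines have the shape of the page's command (action second, interface name last), uses the Table 6-11 values to recognize a type restriction, and does not evaluate rule order; the sample configuration and the dmz and inside interface names are constructed.

```python
import re

# Table 6-11 type values, lowercased for comparison.
ICMP_TYPES = {
    0: "echo-reply", 3: "unreachable", 4: "source-quench", 5: "redirect",
    6: "alternate-address", 8: "echo", 9: "router-advertisement",
    10: "router-solicitation", 11: "time-exceeded", 12: "parameter-problem",
    13: "timestamp-request", 14: "timestamp-reply", 15: "information-request",
    16: "information-reply", 17: "mask-request", 18: "mask-reply",
    31: "conversion-error", 32: "mobile-redirect",
}
NAMES = set(ICMP_TYPES.values())

# Assumed rule shape, after the page's command: action second, interface name last.
RULE = re.compile(r"^\s*icmp\s+(permit|deny)\s+(.+?)\s+(\S+)\s*$", re.I)


def icmp_type(tokens):
    """Return the ICMP type name a rule is limited to, or None if it covers all types."""
    last = tokens[-1].lower()
    if last.isdigit():
        return ICMP_TYPES.get(int(last), last)
    return last if last in NAMES else None


def audit_icmp(config_text, interfaces=("outside",)):
    """Return (interface, finding) pairs for ICMP that terminates on the appliance."""
    rules = {name: [] for name in interfaces}
    for line in config_text.splitlines():
        m = RULE.match(line)
        if m and m.group(3) in rules:
            rules[m.group(3)].append((m.group(1).lower(), m.group(2).split()))
    findings = []
    for name in interfaces:
        if not rules[name]:
            # Per the text: with no control list, all terminating ICMP is accepted.
            findings.append((name, "no ICMP control list: all ICMP accepted"))
        for action, tokens in rules[name]:
            if action == "permit" and icmp_type(tokens) in (None, "echo"):
                findings.append((name, "permits echo: icmp permit " + " ".join(tokens)))
    return findings


# Constructed sample configuration, not taken from a real device.
SAMPLE = """\
icmp permit any any outside
icmp deny any dmz
icmp permit 10.0.0.0 255.255.255.0 echo-reply dmz
"""
```

Calling audit_icmp(SAMPLE, ("outside", "dmz", "inside")) reports the leftover test rule on outside and the missing control list on inside, and reports nothing for dmz.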