Pix 506E Allowing ping (ICMP) replies

Answered Question

Lo all,


Having trouble with a PIX 506E 6.3(5), I am trying to get ping and tracert working from clients within my network.


I have added the following lines to my pix config:


!--- Create an access list to allow pings out

access-list ping_acl permit icmp any host 217.34.xxx.xxx echo-reply

access-list ping_acl permit icmp any host 217.34.xxx.xxx time-exceeded

access-list ping_acl permit icmp any host 217.34.xxx.xxx unreachable


access-group ping_acl in interface outside


But still no joy; any ideas would be much appreciated.

Correct Answer by Jon Marshall about 9 years 8 months ago

Paul


You cannot apply two access-lists to the same interface in the same direction, i.e.


access-group ping_acl in interface outside

access-group inbound in interface outside


You need to combine your two access-lists, i.e. ping_acl and inbound, into one access-list and apply this to the interface.


At the moment the only access-list applied to your outside interface is the inbound access-list which has no entries for icmp.


HTH


Jon
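As an added example that is not part of the thread and not Cisco's own tooling: a small Python audit script that parses the access-list and access-group lines from Paul's posted config, flags the two access-groups bound to the same interface in the same direction, reports which one is actually in effect (the thread states only inbound is), and prints the single merged access-list Jon recommends with exactly one access-group. The sample config lines are copied from the thread with the masked 217.34.xxx.xxx address left as-is; the merged ACL name outside_in is an assumed name, not from the page.

```python
"""Added example (not from the thread): audit a PIX 6.x-style config for the
mistake discussed above, then emit the merged access-list Jon recommends."""
import re
from collections import OrderedDict

# Constructed sample: the relevant lines from Paul's posted config, with the
# same masked 217.34.xxx.xxx address kept as a placeholder.
SAMPLE_CONFIG = """\
access-list ping_acl permit icmp any host 217.34.xxx.xxx echo-reply
access-list ping_acl permit icmp any host 217.34.xxx.xxx time-exceeded
access-list ping_acl permit icmp any host 217.34.xxx.xxx unreachable
access-list inbound permit tcp any host 217.34.xxx.xxx eq ftp
access-list inbound permit tcp any host 217.34.xxx.xxx eq http
access-list inbound permit tcp any host 217.34.xxx.xxx eq https
access-group ping_acl in interface outside
access-group inbound in interface outside
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(.*)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)$")


def parse_config(text):
    """Return (acls, bindings): ACL name -> list of entries, and the ordered
    list of (acl_name, direction, interface) access-group bindings."""
    acls = OrderedDict()
    bindings = []
    for line in text.splitlines():
        line = line.strip()
        m = ACL_RE.match(line)
        if m:
            acls.setdefault(m.group(1), []).append(m.group(2))
            continue
        m = GROUP_RE.match(line)
        if m:
            bindings.append((m.group(1), m.group(2), m.group(3)))
    return acls, bindings


def find_conflicts(bindings):
    """Group bindings by (interface, direction). A slot with more than one ACL
    is the problem from the thread: only one access-group is active per
    interface and direction, so the others are silently not applied."""
    slots = OrderedDict()
    for acl, direction, iface in bindings:
        slots.setdefault((iface, direction), []).append(acl)
    return {slot: names for slot, names in slots.items() if len(names) > 1}


def effective_acl(bindings, iface, direction):
    """The ACL that ends up applied: the last access-group for the slot wins,
    which matches Jon's observation that only 'inbound' was in effect."""
    names = [a for a, d, i in bindings if (i, d) == (iface, direction)]
    return names[-1] if names else None


def merge_acls(acls, names, merged_name):
    """Build the single combined ACL Jon suggests, keeping the order of the
    source ACLs and their entries (order matters once entries overlap, and
    the implicit deny at the end still applies). Returns config lines."""
    lines = []
    for name in names:
        for entry in acls[name]:
            lines.append(f"access-list {merged_name} {entry}")
    return lines


def fixed_config(text, merged_name="outside_in"):
    """Rewrite the config: merge every conflicting slot into one ACL (name is
    an assumption) and emit exactly one access-group per slot."""
    acls, bindings = parse_config(text)
    conflicts = find_conflicts(bindings)
    out, seen = [], set()
    for acl, direction, iface in bindings:
        slot = (iface, direction)
        if slot in seen:
            continue
        seen.add(slot)
        if slot in conflicts:
            out += merge_acls(acls, conflicts[slot], merged_name)
            out.append(f"access-group {merged_name} {direction} interface {iface}")
        else:
            out += [f"access-list {acl} {e}" for e in acls[acl]]
            out.append(f"access-group {acl} {direction} interface {iface}")
    return out


if __name__ == "__main__":
    _, b = parse_config(SAMPLE_CONFIG)
    for (iface, d), names in find_conflicts(b).items():
        print(f"{iface}/{d}: {len(names)} access-groups ({', '.join(names)}); "
              f"only '{effective_acl(b, iface, d)}' is in effect")
    print("\n".join(fixed_config(SAMPLE_CONFIG)))
```

Running it prints the conflict on outside/in and then six access-list lines under outside_in followed by one access-group line. The merged ACL still ends in the implicit deny, so anything not listed (including ICMP echo requests from the Internet) stays blocked; the echo-reply, time-exceeded and unreachable entries only admit the replies to pings and traceroutes that inside hosts send out.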

Jon Marshall Mon, 08/06/2007 - 02:47

Hi Paul


I'm a little unclear as to what you are trying to achieve. If you want to allow your clients to ping out, why are you applying this access-list on the outside interface?


What are the source addresses of your clients and what are the destination addresses you want to ping?


Jon

Jon Marshall Mon, 08/06/2007 - 03:21

Paul


Okay, makes a bit more sense, I think.


I'm assuming you are NATting all your inside hosts to 217.34.x.x?


Do you have an access-list applied to your inside interface?


Perhaps you could send the whole config of the PIX, minus any sensitive information.


Jon




Hi Jon,


Very new to PIX, so this is my working config for the network that I have managed to piece together:


nameif ethernet0 outside security0

nameif ethernet1 inside security100


interface ethernet0 100full

interface ethernet1 100full


ip address outside 217.34.xxx.xxx 255.255.255.240

ip address inside 10.1.1.1 255.0.0.0


route outside 0.0.0.0 0.0.0.0 217.34.xxx.xxx 1


nat (inside) 1 10.0.0.0 255.0.0.0 0 0

global (outside) 1 interface


static (inside,outside) tcp 217.34.xxx.xxx ftp 10.1.2.150 ftp

static (inside,outside) tcp 217.34.xxx.xxx http 10.1.1.3 http

static (inside,outside) tcp 217.34.xxx.xxx https 10.1.1.3 https


!--- Create an access list to allow pings out

access-list ping_acl permit icmp any host 217.34.xxx.xxx echo-reply

access-list ping_acl permit icmp any host 217.34.xxx.xxx time-exceeded

access-list ping_acl permit icmp any host 217.34.xxx.xxx unreachable


access-list inbound permit tcp any host 217.34.xxx.xxx eq ftp

access-list inbound permit tcp any host 217.34.xxx.xxx eq http

access-list inbound permit tcp any host 217.34.xxx.xxx eq https


access-group ping_acl in interface outside

access-group inbound in interface outside


no fixup protocol ftp 21

no fixup protocol dns


!--- Enable logging

logging on

logging trap 4

logging host 10.1.1.3


telnet 10.0.0.0 255.0.0.0 inside

telnet 192.168.50.0 255.255.255.0 inside


http server enable

http 10.0.0.0 255.0.0.0 inside

pdm history enable


!--- SSH for use with Putty

aaa authentication ssh console LOCAL

ssh 192.168.1.0 255.255.255.0 inside

ssh timeout 5


!--- Firewall details and passwords

hostname FIREWALL

domain-name C2.local

en pass xxxxxxxxx

pass xxxxxxxxxxx


ip local pool VPN_Pool 192.168.50.1-192.168.50.254

access-list 101 permit ip 10.0.0.0 255.0.0.0 192.168.50.0 255.255.255.0

nat (inside) 0 access-list 101



!--- For Cisco VPN Client

sysopt connection permit-ipsec

crypto ipsec transform-set VPN_Trans esp-aes-256 esp-md5-hmac

crypto dynamic-map VPN_Dyn 10 set transform-set VPN_Trans

crypto map VPN_Crypto 10 ipsec-isakmp dynamic VPN_Dyn

crypto map VPN_Crypto interface outside

isakmp enable outside

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption aes-256

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup C2_xxxxxxxx address-pool VPN_Pool

vpngroup C2_xxxxxxxx idle-time 1800

vpngroup C2_xxxxxxxx password xxxxxxxxxxxx

vpngroup C2_xxxxxxxx wins-server 10.1.1.3

vpngroup C2_xxxxxxxx dns-server 10.1.1.3

vpngroup C2_xxxxxxxx default-domain c2.local

isakmp nat-traversal 20



Jon Marshall Mon, 08/06/2007 - 04:21

Paul


Glad to be of help and many thanks for using the rating system.


Jon
