08-06-2007 01:41 AM - edited 03-11-2019 03:53 AM
Lo all,
Having trouble with a PIX 506E 6.3(5), I am trying to get ping and tracert working from clients within my network.
I have added the following lines to my pix config:
!--- Create an access list to allow pings out
access-list ping_acl permit icmp any host 217.34.xxx.xxx echo-reply
access-list ping_acl permit icmp any host 217.34.xxx.xxx time-exceeded
access-list ping_acl permit icmp any host 217.34.xxx.xxx unreachable
access-group ping_acl in interface outside
But still no joy, any ideas would be much appreciated
08-06-2007 02:47 AM
Hi Paul
I'm a little unclear as to what you are trying to achieve. If you want to allow your clients to ping out, why are you applying this access-list on the outside interface?
What are the source addresses of your clients and what are the destination addresses you want to ping?
Jon
08-06-2007 02:55 AM
Hi Jon,
I am trying to follow:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
I am trying to allow all clients on the internal network to be able to ping / tracert any public IP address.
My clients are on a 10.1.2.x/8 range
08-06-2007 03:21 AM
Paul
Okay, makes a bit more sense I think.
I'm assuming you are NATting all your inside hosts to 217.34.x.x?
Do you have an access-list applied to your inside interface ?
Perhaps you could send whole config of pix minus any sensitive information.
Jon
08-06-2007 03:32 AM
Hi Jon,
Very new to PIXs, so this is my working config for the network that I have managed to piece together:
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 100full
interface ethernet1 100full
ip address outside 217.34.xxx.xxx 255.255.255.240
ip address inside 10.1.1.1 255.0.0.0
route outside 0.0.0.0 0.0.0.0 217.34.xxx.xxx 1
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
global (outside) 1 interface
static (inside,outside) tcp 217.34.xxx.xxx ftp 10.1.2.150 ftp
static (inside,outside) tcp 217.34.xxx.xxx http 10.1.1.3 http
static (inside,outside) tcp 217.34.xxx.xxx https 10.1.1.3 https
!--- Create an access list to allow pings out
access-list ping_acl permit icmp any host 217.34.xxx.xxx echo-reply
access-list ping_acl permit icmp any host 217.34.xxx.xxx time-exceeded
access-list ping_acl permit icmp any host 217.34.xxx.xxx unreachable
access-list inbound permit tcp any host 217.34.xxx.xxx eq ftp
access-list inbound permit tcp any host 217.34.xxx.xxx eq http
access-list inbound permit tcp any host 217.34.xxx.xxx eq https
access-group ping_acl in interface outside
access-group inbound in interface outside
no fixup protocol ftp 21
no fixup protocol dns
!--- Enable logging
logging on
logging trap 4
logging host 10.1.1.3
telnet 10.0.0.0 255.0.0.0 inside
telnet 192.168.50.0 255.255.255.0 inside
http server enable
http 10.0.0.0 255.0.0.0 inside
pdm history enable
!--- SSH for use with Putty
aaa authentication ssh console LOCAL
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
!--- Firewall details and passwords
hostname FIREWALL
domain-name C2.local
en pass xxxxxxxxx
pass xxxxxxxxxxx
ip local pool VPN_Pool 192.168.50.1-192.168.50.254
access-list 101 permit ip 10.0.0.0 255.0.0.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list 101
!--- For Cisco VPN Client
sysopt connection permit-ipsec
crypto ipsec transform-set VPN_Trans esp-aes-256 esp-md5-hmac
crypto dynamic-map VPN_Dyn 10 set transform-set VPN_Trans
crypto map VPN_Crypto 10 ipsec-isakmp dynamic VPN_Dyn
crypto map VPN_Crypto interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup C2_xxxxxxxx address-pool VPN_Pool
vpngroup C2_xxxxxxxx idle-time 1800
vpngroup C2_xxxxxxxx password xxxxxxxxxxxx
vpngroup C2_xxxxxxxx wins-server 10.1.1.3
vpngroup C2_xxxxxxxx dns-server 10.1.1.3
vpngroup C2_xxxxxxxx default-domain c2.local
isakmp nat-traversal 20
08-06-2007 04:10 AM
Paul
You cannot apply two access-lists to the same interface in the same direction, i.e.
access-group ping_acl in interface outside
access-group inbound in interface outside
You need to combine your two access-lists, i.e. ping_acl and inbound, into one access-list and apply this to the interface.
At the moment the only access-list applied to your outside interface is the inbound access-list which has no entries for icmp.
HTH
Jon
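The merge Jon describes, written out as an added example rather than config taken from the thread. It assumes Paul's posted config as the starting point (the 217.34.xxx.xxx placeholder stands in for his outside address) and takes the smallest change: the three ICMP lines are appended to the list that is already bound to the outside interface, and the unbound ping_acl is deleted so it cannot be re-applied by mistake. Because this is a plain ACL, the permitted ICMP types are accepted from any source at any time, not only as replies to probes from inside; that is why the list carries only echo-reply, time-exceeded and unreachable (what ping and tracert need to see coming back) and no plain echo, so the outside address stays unpingable from the Internet.

```cisco
! Added example: fold the ICMP entries into the list already bound
! inbound on the outside interface (Paul's "inbound" list).
! Existing published services stay as they were.
access-list inbound permit tcp any host 217.34.xxx.xxx eq ftp
access-list inbound permit tcp any host 217.34.xxx.xxx eq http
access-list inbound permit tcp any host 217.34.xxx.xxx eq https
! Return traffic for ping (echo-reply), tracert hops (time-exceeded)
! and destination/port errors (unreachable). No "echo", so outside
! hosts still cannot ping the firewall's public address.
access-list inbound permit icmp any host 217.34.xxx.xxx echo-reply
access-list inbound permit icmp any host 217.34.xxx.xxx time-exceeded
access-list inbound permit icmp any host 217.34.xxx.xxx unreachable
! One access-group per interface and direction; this is the only binding.
access-group inbound in interface outside
! Drop the separate list so it is not bound again later and does not
! silently replace "inbound" (which is what happened in the thread).
no access-list ping_acl
! Check: exactly one list should be shown for "outside" inbound.
show access-group
show access-list inbound
write memory
```

After this, a ping from an inside host traverses NAT to the outside address, and the echo-reply back to 217.34.xxx.xxx is matched by the bound list; a tracert works the same way via the time-exceeded entries from each hop.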
08-06-2007 04:17 AM
You learn something new every day:)
Thanks for that Jon, works a treat; thought I was being tidy keeping them apart.
08-06-2007 04:21 AM
Paul
Glad to be of help and many thanks for using the rating system.
Jon