Pix 501 ping issue and irregularity

Answered Question

I'm new to Cisco and I have a Pix 501 running 6.3(5). I found I was unable to ping. So I did some research and found the document "Handling ICMP Pings and traceroute...", applied the access-list as recommended but it didn't appear to work. Then I found 'icmp permit any echo inside' and I thought it worked - I was able to ping.

Now after playing with it a little more - trying to get the access-list... part working, I cannot get echos at all. If anyone can offer some assistance, I could use some help.


Thanks,

Mike Trout


Here are the (hopefully) relevant parts of my config (full config attached). (10.254.254.132 is my workstation. I also want to be able to ping from anywhere in the 10.254.254.x subnet (inside) to outside.)


interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list inside_outbound_nat0_acl permit ip any 10.254.254.240 255.255.255.240
access-list inside_outbound_nat0_acl permit ip 10.254.254.0 255.255.255.0 10.254.254.240 255.255.255.240
access-list inside_outbound_nat0_acl permit ip any 10.254.254.248 255.255.255.248
access-list outside_cryptomap_dyn_40 permit ip any 10.254.254.240 255.255.255.240
access-list NeumaTest1_splitTunnelAcl permit ip 10.254.254.0 255.255.255.0 any
access-list outside_cryptomap_dyn_60 permit ip any 10.254.254.240 255.255.255.240
access-list outside_cryptomap_dyn_80 permit ip any 10.254.254.248 255.255.255.248
access-list NeumaRemote_splitTunnelAcl permit ip 10.254.254.0 255.255.255.0 any
access-list Emergency_splitTunnelAcl permit ip 10.254.254.0 255.255.255.0 any
access-list 101 permit icmp any host 10.254.254.132 echo-reply
access-list 101 permit icmp any host 10.254.254.132 source-quench
access-list 101 permit icmp any host 10.254.254.132 unreachable
access-list 101 permit icmp any host 10.254.254.132 time-exceeded
pager lines 24
icmp permit any echo inside
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 10.254.254.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool Remote 10.254.254.241-10.254.254.250
ip local pool emergency 10.254.254.251-10.254.254.252
ip local pool Testing 10.254.254.253-10.254.254.254 mask 255.255.255.0





husycisco Thu, 12/27/2007 - 13:49

Hi Mike

Try this


policy-map global_policy
class inspection_default
inspect icmp



Regards


Correct Answer
JORGE RODRIGUEZ Thu, 12/27/2007 - 14:55

Mike, to allow any inside host to ping any host on the outside, you have to do it the way the link explained it and apply ACL 101 to the outside interface.


e.g


access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-group 101 in interface outside


In fact you only need two lines, but try it either way; just don't forget to apply ACL 101 to the outside interface.



access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-group 101 in interface outside



Rgds

Jorge
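What the two-entry ACL in this answer actually decides, and how it differs from the stateful `inspect icmp` approach suggested in the earlier reply, as an added example that is not from this thread or from Cisco. It is a small Python model of stateless ICMP filtering on the outside interface beside a stateful echo/echo-reply tracker; all addresses (203.0.113.10 as the external target, 198.51.100.1 as a transit router), rules and probe identifiers are constructed for illustration. One point worth keeping in mind when reading the original config: the `icmp permit any echo inside` line governs ICMP addressed to the PIX's own inside interface, not ICMP passing through the firewall, which is why it cannot by itself let replies from outside reach inside hosts.

```python
"""Model of how a PIX-style ACL on the outside interface decides which inbound
ICMP messages reach inside hosts, beside a stateful ICMP inspection model.
Added example for this thread; not code from the forum or from Cisco. All
addresses, rules and probe identifiers are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# ICMP type keywords as used in PIX ACL syntax, mapped to ICMP type numbers.
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "source-quench": 4,
              "echo": 8, "time-exceeded": 11}


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    icmp_type: Optional[int]        # None matches any ICMP type


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    icmp_type: int
    ident: int = 0                  # echo identifier (used by the stateful model)
    seq: int = 0                    # echo sequence number


def parse_rule(line: str) -> Rule:
    """Parse 'access-list NAME permit icmp SRC DST [TYPE]' where SRC/DST are
    'any', 'host A.B.C.D' or 'A.B.C.D MASK'. Only the icmp form is handled."""
    tok = line.split()
    if tok[:1] != ["access-list"] or len(tok) < 6 or tok[3] != "icmp":
        raise ValueError(f"unsupported rule: {line}")
    pos, nets = 4, []
    for _ in range(2):
        if tok[pos] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0")); pos += 1
        elif tok[pos] == "host":
            nets.append(ipaddress.ip_network(tok[pos + 1] + "/32")); pos += 2
        else:
            nets.append(ipaddress.ip_network(f"{tok[pos]}/{tok[pos + 1]}")); pos += 2
    icmp_type = ICMP_TYPES[tok[pos]] if pos < len(tok) else None
    return Rule(tok[2], nets[0], nets[1], icmp_type)


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """Stateless evaluation: first matching entry wins, implicit deny at the end."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for r in acl:
        if s in r.src and d in r.dst and r.icmp_type in (None, pkt.icmp_type):
            return r.action
    return "deny"


# The two-entry ACL from the accepted answer, applied inbound on outside.
MINIMAL_ACL = [parse_rule(l) for l in (
    "access-list 101 permit icmp any any echo-reply",
    "access-list 101 permit icmp any any time-exceeded",
)]


def ping_reply_allowed(acl, inside_host="10.254.254.132", target="203.0.113.10"):
    """The outbound echo is not checked by the outside-inbound ACL; the reply
    arriving on outside is, so it must be listed explicitly."""
    return evaluate(acl, Packet(target, inside_host, ICMP_TYPES["echo-reply"]))


def traceroute_hop_allowed(acl, inside_host="10.254.254.132", hop="198.51.100.1"):
    """Each expired traceroute probe comes back as time-exceeded from the router
    where its TTL ran out, so that type must pass the inbound ACL as well."""
    return evaluate(acl, Packet(hop, inside_host, ICMP_TYPES["time-exceeded"]))


class IcmpInspection:
    """Stateful alternative (the 'inspect icmp' idea): a reply is let back in
    only if a matching echo request was seen leaving. Only echo/echo-reply
    pairing is modelled here, not ICMP error messages."""

    def __init__(self):
        self.pending = set()

    def outbound(self, pkt: Packet) -> None:
        if pkt.icmp_type == ICMP_TYPES["echo"]:
            # Store the tuple as the expected reply will present it.
            self.pending.add((pkt.dst, pkt.src, pkt.ident, pkt.seq))

    def inbound(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.dst, pkt.ident, pkt.seq)
        if pkt.icmp_type == ICMP_TYPES["echo-reply"] and key in self.pending:
            self.pending.discard(key)
            return "permit"
        return "deny"
```

With an empty ACL the echo-reply is dropped by the implicit deny, which is the symptom described in the question; with the two-entry ACL both ping replies and traceroute's time-exceeded messages get through, while an unsolicited echo from outside is still denied because only reply types are listed. The stateful model shows why `inspect icmp` needs no such entries: it admits only replies that match a request it saw leave.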

Jorge,


Thank you for replying. The 'any any' construction was listed for the 7.x version only, so I didn't try it. I tried to duplicate the construction for the 6.3 version and was unable to make it work. Also, I did have the access-group... command in the config, but (apparently) clipped it from the post. Of course, if the acl wasn't constructed right, it didn't matter...


Anyways, it appears to work now.


Oh, one more question - when I tracert somewhere (google.com, cisco.com, wherever...) from my workstation, the Pix is completely blank. When I tracert from my cheap linksys router at home, the internal lines are there - something like this:


Pix:


tracert google.com

tracing route to google.com [xx.x.x.x]
over a maximum of 30 hops:

1 8ms 8ms 7ms xxxx.xxxx.sbcglobal.net [x.x.x.x]
2 8ms 8ms 7ms xxx.xxxx.xxxx.sbcglobal.net [x.x.x.x]
3... (etc.)


but at home I get the first 1 or 2 being the inside interface, and (not there to test) maybe an outside interface as well - so the first line is always:


1 X ms X ms X ms 10.x.x.1 (the default gateway address).


Is that normal? Is there a reason it does that? (the pix that is).


Thanks again.


Mike.

JORGE RODRIGUEZ Thu, 12/27/2007 - 16:10

This is normal behaviour in PIX 6.x: when doing a traceroute, the PIX interface IP address will not show up in the traceroute, and it will appear as if one hop is missing in the traceroute output.


See this link for background on the icmp and traceroute commands on 6.x and 7.x and the association of these commands with NAT and PAT.


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml


Rgds

Jorge
