12-27-2007 01:45 PM - edited 03-12-2019 05:55 PM
I'm new to Cisco and I have a Pix 501 running 6.3(5). I found I was unable to ping. So I did some research and found the document "Handling ICMP Pings and traceroute...", applied the access-list as recommended but it didn't appear to work. Then I found 'icmp permit any echo inside' and I thought it worked - I was able to ping.
Now, after playing with it a little more - trying to get the access-list... part working - I cannot get echoes at all. If anyone can offer some assistance, I could use some help.
Thanks,
Mike Trout
Here's the (hopefully) relevant parts of my config (full config attached). (10.254.254.132 is my workstation - I also want to be able to ping from anywhere in the 10.254.254.x subnet (inside) to outside)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list inside_outbound_nat0_acl permit ip any 10.254.254.240 255.255.255.240
access-list inside_outbound_nat0_acl permit ip 10.254.254.0 255.255.255.0 10.254.254.240 255.255.255.240
access-list inside_outbound_nat0_acl permit ip any 10.254.254.248 255.255.255.248
access-list outside_cryptomap_dyn_40 permit ip any 10.254.254.240 255.255.255.240
access-list NeumaTest1_splitTunnelAcl permit ip 10.254.254.0 255.255.255.0 any
access-list outside_cryptomap_dyn_60 permit ip any 10.254.254.240 255.255.255.240
access-list outside_cryptomap_dyn_80 permit ip any 10.254.254.248 255.255.255.248
access-list NeumaRemote_splitTunnelAcl permit ip 10.254.254.0 255.255.255.0 any
access-list Emergency_splitTunnelAcl permit ip 10.254.254.0 255.255.255.0 any
access-list 101 permit icmp any host 10.254.254.132 echo-reply
access-list 101 permit icmp any host 10.254.254.132 source-quench
access-list 101 permit icmp any host 10.254.254.132 unreachable
access-list 101 permit icmp any host 10.254.254.132 time-exceeded
pager lines 24
icmp permit any echo inside
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 10.254.254.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool Remote 10.254.254.241-10.254.254.250
ip local pool emergency 10.254.254.251-10.254.254.252
ip local pool Testing 10.254.254.253-10.254.254.254 mask 255.255.255.0
12-27-2007 02:55 PM
Mike, to allow any inside host to ping any host on the outside you have to do it the way the link explained it and apply the acl 101 to the outside interface.
e.g.
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-group 101 in interface outside
In fact you only need two lines, but try it either way; don't forget to apply acl 101 to the outside interface.
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-group 101 in interface outside
Rgds
Jorge
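To make the difference between the two versions of acl 101 concrete, here is an added example (my own code, not from Mike, Jorge or Cisco) that evaluates both ACLs statelessly, the way a PIX 6.3 outside-interface ACL is applied. It assumes that the inbound ACL on the outside interface is matched against the translated (PAT) address, so the echo-reply for a ping from 10.254.254.132 arrives addressed to the outside interface IP rather than to the inside host, which is why the host-specific entries never match; the addresses OUTSIDE_IF_IP, PINGED_HOST and 192.0.2.9 are constructed placeholders. It also shows the caveat of the two-line fix: because there is no ICMP state, an unsolicited echo-reply from outside passes the same rule, while inbound echo requests still hit the implicit deny.

```python
"""Stateless evaluation of a PIX 6.3-style ICMP ACL on the outside interface.

Added example, not code from the thread or from Cisco. Assumption: PIX 6.x
checks the inbound outside ACL against the translated (PAT) address, so the
reply to an inside ping is addressed to the outside interface IP, never to
10.254.254.132. Outside addresses below are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass

OUTSIDE_IF_IP = "203.0.113.10"   # constructed stand-in for the PPPoE outside address
PINGED_HOST = "198.51.100.7"     # constructed stand-in for the host being pinged

# Mike's original acl 101 from the thread: destination is the inside host.
ORIGINAL_ACL = """
access-list 101 permit icmp any host 10.254.254.132 echo-reply
access-list 101 permit icmp any host 10.254.254.132 source-quench
access-list 101 permit icmp any host 10.254.254.132 unreachable
access-list 101 permit icmp any host 10.254.254.132 time-exceeded
"""

# Jorge's two-line version.
FIXED_ACL = """
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
"""


@dataclass(frozen=True)
class IcmpPacket:
    src: str
    dst: str
    icmp_type: str          # e.g. "echo", "echo-reply", "time-exceeded"


@dataclass(frozen=True)
class AclEntry:
    action: str             # "permit" or "deny"
    src: str                # "any", "host A.B.C.D" or "A.B.C.D M.M.M.M"
    dst: str
    icmp_type: str


def _take_addr(tokens, i):
    """Consume one PIX address spec starting at tokens[i]."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return f"host {tokens[i + 1]}", i + 2
    return f"{tokens[i]} {tokens[i + 1]}", i + 2      # network + mask


def parse_acl(text):
    """Parse 'access-list <name> permit|deny icmp <src> <dst> <type>' lines."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "icmp":
            continue                        # skip non-ICMP or malformed lines
        src, i = _take_addr(t, 4)
        dst, i = _take_addr(t, i)
        entries.append(AclEntry(t[2], src, dst, t[i]))
    return entries


def _matches(spec, addr):
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == spec.split()[1]
    net, mask = spec.split()
    return ipaddress.ip_address(addr) in ipaddress.ip_network(f"{net}/{mask}", strict=False)


def acl_action(acl, pkt):
    """First matching entry wins; a PIX ACL ends with an implicit deny."""
    for e in acl:
        if _matches(e.src, pkt.src) and _matches(e.dst, pkt.dst) and e.icmp_type == pkt.icmp_type:
            return e.action
    return "deny"


def reply_after_pat(icmp_type):
    """ICMP message returning after 10.254.254.132 pinged PINGED_HOST.
    Under PAT its destination is the outside interface address (assumption)."""
    return IcmpPacket(src=PINGED_HOST, dst=OUTSIDE_IF_IP, icmp_type=icmp_type)


def evaluate(acl_text):
    """Outcome for the ping reply and for unsolicited messages from outside."""
    acl = parse_acl(acl_text)
    return {
        "ping_reply": acl_action(acl, reply_after_pat("echo-reply")),
        "traceroute_hop": acl_action(acl, reply_after_pat("time-exceeded")),
        # no ICMP state: a reply nobody asked for is judged by the same rule
        "unsolicited_reply": acl_action(acl, IcmpPacket("192.0.2.9", OUTSIDE_IF_IP, "echo-reply")),
        # inbound pings to the firewall still fall through to the implicit deny
        "inbound_ping": acl_action(acl, IcmpPacket("192.0.2.9", OUTSIDE_IF_IP, "echo")),
    }


if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        print(name, evaluate(text))
```

Running it prints the original ACL denying the ping reply and the fixed ACL permitting it, along with the unsolicited-reply result that shows what the `any any` entries let through. If you need the permit narrower, the address to name on the outside ACL is the translated one, not the inside host.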
12-27-2007 01:49 PM
Hi Mike
Try this
policy-map global_policy
class inspection_default
inspect icmp
Regards
12-27-2007 01:55 PM
Thanks for the incredibly quick reply.
Unfortunately those commands gave me an error - "Type help or '?' for a list of available commands.". I'm guessing they're Pix 7.x commands, and I can't upgrade to 7. I'm on 6.3(5).
Thanks,
Mike.
12-27-2007 03:15 PM
Jorge,
Thank you for replying. The 'any any' construction was listed for the 7.x version only, so I didn't try it. I tried to duplicate the construction for the 6.3 version and was unable to make it work. Also, I did have the access-group... command in the config, but (apparently) clipped it from the post. Of course, if the acl wasn't constructed right, it didn't matter...
Anyways, it appears to work now.
Oh, one more question - when I tracert somewhere (google.com, cisco.com, wherever...) from my workstation, the Pix is completely blank. When I tracert from my cheap linksys router at home, the internal lines are there - something like this:
Pix:
tracert google.com
tracing route to google.com [xx.x.x.x]
over a maximum of 30 hops:
1 8ms 8ms 7ms xxxx.xxxx.sbcglobal.net [x.x.x.x]
2 8ms 8ms 7ms xxx.xxxx.xxxx.sbcglobal.net [x.x.x.x]
3... (etc.)
but at home I get the first 1 or 2 being the inside interface, and (not there to test) maybe an outside interface as well - so the first line is always:
1 X ms X ms X ms 10.x.x.1 (the default gateway address).
Is that normal? Is there a reason it does that? (the pix that is).
Thanks again.
Mike.
12-27-2007 04:10 PM
This is normal behaviour in pix 6.x: when doing a traceroute the pix interface ip address will not show up in the traceroute, and it will appear as if one hop is missing in the traceroute output.
See this link for background on icmp and traceroute commands on 6.x and 7.x and the association of these commands with NAT and PAT.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
Rgds
Jorge