PPPoE & ICMP

Unanswered Question
Feb 24th, 2008

Cisco PIX Firewall Version 6.3


My PIX was working just fine until I enabled PPPoE. Now that I've enabled PPPoE, I can no longer ping out. Now when I ping out, I don't get responses back.


I tried disabling ip audit, permit icmp any any, I even tried permit ip any any, and that didn't work.



Here is my outbound ping request:



C:\>ping www.yahoo.com


Pinging www.yahoo-ht3.akadns.net [209.131.36.158] with 32 bytes of data:

Request timed out.

Request timed out.

Request timed out.

Request timed out.

Ping statistics for 209.131.36.158:

Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)




Here is the same request from the PIX:


# ping outside 209.131.36.158

209.131.36.158 response received -- 20ms

209.131.36.158 response received -- 10ms

209.131.36.158 response received -- 10ms





And here is debug on the outside interface. It shows ping replies to the correct interface IP address.


# debug icmp trace

ICMP trace on

Warning: this may cause problems on busy networks

1: ICMP echo-request from inside:192.168.254.100 to 209.131.36.158 ID=512 seq=54784 length=40

2: ICMP echo-request: translating inside:192.168.254.100/512 to outside:74.2.65.94/5

3: ICMP echo-reply from outside:209.131.36.158 to 74.2.65.94 ID=5 seq=54784 length=40


4: ICMP echo-request from inside:192.168.254.100 to 209.131.36.158 ID=512 seq=55040 length=40

5: ICMP echo-request: translating inside:192.168.254.100/512 to outside:74.2.65.94/5

6: ICMP echo-reply from outside:209.131.36.158 to 74.2.65.94 ID=5 seq=55040 length=40


7: ICMP echo-request from inside:192.168.254.100 to 209.131.36.158 ID=512 seq=55296 length=40

8: ICMP echo-request: translating inside:192.168.254.100/512 to outside:74.2.65.94/5

9: ICMP echo-reply from outside:209.131.36.158 to 74.2.65.94 ID=5 seq=55296 length=40


10: ICMP echo-request from inside:192.168.254.100 to 209.131.36.158 ID=512 seq=55552 length=40

11: ICMP echo-request: translating inside:192.168.254.100/512 to outside:74.2.65.94/5

12: ICMP echo-reply from outside:209.131.36.158 to 74.2.65.94 ID=5 seq=55552 length=40



My ACLs:


access-list PUBLICHOSTS permit icmp any any echo-reply

icmp permit any echo-reply outside




My PPPoE config:


ip address outside pppoe setroute

vpdn group pppoex request dialout pppoe

vpdn group pppoex localname [MYPPPOEUSERNAME]

vpdn group pppoex ppp authentication pap

vpdn username [MYPPPOEUSERNAME] password *********



Is there something about PPPoE that could break ICMP replies?


My sanitized config is attached.

Thanks for your time!









r-lemaster Mon, 02/25/2008 - 08:43

It looks like I forgot to apply my ACL to the interface that permitted ICMP in.


After applying the ACL, I can ping out again.


DUH.
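
The mistake described in the reply, as an added example that is not part of the original thread: a Python check that reads a PIX 6.x configuration and flags any access-list that is defined but never applied to an interface with an access-group command. The sample config is constructed from the commands quoted in the question; the NONAT list, its nat line and the function name are assumptions for illustration.

```python
import re

# Constructed sample modelled on the commands quoted in the post; the
# NONAT list and its nat line are assumptions added for illustration.
SAMPLE_CONFIG = """\
access-list PUBLICHOSTS permit icmp any any echo-reply
access-list NONAT permit ip 192.168.254.0 255.255.255.0 10.0.0.0 255.0.0.0
icmp permit any echo-reply outside
nat (inside) 0 access-list NONAT
ip address outside pppoe setroute
"""

ACL_DEF = re.compile(r"^access-list\s+(\S+)\s+(?:permit|deny|remark)\b", re.M)
ACL_BIND = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)", re.M)


def audit_acl_bindings(config: str) -> dict:
    """Map each defined ACL to how (or whether) the config uses it."""
    defined = list(dict.fromkeys(ACL_DEF.findall(config)))
    bound = {name: ifc for name, ifc in ACL_BIND.findall(config)}
    report = {}
    for name in defined:
        if name in bound:
            report[name] = f"filters traffic entering {bound[name]}"
            continue
        # Other commands (nat 0, crypto map match address, ...) can
        # reference an ACL without it filtering any interface.
        ref = re.compile(rf"^(?!access-list\s).*\b{re.escape(name)}\b", re.M)
        used = ref.search(config)
        report[name] = (f"referenced by '{used.group(0).strip()}' only"
                        if used else "UNBOUND: no access-group applies it")
    return report


if __name__ == "__main__":
    for acl, status in audit_acl_bindings(SAMPLE_CONFIG).items():
        print(f"{acl}: {status}")
    # Binding the list to the outside interface clears the finding.
    fixed = SAMPLE_CONFIG + "access-group PUBLICHOSTS in interface outside\n"
    print(audit_acl_bindings(fixed)["PUBLICHOSTS"])
```

The "icmp permit ... outside" line in the sample governs ICMP addressed to the PIX interface itself, which is why the ping from the PIX succeeded while replies to the inside host were still dropped.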
