
PPPoE & ICMP

r-lemaster

Cisco PIX Firewall Version 6.3

My PIX was working just fine until I enabled PPPoE. Now that I've enabled PPPoE, I can no longer ping out. Now when I ping out, I don't get responses back.

I tried disabling ip audit, permit icmp any any, I even tried permit ip any any, and that didn't work.

Here is my outbound ping request:

C:\>ping www.yahoo.com

Pinging www.yahoo-ht3.akadns.net [209.131.36.158] with 32 bytes of data:

Request timed out.

Request timed out.

Request timed out.

Request timed out.

Ping statistics for 209.131.36.158:

Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)

Here is the same request from the PIX:

# ping outside 209.131.36.158

209.131.36.158 response received -- 20ms

209.131.36.158 response received -- 10ms

209.131.36.158 response received -- 10ms

And here is debug on the outside interface. It shows ping replies to the correct interface IP address.

# debug icmp trace

ICMP trace on

Warning: this may cause problems on busy networks

1: ICMP echo-request from inside:192.168.254.100 to 209.131.36.158 ID=512 seq=54784 length=40

2: ICMP echo-request: translating inside:192.168.254.100/512 to outside:74.2.65.94/5

3: ICMP echo-reply from outside:209.131.36.158 to 74.2.65.94 ID=5 seq=54784 length=40

4: ICMP echo-request from inside:192.168.254.100 to 209.131.36.158 ID=512 seq=55040 length=40

5: ICMP echo-request: translating inside:192.168.254.100/512 to outside:74.2.65.94/5

6: ICMP echo-reply from outside:209.131.36.158 to 74.2.65.94 ID=5 seq=55040 length=40

7: ICMP echo-request from inside:192.168.254.100 to 209.131.36.158 ID=512 seq=55296 length=40

8: ICMP echo-request: translating inside:192.168.254.100/512 to outside:74.2.65.94/5

9: ICMP echo-reply from outside:209.131.36.158 to 74.2.65.94 ID=5 seq=55296 length=40

10: ICMP echo-request from inside:192.168.254.100 to 209.131.36.158 ID=512 seq=55552 length=40

11: ICMP echo-request: translating inside:192.168.254.100/512 to outside:74.2.65.94/5

12: ICMP echo-reply from outside:209.131.36.158 to 74.2.65.94 ID=5 seq=55552 length=40

My ACLs:

access-list PUBLICHOSTS permit icmp any any echo-reply

icmp permit any echo-reply outside

My PPPoE config:

ip address outside pppoe setroute

vpdn group pppoex request dialout pppoe

vpdn group pppoex localname [MYPPPOEUSERNAME]

vpdn group pppoex ppp authentication pap

vpdn username [MYPPPOEUSERNAME] password *********

Is there something about PPPoE that could break ICMP replies?

My sanitized config is attached.

Thanks for your time!

1 Reply

r-lemaster

It looks like I forgot to apply my ACL to the interface that permitted ICMP in.

After applying the ACL, I can ping out again.

DUH.
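
The mistake described in the reply above (an ACL that exists but is never attached to an interface) can be caught by a configuration audit. The following is an added example, not part of the original thread: a Python check that lists every `access-list` in a PIX-style configuration that no `access-group` statement binds. The function name, the sample text and the NONAT lines are assumptions made for illustration.

```python
import re

# Constructed sample config: the two ICMP lines are from the post; the NONAT
# lines are hypothetical context showing an ACL used by something other than
# an access-group.
BROKEN = """\
access-list PUBLICHOSTS permit icmp any any echo-reply
icmp permit any echo-reply outside
access-list NONAT permit ip 192.168.254.0 255.255.255.0 10.0.0.0 255.0.0.0
nat (inside) 0 access-list NONAT
"""
FIXED = BROKEN + "access-group PUBLICHOSTS in interface outside\n"

ACL_DEF = re.compile(r"^access-list\s+(\S+)\s+(?:permit|deny)\b")
ACL_BIND = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)")


def audit_acl_bindings(config):
    """Classify each ACL by whether an access-group attaches it to an interface."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    defined = []
    for line in lines:
        m = ACL_DEF.match(line)
        if m and m.group(1) not in defined:
            defined.append(m.group(1))

    bound, referenced = {}, set()
    for line in lines:
        if line.startswith("access-list "):
            continue
        m = ACL_BIND.match(line)
        if m:
            bound[m.group(1)] = m.group(2)
        else:
            # e.g. "nat (inside) 0 access-list NAME" or a crypto map match
            referenced.update(t for t in line.split() if t in defined)

    return {
        "bound": bound,
        "unbound": [a for a in defined if a not in bound and a not in referenced],
        "used_elsewhere": [a for a in defined if a not in bound and a in referenced],
        "dangling": [a for a in bound if a not in defined],
    }


if __name__ == "__main__":
    for label, cfg in (("before", BROKEN), ("after", FIXED)):
        print(label, audit_acl_bindings(cfg))
```

The `icmp permit any echo-reply outside` line is not counted as a binding: on the PIX that command governs ICMP addressed to the firewall's own interface, not traffic passing through it, which matches the symptom of the PIX itself pinging successfully while inside hosts time out.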
