Can't ping through the PIX

Unanswered Question
Apr 5th, 2008


I have a Cisco PIX 515E.

I have 6 interfaces.

Off one of the interfaces is a Cisco 871 router which I have set up to act as a gateway to access another network.

The internal interface is security level 100.

The cisco_router interface is security level 80.

From the Cisco internal interface I cannot ping anything on the internal LAN.

I am allowing traffic from the internal LAN to communicate with the network via an ACL.

I am allowing the traffic from the range to access the internal network by allowing it in an ACL applied on this interface.

I have set up icmp permit any cisco_Inside on the PIX.

I have set up a capture on this interface and can see matches from going to the internal machine (it resolves a name as well) but nothing back.

I have set up a capture on the internal LAN interface and cannot see matches sending back or replying to the subnet. So it's not even getting there.

I do not have access to troubleshoot from the internal LAN, which makes it hard.

I have a route on the Cisco 871 to route to the internal range via the connecting interface on the PIX, but traceroutes time out at the first hop.

From the PIX I can ping the interface on the Cisco 871.

Does anyone have any ideas why I can't ping?

Will post configs if needed.



sundar.palaniappan Sat, 04/05/2008 - 18:28


A few questions for you.

1. Is nat-control enabled in the firewall? If it is, can you post the nat or static configuration?

2. Does your internal network know how to route to or whatever address you may be translating to on the PIX?

3. Have you applied an access list on the inside interface?

If it's possible, post a sanitized copy of the PIX configuration.



cameronjohn Sat, 04/05/2008 - 21:38

Hi Sundar,

I worked it out by doing:

static (inside,Gal_Inside) netmask, otherwise known as a transparent static translation.

However, my setup is complex. I am using the Cisco router to do NATting to the IP which sits behind the PIX inside interface.

I am NATting this internal IP to the external range of the Cisco 871 router, which is (this range connects to the PIX interface).

ip nat inside source static

I will then terminate an IPsec VPN from a third party on the PIX. Traffic from the third party will then route to the Cisco interface and then hopefully translate the address to the internal IP.

This setup would work on a Cisco router, but the PIX is a different beast.

What do you think my chances of success are?

I can get to the Internet from the Cisco router, so NAT outbound works fine.
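The following is an added example, not a configuration posted in this thread, showing the arrangement cameronjohn describes (an identity static on the PIX between inside and the 871-facing interface, and a static inside-source NAT on the 871) in PIX 7.x and IOS syntax. Every address, the interface numbering, the ACL name and the capture names are assumptions chosen for illustration; the thread never gives them. It also shows the check a practitioner would want: captures on both PIX interfaces, so that a request seen on the lower-security interface but absent from the inside capture points at nat-control or the inbound ACL rather than at the inside LAN.

```cisco
! ---- PIX 515E (7.x syntax) -- added example, addresses are assumed ----
! inside     = 10.1.1.0/24, security-level 100, PIX address 10.1.1.1
! Gal_Inside = 192.168.50.0/24, security-level 80, PIX address 192.168.50.1
! 871 WAN side = 192.168.50.2; it maps its LAN host to 192.168.50.10
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet2
 nameif Gal_Inside
 security-level 80
 ip address 192.168.50.1 255.255.255.0
!
! With nat-control on, a host behind a higher-security interface is unreachable
! from a lower-security interface until a translation exists for it. An identity
! static (mapped address == real address) satisfies nat-control in both
! directions without rewriting anything; this is the "transparent static" above.
nat-control
static (inside,Gal_Inside) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
!
! Inbound ACL on the lower-security interface. Only the link range the 871
! translates into may reach the inside LAN. ACLs match the mapped addresses,
! which here equal the real ones.
access-list GAL_IN extended permit icmp 192.168.50.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list GAL_IN extended permit ip 192.168.50.0 255.255.255.0 10.1.1.0 255.255.255.0
access-group GAL_IN in interface Gal_Inside
!
! "icmp permit" controls ICMP addressed TO the PIX interface itself, not ICMP
! passing THROUGH the box; it does not replace the ACL above.
icmp permit any Gal_Inside
!
! Without ICMP inspection, echo replies are treated as new connections from
! inside to Gal_Inside; with it, replies are matched to the request statefully.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Captures on both sides. A hit in cap_gal with no matching hit in cap_in means
! the PIX dropped the packet (nat-control or ACL), not the inside LAN.
capture cap_gal interface Gal_Inside match icmp any any
capture cap_in  interface inside     match icmp any any
! verify:  show xlate | include 10.1.1   /   show capture cap_in

! ---- Cisco 871 (IOS) -- added example, addresses are assumed ----
! LAN host 10.20.0.5 is presented to the PIX as 192.168.50.10, an address in the
! link range, so the PIX needs no route back to 10.20.0.0/24; IOS answers ARP
! for the static mapped address on the outside interface.
interface Vlan1
 ip address 10.20.0.1 255.255.255.0
 ip nat inside
!
interface FastEthernet4
 ip address 192.168.50.2 255.255.255.0
 ip nat outside
!
ip nat inside source static 10.20.0.5 192.168.50.10
ip route 10.1.1.0 255.255.255.0 192.168.50.1
```

The order of checks this layout supports is the one Sundar's questions imply: confirm an xlate exists for the inside host (nat-control), confirm the inbound ACL on Gal_Inside permits the mapped source, and only then look at routing on the inside LAN. Per Sundar's follow-up, this works for traffic originating on the 871's LAN; it does not make the 871 translate traffic that arrives through a VPN terminating on the PIX, since that traffic never passes through the 871.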



sundar.palaniappan Sun, 04/06/2008 - 08:01


I am not sure I have understood your setup correctly.

However, I believe what you are describing would work without VPN. You can translate on both the 871 and the PIX and it would work just fine. But if you expect traffic to come through the VPN tunnel, which terminates on the PIX outside, and expect translation for that to be done on the 871, then it wouldn't work, as the 871 would be a pass-through device in the IPsec path.

There's a good chance that I may have misunderstood your setup, in which case can you post a sanitized copy of the PIX and 871 configuration? That would make it much easier to say anything for sure.



