ICMP is not working on firewall

Aug 6th, 2008

I have a PIX 525 firewall with IOS Version 8.0(3).

I have an access-list applied on both the inside and outside interfaces. Everything was working fine, but today I am not able to ping the firewall outside interface. Only directly connected switches are able to ping the firewall outside interface.


The firewall is configured for an AAA server and authentication is working fine, but the firewall is not able to ping the AAA server.


ASDM and everything else is working; only ping to the box is not working.


I have even allowed icmp any any on the inside and outside interfaces.


The firewall is unable to reach the SNMP server. The server gives an unreachable error.


Please see the attachment for the configuration of the firewall, plus logging at the end.


ASDM is showing that the inside to outside traffic is denied by a deny rule, though there is no deny rule even at the end of the access-list.


Nobody is able to ping any interface of the firewall except the one core switch that is directly connected to the firewall. Please see the attachment for the firewall configuration.



Why is this happening? Please help me out.





The route to the 172.28.31.0 network is via the inside interface?


The SNMP server information is configured on the outside interface?


route outside 0.0.0.0 0.0.0.0 172.28.63.75 1


route inside 172.28.0.0 255.255.0.0 172.28.50.3 1

route inside 172.28.36.0 255.255.255.0 172.28.50.3 1

route inside 172.28.50.0 255.255.255.0 172.28.50.1 1



snmp-server host outside 172.28.31.176 community [email protected]

snmp-server host outside 172.28.31.177 community [email protected]

snmp-server host outside 172.28.31.178 community [email protected]


Where are the SNMP servers actually?


If they are on the outside, then add:


route outside 172.28.31.0 255.255.255.0 172.28.63.75


Also for the AAA


aaa-server TACACS+ (outside) host 172.28.31.132

key waridtel0321

aaa-server TACACS+ (outside) host 172.28.31.133

key waridtel0321



HTH
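
The check raised in the reply above (do the static routes send a management host out of the same interface named in its `snmp-server host` or `aaa-server` line?) can be run over a saved configuration. This is an added example, not part of the original post or any Cisco tool; the function names and the constructed sample are assumptions, and only static `route` lines are considered (connected networks are not modelled).

```python
import ipaddress
import re

# Constructed sample built from lines quoted in the thread (secrets left out).
SAMPLE_CONFIG = """\
route outside 0.0.0.0 0.0.0.0 172.28.63.75 1
route inside 172.28.0.0 255.255.0.0 172.28.50.3 1
route inside 172.28.36.0 255.255.255.0 172.28.50.3 1
snmp-server host outside 172.28.31.176
aaa-server TACACS+ (outside) host 172.28.31.132
"""

ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)")
HOST_RES = [
    re.compile(r"^(snmp-server) host (\S+) (\S+)"),
    re.compile(r"^(aaa-server) \S+ \((\S+)\) host (\S+)"),
]

def parse_routes(config):
    """Return [(network, interface)] for every static route line."""
    routes = []
    for line in config.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")
            routes.append((net, m.group(1)))
    return routes

def egress_interface(routes, host):
    """Longest-prefix match over the static routes only."""
    addr = ipaddress.ip_address(host)
    matches = [(net.prefixlen, ifc) for net, ifc in routes if addr in net]
    return max(matches)[1] if matches else None

def find_mismatches(config):
    """List (service, host, configured_ifc, routed_ifc) where they differ."""
    routes = parse_routes(config)
    found = []
    for line in config.splitlines():
        for rx in HOST_RES:
            m = rx.match(line.strip())
            if m:
                service, ifc, host = m.groups()
                routed = egress_interface(routes, host)
                if routed != ifc:
                    found.append((service, host, ifc, routed))
    return found

if __name__ == "__main__":
    print(find_mismatches(SAMPLE_CONFIG))
```

A mismatch only shows that the two statements disagree; which one is wrong depends on where the servers really sit, which is the question the reply asks.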

Tshi M Sun, 08/17/2008 - 16:08

There is an implicit deny rule at the end of the ACL. If you have an ACL, you need to specifically permit the traffic that you want; otherwise it will be denied.

Marwan ALshawi Sun, 08/17/2008 - 20:08

If you want the firewall to ping the server, you need ICMP echo-reply permitted,

like permit icmp any any outside echo-reply

So try to permit:

icmp [source] [destination] echo

icmp [source] [destination] echo-reply

regarding the required source and destination and the right interface.

And for your information, you cannot ping any firewall interface from another interface; this is in ASA!

Good luck.

Please rate if helpful.
