Solved: Ping Out to In on PIX 501 - Can't seem to make it work

nagel · ‎11-10-2008

I am trying to allow ICMP coming in from an outside host (192.168.10.100) to ping an inside host (10.10.233.100) through a PIX 501 running v 6.3.5

The outside interface is address 192.168.10.10 and the inside interface is address 10.10.233.10

I have the following configured on the PIX :

access-list out_to_in permit ICMP any any

access-group out_to in interface outside

static (inside, outside) 192.168.10.50 10.10.233.100 netmask 255.255.255.255

When running a Debug ICMP Trace I do see the transalation happening which translates the ping address (192.168.10.50) to the inside host address (10.10.233.100)

All tseems to be working as it should but I do not receive a ping response (echo-reply) on the outside host.

Any thoughts would be greatly appreciated. Thanks

Jon Marshall · ‎11-10-2008

Okay, time for a bit of debugging :-)

1) debug packet inside src 192.168.10.100

do you see packets leaving the inside interface going to 10.10.233.10 ? If yes

2) debug packet inside dst 192.168.10.100

do you see packets returning from 10.10.233.10 to 192.168.10.100

One other thing - you are ping 192.168.10.50 from 192.168.10.100 ?

Jon

View solution in original post

acomiskey · ‎11-10-2008

Did you mean "access-group out_to_in in interface outside"?

nagel · ‎11-10-2008

Yea, man I got some fat fingers

John Blakley · ‎11-10-2008

I don't know if this will make a difference, but do you have an ACL in the inside interface? If so, you can try to allow the connection from the 10.10.233.100 address.

--John

HTH, John *** Please rate all useful posts ***

nagel · ‎11-10-2008

No Inside ACL so none of that should apply

Jon Marshall · ‎11-10-2008

Is 10.10.233.10 directly connected on the inside interface of the pix ?

If not is there a route to point 192.168.10.x network back to the inside interface of the pix so the return traffic gets back to your outside host ?

Jon

nagel · ‎11-10-2008

Yes directly connected and shows as such in sh route

John Blakley · ‎11-10-2008

After you created your static, did you clear your xlate table? The static won't take effect until that's done.

--John

HTH, John *** Please rate all useful posts ***

Jon Marshall · ‎11-10-2008

Okay, time for a bit of debugging :-)

1) debug packet inside src 192.168.10.100

do you see packets leaving the inside interface going to 10.10.233.10 ? If yes

2) debug packet inside dst 192.168.10.100

do you see packets returning from 10.10.233.10 to 192.168.10.100

One other thing - you are ping 192.168.10.50 from 192.168.10.100 ?

Jon

nagel · ‎11-10-2008

All - I tried the same lab test on a different box (PIX 520) using the same parameters (including V 6.3.5) and badda-bing...All working as it should. So now I am left to wonder what the heck is up with the 501. I think I am getting to set back to factory and start over with it and see if that makes any difference. Thanks to all for the great suggestions (especially the debug packet info as I had not used that in the past).

Anyway - suffice to say I have seen strnger things in the past but not today.