PIX or router issue

Feb 11th, 2009

Following is a lab topology:

I cannot ping from the Internet (LAB) router to the inside interface of the PIX as well as the LAN.

Also cannot ping the outside interface of the PIX from the LAN, but can ping the system on the Internet (LAB).

Can anyone help?

Thanks in advance.

system A ------>switch------->LAN Router---->firewall--->Internet Router----->Switch----->System B

System A IP:10.1.2.5/24

gateway: 10.1.2.1

System B ip:172.16.10.5/24

-------------------------------------

LAN Router Configuration:

interface Ethernet0/0

ip address 10.1.2.1 255.255.255.0

half-duplex

!

interface Ethernet0/1

ip address 10.1.1.2 255.255.255.0

half-duplex

ip route 0.0.0.0 0.0.0.0 10.1.1.1

---------------------------------------

PIX configuration:

interface Ethernet0

nameif outside

security-level 0

ip address 10.165.200.226 255.255.255.224

!

interface Ethernet1

nameif inside

security-level 100

ip address 10.1.1.1 255.255.255.0

access-list 100 extended permit icmp any any echo

access-list 100 extended permit icmp any any echo-reply

access-list 100 extended permit icmp any any time-exceeded

access-list 100 extended permit icmp any any unreachable

access-list 100 extended permit tcp any any eq smtp

global (outside) 1 10.165.200.227-10.165.200.254 netmask 255.255.255.224

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) 10.165.200.228 10.1.2.5 netmask 255.255.255.255

access-group 100 in interface outside

route outside 0.0.0.0 0.0.0.0 10.165.200.225 1

route inside 10.1.2.0 255.255.255.0 10.1.1.2 1

---------------------------------------------------

Internet Router:

interface Ethernet0

ip address 10.165.200.225 255.255.255.224

half-duplex

!

interface FastEthernet0

ip address 172.16.10.1 255.255.255.0

speed auto

-------------------------------------------------

seekhpar121 Wed, 02/11/2009 - 20:13

Hi,

Thanks for your response.

From System A:

1) CAN ping System B.

2) CANNOT ping outside interface of PIX.

3) CAN ping ETH0 of Internet router connected to outside interface of PIX.

From PIX:

Can ping Internet router as well as System B.

From Internet Router:

Cannot ping inside interface of PIX.

From System B:

When pinging the inside interface of the PIX, the result is:

Reply from 172.16.10.1:destination host unreachable

Waiting for more replies.

Thanks

This is normal behaviour.

From the outside of the pix you will not be able to ping the inside IP. From the inside of the pix you will not be able to ping the outside IP = all normal for the PIX.

Your network connectivity tests that prove the network from end to end will be:

system A ping switch = OK

system A ping LAN Router = OK

system A ping firewall inside = OK

system A ping internet router = OK

The above proves the system A side 100%

system B ping switch = OK

system B ping internet router = OK

system B ping firewall outside = OK

system B ping LAN router = OK

The above proves the system B side 100%

system B ping system A = OK

That means you have 100% end to end connectivity.

HTH.

seekhpar121 Thu, 02/12/2009 - 20:09

System B cannot ping LAN Router.

Response is:

Reply from 172.16.10.1(internet Router ip),destination host unreachable.

Also System B cannot ping System A.

PIX OS is v8.0(3)

seekhpar121 Fri, 02/13/2009 - 06:21

Following is the internet router configuration.

Internet Router:

interface Ethernet0

ip address 10.165.200.225 255.255.255.224

half-duplex

!

interface FastEthernet0

ip address 172.16.10.1 255.255.255.0

speed auto

seekhpar121 Fri, 02/13/2009 - 19:40

At the PIX, for allowing ICMP as well as routes and static NATting of System A:

access-list 100 extended permit icmp any any echo

access-list 100 extended permit icmp any any echo-reply

access-list 100 extended permit icmp any any time-exceeded

access-list 100 extended permit icmp any any unreachable

access-group 100 in interface outside

static (inside,outside) 10.165.200.228 10.1.2.5 netmask 255.255.255.255

route outside 0.0.0.0 0.0.0.0 10.165.200.225 1

route inside 10.1.2.0 255.255.255.0 10.1.1.2 1
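
A routing-only model of the configurations posted in this thread, added here as an example (it is not part of any post): it looks up each destination hop by hop to show where a ping from System B stops. The names `ROUTES`, `OWNER`, `STATIC`, `next_hop`, `trace` and `from_system_b` are hypothetical, and it assumes that System B's gateway is 172.16.10.1 and that the Internet Router has only its two connected networks, since its posted configuration shows no route statements.

```python
import ipaddress as ip

# Routing tables transcribed from the configurations posted in the thread.
# Assumption: the Internet Router knows only its two connected networks.
# ACLs and the PIX's own interface rules are not modelled, only routing.
ROUTES = {
    "lan_router": [("10.1.2.0/24", None), ("10.1.1.0/24", None),
                   ("0.0.0.0/0", "10.1.1.1")],
    "pix": [("10.165.200.224/27", None), ("10.1.1.0/24", None),
            ("10.1.2.0/24", "10.1.1.2"), ("0.0.0.0/0", "10.165.200.225")],
    "internet_router": [("10.165.200.224/27", None), ("172.16.10.0/24", None)],
}
# Which device owns each next-hop address in the posted configurations.
OWNER = {"10.1.1.1": "pix", "10.1.1.2": "lan_router",
         "10.165.200.225": "internet_router"}
# From: static (inside,outside) 10.165.200.228 10.1.2.5
STATIC = {"10.165.200.228": "10.1.2.5"}

def next_hop(device, dst):
    """Longest-prefix match: 'connected', a next-hop IP, or None (no route)."""
    dst = ip.ip_address(dst)
    best = None
    for prefix, hop in ROUTES[device]:
        net = ip.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return (best[1] or "connected") if best else None

def trace(device, dst):
    """Follow the routing tables hop by hop; return (devices visited, verdict)."""
    path = [device]
    while True:
        hop = next_hop(device, dst)
        if hop is None:
            return path, "unreachable at " + device
        if hop == "connected":
            return path, "delivered on a connected network of " + device
        device = OWNER[hop]
        path.append(device)

def from_system_b(dst):
    """Route a packet that System B hands to the Internet Router."""
    path, verdict = trace("internet_router", dst)
    if dst in STATIC and verdict.startswith("delivered"):
        # The PIX answers for the translated address, then routes on the real one.
        inner, verdict = trace("pix", STATIC[dst])
        path += inner
    return path, verdict
```

Under these assumptions the real inside addresses (10.1.1.x, 10.1.2.x) have no route at the Internet Router, while the translated address 10.165.200.228 sits on its connected outside segment and is carried through the PIX to the LAN Router.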
