Request help on a PIX 515E - will not ping from CLI to outside

kgreene2
Level 1

Hi:

I am trying to learn about the Cisco security products such as the PIX and ASA products so when the security staff speak to me about things they need to accomplish, I do not come across as a complete fool. To become a bit more "aware", I decided to set up a tiny lab and see what a PIX can really accomplish and to learn more about what the staff is trying to do.

Having configured it both with the command line and also with an attempt using the web interface, I am still unable to pass traffic from the inside to the outside. I am sure it is something really stupid. I did buy the Cisco book (Cisco Secure PIX firewalls - very useful) and tried to use some of the examples in this book.

Attached is my configuration. I have removed the sensitive data of the test and the external public network. The PIX sits behind an edge router which has public IP on both sides.

Any ideas would be great. I am sure it is a simple issue.

Thank you

Kevin

PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
hostname gateway
domain-name example.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol http 8080
fixup protocol mgcp 2424
fixup protocol mgcp 2727
no fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
no fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.0.126 frog
access-list outside_access_in remark Incoming SMTP traffic to frog
access-list outside_access_in permit tcp any gt 1023 host frog eq smtp
pager lines 150
logging on
logging timestamp
logging buffered debugging
logging trap informational
logging history warnings
logging host inside natalie
icmp permit 111.111.111.0 255.255.255.0 echo outside
icmp permit 192.168.0.0 255.255.255.0 echo inside
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 111.111.111.10 255.255.255.0
ip address inside 192.168.0.254 255.255.255.0
ip address dmz 172.16.3.1 255.255.255.0
ip audit name outside info action alarm
ip audit interface outside outside
ip audit info action alarm
ip audit attack action alarm
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 111.111.111.8-111.111.111.9 netmask 255.255.255.0
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 111.1.111.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 111.111.111.0 255.255.255.0 outside
http 192.168.0.0 255.255.0.0 inside
snmp-server enable traps
floodguard enable
sysopt connection tcpmss 1500
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
console timeout 0
url-block url-mempool 2
url-block url-size 2
terminal width 100

4 Replies

Kureli Sankar
Cisco Employee

What traffic is failing?

You say unable to ping from CLI to outside. You tried to ping 111.1.111.1 from the firewall and that didn't work?

You may want to remove this line for now, until you are done testing, so ICMP is not restricted.

icmp permit 111.111.111.0 255.255.255.0 echo outside

nat/route/permission look good.

Add the following:

fixup protocol icmp

For other broken traffic, please check the logs.

sh logg | i x.x.x.x

where x.x.x.x is the ip address of a test host on the inside.

-KS

Hi:

I did the changes you suggested.

The log entries are:

gateway# show logging | grep 111.111.111.1
400010: IDS:2000 ICMP echo reply from 111.111.111.1 to 111.111.111.10 on interface outside
313001: Denied ICMP type=0, code=0 from 111.111.111.1 on interface 0

So it looks like there is some rule that is not allowing echo-replies back to the inside user.

I also tried this:

gateway# clear xlate
gateway# ping 111.111.111.1
        111.111.111.1 NO response received -- 1000ms
        111.111.111.1 NO response received -- 1000ms
        111.111.111.1 NO response received -- 1000ms
gateway#

Thanks...

Kevin

Hi Kevin,

There's no built-in fixup protocol for ICMP. The firewall allows the outbound traffic for icmp but drops the return traffic. To be able to do a ping from inside hosts to outside, you need to add a line on your acl that will permit icmp to pass thru.

access-list outside_access_in remark Incoming SMTP traffic to frog
access-list outside_access_in permit tcp any gt 1023 host frog eq smtp

access-list outside_access_in permit icmp any any ---> try to add this line

** Note ** I assume that you want to send icmp traffic from inside to outside for connectivity testing only. I suggest that you remove the "permit icmp any any" once you're done with your testing for best practice.

Hope this helps.

Notice the syslogs say IDS...

Try to remove these lines.

ip audit name outside info action alarm
ip audit interface outside outside
ip audit info action alarm
ip audit attack action alarm

Also, the ACL that you apply on the outside interface to permit replies is only for "THROUGH" the box traffic, i.e. only when you ping from an inside host. You mentioned you are pinging from the firewall CLI, so that is "TO" and "FROM" the box traffic. An ACL applied on the interface will not have any effect.

-KS
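Added example (not code from the post, from Cisco, or from either replier): a small Python triage script that applies the to-the-box versus through-the-box distinction in KS's last reply to the syslog output Kevin pasted. It parses three PIX 6.3 message IDs, 313001 (ICMP addressed to the firewall itself, denied by the `icmp` command), 106023 (a packet crossing the firewall, denied by an interface access-group) and 400010 (an IDS signature match, which with `ip audit ... action alarm` only logs and drops nothing), labels each event with the plane it was dropped in, and returns the narrowest PIX command that would have admitted that packet. The interface-index map and addresses are taken from the posted config (PIX 6.x writes the interface number, not the nameif, in 313001); the first two sample lines mirror the post, while the 106023 and 302015 lines and the inside host 192.168.0.10 are constructed for the example.

```python
"""Triage PIX 6.3 syslog for dropped ICMP and suggest the matching fix.

Added example for this thread; not code from the original post or from Cisco.
Message IDs handled: 313001 (ICMP to the firewall itself denied by the `icmp`
command), 106023 (traffic through the firewall denied by an interface ACL)
and 400010 (IDS signature fired; with `ip audit ... action alarm` it only logs).
"""
import re
from dataclasses import dataclass
from typing import Optional

# Interface index -> nameif, taken from the posted config (ethernet0=outside, ...).
# PIX 6.x logs 313001 with the index, not the name.
IFACE_BY_INDEX = {"0": "outside", "1": "inside", "2": "dmz"}

# PIX keywords for the ICMP types a ping / traceroute round trip needs.
ICMP_TYPES = {0: "echo-reply", 3: "unreachable", 8: "echo", 11: "time-exceeded"}

# Constructed sample: the first two lines mirror the post, the rest are made up
# in the documented 106023 / 302015 formats using the thread's sanitised addresses.
SAMPLE_LOG = """\
400010: IDS:2000 ICMP echo reply from 111.111.111.1 to 111.111.111.10 on interface outside
313001: Denied ICMP type=0, code=0 from 111.111.111.1 on interface 0
106023: Deny icmp src outside:111.111.111.1 dst inside:192.168.0.10 (type 0, code 0) by access-group "outside_access_in"
106023: Deny icmp src outside:111.111.111.1 dst inside:192.168.0.10 (type 11, code 0) by access-group "outside_access_in"
302015: Built outbound UDP connection 7 for outside:111.111.111.1/53 (111.111.111.1/53) to inside:192.168.0.10/1025 (111.111.111.8/1025)
"""

RE_313001 = re.compile(
    r"^313001: Denied ICMP type=(\d+), code=(\d+) from (\S+) on interface (\S+)")
RE_106023 = re.compile(
    r'^106023: Deny icmp src (\w+):(\S+) dst (\w+):(\S+) '
    r'\(type (\d+), code (\d+)\) by access-group "([^"]+)"')
RE_400010 = re.compile(
    r"^400010: IDS:(\d+) (.+?) from (\S+) to (\S+) on interface (\S+)")


@dataclass
class IcmpEvent:
    msg_id: int
    plane: str                  # "to-the-box", "through-the-box" or "ids-alarm"
    src: str
    iface: str                  # interface the packet arrived on
    icmp_type: Optional[int] = None
    code: Optional[int] = None
    dst: Optional[str] = None
    acl: Optional[str] = None


def parse_line(line: str) -> Optional[IcmpEvent]:
    """Return an IcmpEvent for the three ICMP-related message IDs, else None."""
    m = RE_313001.match(line)
    if m:
        t, c, src, idx = m.groups()
        return IcmpEvent(313001, "to-the-box", src, IFACE_BY_INDEX.get(idx, idx),
                         int(t), int(c))
    m = RE_106023.match(line)
    if m:
        sif, src, dif, dst, t, c, acl = m.groups()
        return IcmpEvent(106023, "through-the-box", src, sif, int(t), int(c), dst, acl)
    m = RE_400010.match(line)
    if m:
        sig, desc, src, dst, iface = m.groups()
        return IcmpEvent(400010, "ids-alarm", src, iface, dst=dst)
    return None


def triage(log_text: str) -> list:
    """Parse a `show logging` capture, keeping only ICMP-related events."""
    return [ev for ev in map(parse_line, log_text.splitlines()) if ev]


def remediation(ev: IcmpEvent) -> Optional[str]:
    """The narrowest PIX 6.3 command that would have let this packet through."""
    if ev.plane == "ids-alarm":
        return None   # `ip audit ... action alarm` logs only; nothing was dropped.
    name = ICMP_TYPES.get(ev.icmp_type, str(ev.icmp_type))
    if ev.plane == "to-the-box":
        # The `icmp` command gates traffic addressed to the PIX itself. With no
        # icmp statements everything is allowed; once one exists on an interface
        # (the post's "icmp permit ... echo outside"), unlisted types are denied,
        # so the firewall's own echo goes out but the echo-reply is dropped.
        return f"icmp permit host {ev.src} {name} {ev.iface}"
    # Through traffic is gated by the access-group on the ingress interface.
    return f"access-list {ev.acl} permit icmp host {ev.src} host {ev.dst} {name}"


def summarize(log_text: str) -> dict:
    """Count events per plane and collect the unique remediation lines."""
    counts, fixes = {}, []
    for ev in triage(log_text):
        counts[ev.plane] = counts.get(ev.plane, 0) + 1
        fix = remediation(ev)
        if fix and fix not in fixes:
            fixes.append(fix)
    return {"counts": counts, "fixes": fixes}


if __name__ == "__main__":
    for ev in triage(SAMPLE_LOG):
        print(f"{ev.msg_id} {ev.plane:16} -> {remediation(ev)}")
```

Run against the sample, the 313001 line maps to `icmp permit host 111.111.111.1 echo-reply outside` (the to-the-box fix for the CLI ping), the two 106023 lines map to host-specific `access-list outside_access_in permit icmp ... echo-reply` / `time-exceeded` entries (the through-the-box fix for pings and traceroutes from an inside host), and the IDS line yields no change because an alarm-only audit policy does not drop anything. The host-and-type entries are deliberately narrower than `permit icmp any any`; as with any test-only opening, remove them once the lab test is done. PIX 6.3(1) and later also offer stateful ICMP inspection via `fixup protocol icmp`, which matches the returning echo-reply to the outbound echo so that no inbound ACL entry is needed for through traffic; it does not affect pings sourced from the firewall itself, which remain governed by the `icmp` command.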
