PIX unable to ping outside from inside

Answered Question
Aug 8th, 2011

Dear all,

I'd like to have some support for a very basic PIX firewall configuration.

I'm dealing with the PIX 515's inside/outside/dmz zones.

Inside hosts can ping the inside interface, outside hosts the outside interface, and so on.

I cannot ping the outside interface from inside hosts.

(i.e. ping 192.168.0.2 from 10.10.10.100)

inside network 10.10.10.0/24

outside network 192.168.0.0/24

I think I properly set NAT and access lists, and furthermore from the ICMP trace it seems that translation is performed, but the echo-reply is missing.

In the attached file you can find the PIX configuration and test.

I think that some PIX expert can easily find out the problem.

Thanks for the support

Mauro

varrao Mon, 08/08/2011 - 00:11

Hi Mauro,

Due to design issues, you would never be able to ping a remote interface on the ASA; this is not possible, although you can ping hosts which are connected to these two interfaces. If you are facing an issue with that, do let me know.

Hope this helps,

Thanks,

Varun

fattore73 Mon, 08/08/2011 - 01:37

Dear Varun, thanks for the reply.

I'm not dealing with an ASA, but with a PIX 515: I tested that the outside interface replies to ping (from outside hosts), and I've read in a PIX firewall book that it would be possible to test connectivity from inside to outside by means of "ping".

That happens if the operator enables icmp any any outside and defines an access-list in this way:

"access-list acl_out permit icmp  any any"

and apply to outside interface

"access-group acl_out in interface outside"

I executed the last 2 tasks, but ping from the inside host (10.10.10.100) to the outside interface (192.168.0.2) systematically fails.

I cannot even ping from the inside host (10.10.10.100) to an outside host (192.168.0.x).

The PIX firewall sends the echo-request to outside, I guess (because NAT translation occurs), but no echo-reply ever happens.

varrao Mon, 08/08/2011 - 01:45

Hi Mauro,

I'm sorry, I meant PIX, but it is true for PIX as well: you would not be able to ping a remote interface on the firewall.

"I've  read in a Pix firewall book that it would be possible to test connectivity from inside to outside by means of "ping" "

What this means is if you have two hosts connected to the inside and outside, then it would ping, like:

host1 ----------------------------outside(PIX)inside----------------------------------host2

10.1.1.1                         10.1.1.2         20.1.1.2                              20.1.1.1

Now you would be able to ping from host2 to host1 but not host2 to outside interface, that is not possible.

For pinging from host2 to host1, you would need the following config:

access-list out_in permit icmp any any

access-group out_in in interface outside

nat (inside) 1 20.1.1.1 255.255.255.255

global (outside) 1 interface

this should work for you.

Hope this helps.

Thanks,

Varun

fattore73 Mon, 08/08/2011 - 02:44

Your drawing is a good idea and useful to understand the matter. I try to track your approach again:

in my case host2 (20.1.1.1) can ping inside (20.1.1.2) ........ ok!!

host1 (10.1.1.1) can ping outside (10.1.1.2) ........ ok!!

I can take for granted that host2 cannot ping the outside interface (from your statement). ........... ok!!!

You finally state that host2 can ping host1 with the following additional commands:

a) access-list out_in permit icmp any any ---> got it (access-list acl_out permit icmp any any) ... ok!!

b) access-group out_in in interface outside ----> got it (access-group acl_out in interface outside) .... ok!!!

c) "nat (inside) 1 20.1.1.1 255.255.255.255" ------> should it not act as my command "nat (inside) 1 0 0"??

d) global (outside) 1 interface -----> what does it execute? Natting with only the outside interface IP address?

Should it not be similar to my command "global (outside) 1 192.168.0.10-192.168.0.62", which instead defines a pool of outside addresses for natting?

If these assumptions are true, I would already have the nat and global commands in my configuration properly set, but I tested that host2 cannot ping host1 up to now.

varrao Mon, 08/08/2011 - 02:59

Hi Mauro,

The nat statements that I gave you were only for reference; you can use any value that you want.

You can either use:

nat (inside) 1 20.1.1.1 255.255.255.255

global (outside) 1 interface

or

nat(inside) 1 0 0

global (outside) 1 192.168.0.10-192.168.0.62

Both are correct.

Now you said that you are not able to ping host2 from host1?

To troubleshoot it, please take logs and debugs and check where the traffic is dropping.

Take captures as well. As per the configuration it should work.

https://supportforums.cisco.com/docs/DOC-1222

Thanks,

Varun
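Varun's two answers above give the commands piecemeal (ACL plus access-group, then either nat/global form). As an added example that is not part of the thread, here is a minimal PIX 6.x configuration that puts them together with the addresses from Mauro's original post, with the tighter access-list a practitioner would normally use instead of "permit icmp any any", and with the capture commands Varun suggests for troubleshooting. Interface names, the inside interface address, the capture names and the use of ":" comment lines are assumptions; the DMZ interface from the original post is omitted because the thread gives no addresses for it.

```text
: Added example, not configuration from the thread. Addresses are the ones
: Mauro posted (inside 10.10.10.0/24, outside 192.168.0.0/24, outside
: interface 192.168.0.2); the inside interface address and interface
: names are assumed. Lines beginning with ":" are PIX comment lines.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.168.0.2 255.255.255.0
ip address inside 10.10.10.1 255.255.255.0
:
: Outbound translation. Either form from the thread works; pool form:
nat (inside) 1 0 0
global (outside) 1 192.168.0.10-192.168.0.62
: ...or PAT on the outside interface address instead of a pool:
: global (outside) 1 interface
:
: Return traffic. Without the ICMP fixup the PIX does not track ICMP
: statefully, so echo-replies from outside hosts must be permitted
: inbound explicitly. Form as posted in the thread (permits every ICMP type):
: access-list acl_out permit icmp any any
: Tighter form: only the types a ping started from inside needs back.
access-list acl_out permit icmp any any echo-reply
access-list acl_out permit icmp any any time-exceeded
access-list acl_out permit icmp any any unreachable
access-group acl_out in interface outside
:
: Alternative on PIX 6.3 and later: track ICMP statefully so only replies
: to inside-originated echo-requests are admitted, with no ACL entry needed.
: fixup protocol icmp
:
: Pings addressed to the PIX's own interfaces are governed by the "icmp"
: command, not by the access-list. Even with these lines, an inside host
: cannot ping the outside interface through the box, which is the
: behaviour the thread ends on; test against an outside host instead.
icmp permit any echo outside
icmp permit any echo-reply outside
:
: Troubleshooting, as Varun suggests: capture ICMP on both interfaces and
: confirm the echo-request leaves translated and the echo-reply returns.
: Capture names are assumed.
access-list capacl permit icmp any any
capture capin access-list capacl interface inside
capture capout access-list capacl interface outside
: then: show capture capin / show capture capout / show xlate
```

If the outside capture shows the translated echo-request leaving but no echo-reply arriving, the problem is on the outside network (routing back to the pool or interface address), not on the PIX; if the reply arrives on outside but never appears on inside, check the access-list or enable the ICMP fixup.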


fattore73 Mon, 08/08/2011 - 04:14

Thanks for the hint!

I'll test again with capture switched on. Hope this helps to collect more info.

regards

  Mauro

fattore73 Tue, 08/09/2011 - 01:17

The configuration was correct. host1 can ping host2.

I was only wrongly testing because I was referencing the outside interface, that, as you said, never answers to ping.

Thanks for the support!

Mauro

Correct Answer
varrao Tue, 08/09/2011 - 01:20

Hi Mauro,

That's good, I am glad I was able to clear your doubts.

Take care
