03-29-2012 03:39 PM - edited 03-11-2019 03:48 PM
I just set up my home network with a Pix 515 acting as my router/firewall, but I can't seem to ping my internal PC from my ASA. I can access the internet and ping my Pix 515 inside interface from my PC, but I can't ping my PC from my Pix 515. I can also renew/release IPs from my PC. I also did a packet tracer and it says that it was dropped due to an access list, but I have one in place. Also, my switch has the default config. Below is my config.
Internet <----> Comcast modem <-----> Pix 515 <-------> Cisco switch <-----> PC
MYFIREWALL# sh run
: Saved
:
PIX Version 8.0(4)28
!
hostname MYFIREWALL
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
speed 100
duplex full
nameif outside
security-level 0
ip address 173.x.x.114 255.255.255.248
!
interface Ethernet1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
ftp mode passive
clock timezone EST -5
access-list 101 extended permit icmp any host 192.168.1.5 echo
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list 101 extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging buffer-size 20000
logging buffered debugging
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) interface 10.10.10.103 netmask 255.255.255.255
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 173.x.x.118 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 68.87.68.162 68.87.74.162
!
dhcpd address 10.10.10.100-10.10.10.150 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
!
!
prompt hostname context
Cryptochecksum:61717969523c7b3fe51286c96c733c27
MYFIREWALL# packet-tracer input inside icmp 10.10.10.1 8 0 10.10.10.103 detail$
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.10.10.0 255.255.255.0 inside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x435ca18, priority=500, domain=permit, deny=true
hits=1, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=10.10.10.1, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
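The posted config is worth reading for more than the ping problem: it has an inbound `permit ip any any` on the outside interface, `telnet`/`http` management open from any source on that same interface, and a `static` that publishes 10.10.10.103 on the public address. As an added example (not part of the thread, and not a Cisco tool), the script below parses the exposure-relevant statements of a PIX/ASA 8.x running-config and reports them as findings. The sample config is constructed from the one posted above, with the public address replaced by a TEST-NET placeholder (192.0.2.114) since the post masks it.

```python
"""Added example: audit a PIX/ASA 8.x running-config for exposure.

Parses interfaces, access-lists, access-groups, statics and management
access lines, then reports findings a reviewer would want to see.
SAMPLE_CONFIG is constructed from the thread's posted config; the public
address is a TEST-NET placeholder, not the poster's real address.
"""
import ipaddress
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.0.2.114 255.255.255.248
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
access-list 101 extended permit icmp any host 192.168.1.5 echo
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit ip any any
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) interface 10.10.10.103 netmask 255.255.255.255
access-group 101 in interface outside
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 inside
"""

ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+)$")
MGMT_RE = re.compile(r"^(telnet|http|ssh) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")


def parse_config(text):
    """Return the exposure-relevant parts of a running-config as a dict."""
    cfg = {"interfaces": {}, "acls": defaultdict(list), "bindings": {},
           "mgmt": [], "statics": []}
    current = None  # nameif of the interface block currently being read
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = None
        elif line.startswith("nameif "):
            current = line.split()[1]
            cfg["interfaces"][current] = {"level": None, "net": None}
        elif line.startswith("security-level ") and current:
            cfg["interfaces"][current]["level"] = int(line.split()[1])
        elif line.startswith("ip address ") and current:
            _, _, addr, mask = line.split()
            cfg["interfaces"][current]["net"] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        elif m := ACE_RE.match(line):
            cfg["acls"][m[1]].append({"action": m[2], "proto": m[3], "rest": m[4]})
        elif m := GROUP_RE.match(line):
            cfg["bindings"][m[2]] = m[1]   # interface -> ACL applied inbound
        elif m := MGMT_RE.match(line):
            cfg["mgmt"].append((m[1], m[2], m[3], m[4]))
        elif m := STATIC_RE.match(line):
            cfg["statics"].append({"real_if": m[1], "mapped_if": m[2],
                                   "mapped": m[3], "real": m[4], "mask": m[5]})
    return cfg


def _permits_everything(aces):
    return any(a["action"] == "permit" and a["proto"] == "ip" and a["rest"] == "any any"
               for a in aces)


def audit(cfg):
    """Return a list of (severity, message) findings."""
    findings = []
    ifaces = cfg["interfaces"]
    untrusted = [n for n, i in ifaces.items() if i["level"] == 0]
    trusted_nets = [i["net"] for i in ifaces.values() if i["level"] and i["net"]]

    # 1. Management plane reachable from any source on an untrusted interface,
    #    or cleartext telnet enabled anywhere.
    for proto, addr, _mask, iface in cfg["mgmt"]:
        if iface in untrusted and addr == "0.0.0.0":
            findings.append(("HIGH", f"{proto} open to any source on {iface}"))
        elif proto == "telnet":
            findings.append(("MEDIUM", f"telnet (cleartext) enabled on {iface}"))

    # 2. Inbound ACL on an untrusted interface that permits all IP traffic,
    #    which collapses the security-level model entirely.
    for iface in untrusted:
        acl = cfg["bindings"].get(iface)
        if acl and _permits_everything(cfg["acls"][acl]):
            findings.append(("HIGH", f"ACL {acl} on {iface} permits ip any any"))

    # 3. ACEs naming a host that lives in no configured inside subnet (stale rule).
    for name, aces in cfg["acls"].items():
        for ace in aces:
            for host in re.findall(r"host (\d+\.\d+\.\d+\.\d+)", ace["rest"]):
                if not any(ipaddress.ip_address(host) in n for n in trusted_nets):
                    findings.append(("LOW", f"ACL {name} references host {host} outside any inside subnet"))

    # 4. A host published on the outside interface address; all ports if the ACL is open.
    for s in cfg["statics"]:
        if s["mapped"] == "interface" and s["mask"] == "255.255.255.255":
            acl = cfg["bindings"].get(s["mapped_if"])
            wide = bool(acl) and _permits_everything(cfg["acls"][acl])
            msg = f"host {s['real']} published on {s['mapped_if']} interface address"
            findings.append(("HIGH" if wide else "INFO", msg + (" with all ports permitted" if wide else "")))
    return findings


if __name__ == "__main__":
    for severity, message in audit(parse_config(SAMPLE_CONFIG)):
        print(f"[{severity}] {message}")
```

Run against the sample it reports four HIGH findings (http and telnet open from the outside, the any-any ACL, and the host published with every port reachable), one MEDIUM (telnet on inside), and one LOW (the 192.168.1.5 ACE, which is stale since the inside subnet is 10.10.10.0/24). The parser is deliberately narrow; object-groups, `ssh` restricted to a single host, and NAT-control details are not modelled.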
03-30-2012 08:31 AM
Hi Edwin,
Maybe a simple question, but do you have any firewall enabled on your PC? Sometimes we can send a ping, but we can't receive a ping.
Another test: if you create an ACL on the INSIDE interface permitting ICMP, what's the result?
Plínio Monteiro
04-01-2012 07:44 AM
Plinio is right, you need to close your Windows firewall from the Control Panel.
Here's another test: you can set up a SPAN on your switch:
monitor session 1 source interface fx/x -> connected to the PC
monitor session 1 destination interface fx/x -> connected to another PC running Wireshark or a sniffer.
It will help you decide in which segment the packet is lost.
04-01-2012 06:55 PM
Sorry for the delay. After research I found out the problem was that no ip directed broadcast was enabled on my switch VLAN. Once I enabled it, it started working and the ping was being received on my Pix.
04-01-2012 06:57 PM
Good job
Best regards.
Zhongyu Huang