Can't ping internal client from Pix 515

ejeangilles · ‎03-29-2012

I just setup my home network with Pix 515 acting as my router/firewall but I can't seem to ping my internal PC from my ASA. I can access the internet and ping my Pix 515 inside interface from my pc but I can't ping my pc from my Pix 515. I can also renew/release IP's from my PC. I also did a packet tracer and it says that it was dropped due to an access list but I have one in place. Also my switch has the default config. Below is my config

Internet <----> Comcast modem <-----> Pix 515 <-------> Cisco switch <-----> PC

MYFIREWALL# sh run

: Saved

:

PIX Version 8.0(4)28

!

hostname MYFIREWALL

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0

speed 100

duplex full

nameif outside

security-level 0

ip address 173.x.x.114 255.255.255.248

!

interface Ethernet1

speed 100

duplex full

nameif inside

security-level 100

ip address 10.10.10.1 255.255.255.0

!

ftp mode passive

clock timezone EST -5

access-list 101 extended permit icmp any host 192.168.1.5 echo

access-list 101 extended permit icmp any any echo-reply

access-list 101 extended permit icmp any any source-quench

access-list 101 extended permit icmp any any unreachable

access-list 101 extended permit icmp any any time-exceeded

access-list 101 extended permit ip any any

pager lines 24

logging enable

logging timestamp

logging buffer-size 20000

logging buffered debugging

mtu outside 1500

mtu inside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) interface 10.10.10.103 netmask 255.255.255.255

access-group 101 in interface outside

route outside 0.0.0.0 0.0.0.0 173.x.x.118 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 0.0.0.0 0.0.0.0 inside

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet 0.0.0.0 0.0.0.0 outside

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd dns 68.87.68.162 68.87.74.162

!

dhcpd address 10.10.10.100-10.10.10.150 inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15

!

prompt hostname context

Cryptochecksum:61717969523c7b3fe51286c96c733c27

MYFIREWALL# packet-tracer input inside icmp 10.10.10.1 8 0 10.10.10.103 detail$

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.10.10.0 255.255.255.0 inside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x435ca18, priority=500, domain=permit, deny=true
        hits=1, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=10.10.10.1, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Plinio Brandao · ‎03-30-2012

Hi Edwin,

Maybe a simple question, but you have any firewall enabled at your PC? Some times we can do a ping, but we can't receive a ping.

Another test, if you create an ACL at INSIDE interface, permiting ICMP, what's the result?

Plínio Monteiro

zhohuang · ‎04-01-2012

plinio is right , you need to close your windows firewall from control plan.

here's another test way, you can make a span on your switch :

monitor session 1 source interface fx/x -> connect to pc

monitor session 1 destination interface fx/x -> conn to another pc which running a wireshark or sniffer.

it will help you to decide the packet lost in which segment.

ejeangilles · ‎04-01-2012

Sorry for the delay. After research I found out the problem was the that no ip directed broadcast was enabled on my switch vlan. Once I enabled it started working and ping was being received on my Pix.

zhohuang · ‎04-01-2012

Good job

Best regards.

Zhongyu Huang

From: ejeangilles

Date: 2012-04-02 09:55

To: Zhongyu Huang

Subject: - Re: Can't ping internal client from Pix 515

Home

Re: Can't ping internal client from Pix 515

created by Edwin Jean-Gilles in Firewalling - View the full discussion

Sorry for the delay. After research I found out the problem was the that no ip directed broadcast was enabled on my switch vlan. Once I enabled it started working and ping was being received on my Pix.

Reply to this message by going to Home

Start a new discussion in Firewalling at Home