Pix 515 return ping response???

Unanswered Question
Apr 4th, 2012

I have a simple home network setup with Comcast as my ISP and I'm using a Cisco Pix 515 as my router/firewall. I had to simplify it to rule out any other issues.
My Cisco Pix 515 has a static public IP address and I'm also running DHCP on it as well. Everything works OK as far as internet access, ASDM, and releasing/renewing IPs. What I don't understand is why I can't ping my internal PC from the inside interface of my Pix firewall. I get the ping response of ????. I can ping my inside interface from my PC just fine. I also have ACLs in place as you can see from my config. Also, my Windows firewall is disabled on my PC. Can anyone tell me what I'm missing or what it can be? I also used another switch and had the same issue.

Internet
|
|
|
Comcast modem (bridge mode)
|
|
|
  (173.x.x.114)
Pix 515
  (10.10.10.1)
|
|
|
Switch
|
|
|
PC

MYFIREWALL# sh run
: Saved
:
PIX Version 8.0(4)28
!
hostname MYFIREWALL
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
speed 100
duplex full
nameif outside
security-level 0
ip address 173.x.x.114 255.255.255.248
!
interface Ethernet1
speed 100
duplex full
no nameif
no security-level
no ip address
!
interface Ethernet1.10
vlan 10
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet1.20
vlan 20
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
access-list 101 extended permit icmp any any echo
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
pager lines 24
logging enable
logging timestamp
logging buffer-size 20000
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image flash:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 101 in interface outside
access-group 101 in interface inside
route outside 0.0.0.0 0.0.0.0 173.x.x.118 1
timeout xlate 3:00:00
timeout conn 9:09:09 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 68.87.68.162 68.87.74.162
dhcpd domain aejg.net
!
dhcpd address 10.10.10.105-10.10.10.150 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
!
!
prompt hostname context
Cryptochecksum:ed3a9e8e32f486f73ad65f0ce7a95b3f
: end
————————
MYFIREWALL# packet-tracer input inside icmp 10.10.10.1 8 0 10.10.10.105 detail$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x4392f78, priority=1, domain=permit, deny=false
hits=130328, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.10.10.0 255.255.255.0 inside

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x4397fb8, priority=500, domain=permit, deny=true
hits=0, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=10.10.10.1, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

——————————–
MYFIREWALL# ping 10.10.10.105
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.105, timeout is 2 seconds:
?????
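Added example, not code from the thread: a small Python parser for packet-tracer output of the shape quoted above. It returns the first phase whose Result is DROP, the matching rule line and the final Drop-reason, so the fix can be aimed at the right ACL instead of at the ping target. The sample text is a constructed abridgement of the output in the post.

```python
import re

# Constructed sample, abridged from the packet-tracer output quoted in the post.
SAMPLE = """\
Phase: 1
Type: ACCESS-LIST
Result: ALLOW
in id=0x4392f78, priority=1, domain=permit, deny=false

Phase: 4
Type: ACCESS-LIST
Result: DROP
Implicit Rule
in id=0x4397fb8, priority=500, domain=permit, deny=true
src ip=10.10.10.1, mask=255.255.255.255, port=0

Result:
input-interface: inside
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_packet_tracer(text):
    """Return (phases, summary): one dict per 'Phase:' block, plus the final 'Result:' section."""
    phases, summary, current = [], {}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = re.match(r"Phase:\s*(\d+)$", line)
        key, _, value = line.partition(":")
        if m:
            current = {"phase": int(m.group(1)), "type": "", "result": "", "info": []}
            phases.append(current)
        elif line == "Result:":  # bare header opens the final summary section
            current = None
        elif current is None:
            summary[key] = value.strip()
        elif key in ("Type", "Result"):
            current[key.lower()] = value.strip()
        else:
            current["info"].append(line)  # rule ids, matched addresses, etc.
    return phases, summary

def triage(text):
    """Name the first DROP phase and the rule line that matched, so the fix targets the right ACL."""
    phases, summary = parse_packet_tracer(text)
    drop = next((p for p in phases if p["result"] == "DROP"), None)
    rule = next((l for l in drop["info"] if "deny=true" in l), None) if drop else None
    return {"action": summary.get("Action"), "phase": drop["phase"] if drop else None,
            "type": drop["type"] if drop else None, "rule": rule,
            "reason": summary.get("Drop-reason")}
```

Feed it the full `packet-tracer ... detail` output captured from the firewall; a DROP in an ACCESS-LIST phase points at the ACL or implicit rule, while no DROP phase with an `Action: drop` summary means the denial came from elsewhere.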

Paul Gilbert Arias Wed, 04/04/2012 - 11:00

I just noticed that you have the interface E1 configured with subinterfaces. Do you have the switchport configured as a trunk?

ejeangilles Wed, 04/04/2012 - 11:30

Thanks for the response! I had just moved that to the subinterface to test something. Originally, I had the IP on the physical interface with no subinterface. I'll also run that config in another hour or 2 and let you know what happens.

ejeangilles Wed, 04/04/2012 - 14:31

I ran that command and it's not available. I'm running Pix515 8.04

MYFIREWALL# clear con?

  conn    console-output 

Paul Gilbert Arias Wed, 04/04/2012 - 15:05

You have to try the command in config mode. If that doesn't work, use the command "no icmp permit any inside".

ejeangilles Wed, 04/04/2012 - 19:06

It's still not available.

pixfirewall(config)# clear co?

configure mode commands/options:
  configure 

exec mode commands/options:
  conn    console-output    counters 

I removed the icmp permit any inside and it still doesn't work. I still get the ???? when I ping my internal PC.

ejeangilles Thu, 04/05/2012 - 05:53

Problem resolved. It was the firewall on my Windows 7 PC. Weird, I stopped and disabled the firewall service and even restarted afterwards and it wasn't getting ping responses. It wasn't until I created an inbound rule on the firewall to allow all ICMP that it started working. Thanks for all your help and advice.

Posted April 4, 2012 at 10:45 AM