Pix 515 return ping response???

Unanswered Question
Apr 4th, 2012
User Badges:

I have a simple home network setup with Comcast as my ISP and I'm using a Cico Pix 515 as my router/firewall. I had to simplify it to rule out any other issues.
My Cisco Pix 515 has a static Public IP address and I'm also running DHCP on it as well. Everything works ok as far as internet access, asdm, and releasing/renewing IPs. What I don't understand is why I can't ping my internal PC from the inside interface of my Pix firewall. I get the ping response of ????. I can ping my inside interface from my pc just fine. I also have ACL's in place as you can see from my config. Also, my window firewall is disabled on my pc. Anyone can tell me what I'm missing or what it can be. I also used another switch and had the same issue.

Comcast modem (bridge mode)
Pix 515

: Saved
PIX Version 8.0(4)28
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
interface Ethernet0
speed 100
duplex full
nameif outside
security-level 0
ip address 173.x.x.114
interface Ethernet1
speed 100
duplex full
no nameif
no security-level
no ip address
interface Ethernet1.10
vlan 10
nameif inside
security-level 100
ip address
interface Ethernet1.20
vlan 20
no nameif
no security-level
no ip address
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
access-list 101 extended permit icmp any any echo
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
pager lines 24
logging enable
logging timestamp
logging buffer-size 20000
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image flash:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1
access-group 101 in interface outside
access-group 101 in interface inside
route outside 173.x.x.118 1
timeout xlate 3:00:00
timeout conn 9:09:09 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http outside
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet outside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns
dhcpd domain aejg.net
dhcpd address inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
prompt hostname context
: end
MYFIREWALL# packet-tracer input inside icmp 8 0 detail$

Phase: 1
Result: ALLOW
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x4392f78, priority=1, domain=permit, deny=false
hits=130328, user_data=0×0, cs_id=0×0, l3_type=0×8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2
Result: ALLOW
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Subtype: input
Result: ALLOW
Additional Information:
in inside

Phase: 4
Result: DROP
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x4397fb8, priority=500, domain=permit, deny=true
hits=0, user_data=0×6, cs_id=0×0, reverse, flags=0×0, protocol=0
src ip=, mask=, port=0
dst ip=, mask=, port=0, dscp=0×0

input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
PAUL GILBERT ARIAS Wed, 04/04/2012 - 11:00
User Badges:
  • Silver, 250 points or more

I just noticed that you have the interface E1 configured with subinterfaces. Do you have the switchport configured as a trunk?

ejeangilles Wed, 04/04/2012 - 11:30
User Badges:

Thanks for the response!  I had just moved that to the subinterface to test something. Originally, I had the IP on the physical interface with no subinterface. I'll also run that config in another hour or 2 and let you know what happens.

ejeangilles Wed, 04/04/2012 - 14:31
User Badges:

I ran that command and its not available. I'm running Pix515 8.04

MYFIREWALL# clear con?

  conn    console-output 

PAUL GILBERT ARIAS Wed, 04/04/2012 - 15:05
User Badges:
  • Silver, 250 points or more

you have to try the command in config mode. If that doesn't work use the command "no icmp permit any inside"

ejeangilles Wed, 04/04/2012 - 19:06
User Badges:

It's still not available.

pixfirewall(config)# clear co?

configure mode commands/options:

exec mode commands/options:
  conn    console-output    counters 

I removed the icmp permit any inside and it still doesn't work. I still get the ???? when I ping my internal pc

ejeangilles Thu, 04/05/2012 - 05:53
User Badges:

Problem resolved. It was the firewall on my Windows 7 pc. Weird, I stopped and disabled the firewall service and even restarted afterwards and it wasn't getting ping responses. It wasn't until I created an inbound rul on the firewall to allow all icmp is when it started working. Thanks for all your help and advice.


This Discussion