PIX 515E unable to ping outside from inside

Unanswered Question
Dec 2nd, 2012

Dear all,

I'd like to have some support for a very basic PIX firewall configuration.

I'm dealing with a PIX 515E.

Inside hosts can ping the inside interface, outside hosts the outside interface, and so on...

I simply cannot ping the outside interface from inside hosts.

Inside host - 192.168.1.0

Outside - any host like google.com, or to check my ISP link's DNS IP.

I have attached the PIX configuration text file to test; please suggest what I did wrong.

Thanks.

Pankaj.

Jouni Forss Sun, 12/02/2012 - 23:22

Hi,

Try adding the configuration "fixup protocol icmp" to the configuration and try the ICMP again

- Jouni

cadet alain Mon, 12/03/2012 - 00:49

Hi,

Are you trying to ping outside hosts or the outside interface of the PIX? If it is the latter, then it's impossible by design,

and as far as I know there is no way to work around this.

Regards.

Alain

Don't forget to rate helpful posts.

kiranthakur Wed, 12/05/2012 - 00:58

Thanks for your reply cadet alain,

I am simply trying to ping my ISP's DNS server to check whether the internet link is up or not, or simply trying to ping www.google.com and similar sites. A few weeks ago this was working fine; I was getting replies from all of these, but after some modifications to the Cisco PIX 515E by one of the engineers, I am facing this issue.

julomban Mon, 12/03/2012 - 12:48

Hello Kiran,

The PIX/ASA only responds to ICMP traffic sent to the interface that traffic comes in on; you cannot send ICMP traffic through an interface to a far interface.

This applies to ICMP and management access to the unit: only ping or access to your directly connected interface will work.

Regards,

Juan Lombana

Please rate helpful posts.

kiranthakur Wed, 12/05/2012 - 01:11

Hi all,

Thanks all for the valuable replies.

Last time I made modifications with the following commands to access the Cisco PIX 515E via telnet from the outside interface:

access-list outside_access_in permit icmp any any

access-list outside_access_in permit ip any any

access-list inside_access_out permit ip any any

access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.168.0 255.255.255.0

access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.80.0 255.255.255.0

access-list outside_cryptomap_30 permit ip 192.168.1.0 255.255.255.0 192.168.80.0 255.255.255.0

access-list 100 permit tcp any eq telnet host PIX_inside eq telnet

access-list 100 permit tcp any eq telnet host pix_outside eq telnet

access-list 100 permit tcp any eq telnet host 182.73.110.160 eq telnet

After adding the above commands I am facing this: my internet link is up and working fine, but I am not able to get a ping reply from the internet, the ISP or the DNS server IP, i.e. 202.56.230.5.

Muhammed Safwan... Wed, 12/05/2012 - 01:16

When you modified the outside interface ACL, you did not permit ICMP. Try adding the command below. It should work.

access-list 100 permit icmp any any

Please rate the post if it's helpful.

With Regards,

Safwan

Jouni Forss Wed, 12/05/2012 - 01:19

Also,

To my understanding just adding the "fixup protocol icmp" to the configuration should allow the echo-reply messages back to the LAN host even though you have not opened ICMP on the outside ACL.

Did you add the "fixup" command earlier?

- Jouni

kiranthakur Wed, 12/05/2012 - 01:55

Hi Jouni,

I haven't added the "fixup" command earlier, as the link is live and in use by the users; to avoid any interruption I haven't added it. Once the link is free I will try your suggestion.

Thanks for your reply.

Jouni Forss Wed, 12/05/2012 - 02:05

Hi,

It shouldn't affect your current network operation at all, but if you want to be on the safe side while making changes, that's understandable.

You could then go with Safwan's suggestion/solution above, which is to open ICMP in the access-list you have enabled on your outside interface at the moment.

As Safwan says, it does seem you have changed the ACL that you are using on the outside interface at some point.

access-list 100 permit tcp any eq telnet host PIX_inside eq telnet

access-list 100 permit tcp any eq telnet host pix_outside eq telnet

access-list 100 permit tcp any eq telnet host 182.73.110.160 eq telnet

access-group 100 in interface outside

- Jouni

kiranthakur Wed, 12/05/2012 - 20:30

Thanks Jouni, Safwan, Juan Lombana, Alain..

All your feedback was very helpful, the command:

access-list 100 permit icmp any any

is very helpful in my configuration; now I am able to send echo requests and check my internet link, or check other outside IPs.

Thanks All..

Regards.
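The thread's diagnosis, as a small Python model (an added example, not code from the thread or from Cisco): an echo-reply coming back in on the outside interface hits ACL 100's implicit deny unless ICMP is permitted there, or "fixup protocol icmp" matches the reply statefully to the outbound echo-request. Addresses the posts state (182.73.110.160, 202.56.230.5) are used as-is; the packets, the echo id, and the addresses assumed for PIX_inside, pix_outside and the PAT outside address are constructed.

```python
from ipaddress import ip_address, ip_network
# Constructed: the thread never says what the names PIX_inside / pix_outside resolve to.
HOST_NAMES = {"PIX_inside": "192.168.1.1", "pix_outside": "182.73.110.160"}

def _addr(tokens):
    """Consume 'any' | 'host X' | 'net mask' from tokens, then an optional 'eq <port>'."""
    t = tokens.pop(0)
    if t == "any":
        net = ip_network("0.0.0.0/0")
    elif t == "host":
        name = tokens.pop(0)
        net = ip_network(HOST_NAMES.get(name, name) + "/32")
    else:
        net = ip_network(f"{t}/{tokens.pop(0)}")  # PIX 'network mask' form
    port = tokens[1] if tokens[:1] == ["eq"] else None
    del tokens[:2 if port else 0]
    return net, port

def parse_ace(line):
    """Parse the ACE subset used in the thread: access-list NAME ACTION PROTO SRC [eq P] DST [eq P]."""
    tok = line.split()
    ace, rest = {"action": tok[2], "proto": tok[3]}, tok[4:]
    ace["src"], ace["sport"] = _addr(rest)
    ace["dst"], ace["dport"] = _addr(rest)
    return ace

def evaluate(acl_lines, pkt):
    """First-match evaluation; anything unmatched hits the PIX's implicit deny."""
    for ace in map(parse_ace, acl_lines):
        proto_ok = ace["proto"] in ("ip", pkt["proto"])
        addr_ok = ip_address(pkt["src"]) in ace["src"] and ip_address(pkt["dst"]) in ace["dst"]
        port_ok = all(ace[p] in (None, pkt.get(p)) for p in ("sport", "dport"))
        if proto_ok and addr_ok and port_ok:
            return ace["action"]
    return "deny"

def reply_passes(acl_lines, fixup_icmp, request, reply):
    """Inbound on outside: 'fixup protocol icmp' matches the echo-reply to the recorded
    outbound echo-request (stateful); otherwise the interface ACL alone decides."""
    if fixup_icmp and (reply["dst"], reply["src"], reply["id"]) == (request["src"], request["dst"], request["id"]):
        return True
    return evaluate(acl_lines, reply) == "permit"

ACL_100_AS_POSTED = [
    "access-list 100 permit tcp any eq telnet host PIX_inside eq telnet",
    "access-list 100 permit tcp any eq telnet host pix_outside eq telnet",
    "access-list 100 permit tcp any eq telnet host 182.73.110.160 eq telnet",
]
ACL_100_FIXED = ACL_100_AS_POSTED + ["access-list 100 permit icmp any any"]
# Constructed packets: inside host's ping to the ISP DNS (202.56.230.5) after PAT to the assumed outside address, and its reply.
REQUEST = {"proto": "icmp", "src": "182.73.110.160", "dst": "202.56.230.5", "id": 7}
REPLY = {"proto": "icmp", "src": "202.56.230.5", "dst": "182.73.110.160", "id": 7}
```

The model also shows why the fixup route is the narrower fix: it admits only replies that match a recorded outbound request, whereas "permit icmp any any" admits every ICMP packet from anywhere on the outside interface.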

Posted December 2, 2012 at 10:16 PM