12-02-2012 10:16 PM - edited 03-11-2019 05:31 PM
Dear all,
I'd like some support with a very basic PIX firewall configuration.
I'm dealing with a PIX 515E.
Inside hosts can ping the inside interface, outside hosts can ping the outside interface, and so on...
I simply cannot ping the outside from inside hosts.
Inside hosts: 192.168.1.0
Outside: any host, like google.com, or my ISP link's DNS IP, to check the link.
I have attached the pix configuration text file to test and please suggest what i did wrong.
Thanks.
Pankaj.
12-02-2012 11:22 PM
Hi,
Try adding the command "fixup protocol icmp" to the configuration and try the ICMP again.
- Jouni
12-03-2012 12:49 AM
Hi,
Are you trying to ping outside hosts or the outside interface of the PIX? If it is the latter, then it's impossible by design,
and as far as I know there is no way to work around this.
Regards.
Alain
Don't forget to rate helpful posts.
12-05-2012 12:58 AM
Thanks for your reply, cadet alan.
I am simply trying to ping my ISP's DNS server to check whether the internet link is up or not, or simply trying to ping www.google.com and similar sites. A few weeks ago this was working fine and I was getting replies from all of these, but after one of the engineers made some modifications to the Cisco PIX 515E, I am facing this issue.
12-03-2012 12:48 PM
Hello Kiran,
The PIX/ASA only responds to ICMP traffic sent to the interface that the traffic comes in on; you cannot send ICMP traffic through one interface to a far interface.
This applies to both ICMP and management access to the unit: only ping or access to your directly connected interface will work.
Regards,
Juan Lombana
Please rate helpful posts.
12-05-2012 01:11 AM
Hi all,
Thanks all for the valuable replies.
Last time I made modifications with the following commands, to access the Cisco PIX 515E via telnet from the outside interface:
access-list outside_access_in permit icmp any any
access-list outside_access_in permit ip any any
access-list inside_access_out permit ip any any
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.168.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.80.0 255.255.255.0
access-list outside_cryptomap_30 permit ip 192.168.1.0 255.255.255.0 192.168.80.0 255.255.255.0
access-list 100 permit tcp any eq telnet host PIX_inside eq telnet
access-list 100 permit tcp any eq telnet host pix_outside eq telnet
access-list 100 permit tcp any eq telnet host 182.73.110.160 eq telnet
After adding the above commands I am facing this: my internet link is up and working fine, but I am not able to get a ping reply from the internet, i.e. from the ISP or DNS server IP 202.56.230.5.
12-05-2012 01:16 AM
When you modified the outside interface ACL, you did not permit ICMP. Try adding the command below. It should work.
access-list 100 permit icmp any any
Please rate the post if it's helpful.
With Regards,
Safwan
12-05-2012 01:19 AM
Also,
To my understanding, just adding "fixup protocol icmp" to the configuration should allow the echo-reply messages back to the LAN host even though you have not opened ICMP on the outside ACL.
Did you add the "fixup" command earlier?
- Jouni
12-05-2012 01:55 AM
Hi Jouni,
I haven't added the "fixup" command yet. As the link is live and in use by the users, I haven't added it, to avoid any interruption; once the link is free I will try your suggestion.
Thanks for your reply.
12-05-2012 02:05 AM
Hi,
It shouldn't affect your current network operation at all, but if you want to be on the safe side while making changes, that's understandable.
You could then go with Safwan's suggestion/solution above, which is to open ICMP in the access-list you currently have applied on your outside interface.
As Safwan says, it does seem you have changed the ACL that you are using on the outside interface at some point.
access-list 100 permit tcp any eq telnet host PIX_inside eq telnet
access-list 100 permit tcp any eq telnet host pix_outside eq telnet
access-list 100 permit tcp any eq telnet host 182.73.110.160 eq telnet
access-group 100 in interface outside
- Jouni
12-05-2012 08:30 PM
Thanks Jouni, Safwan, Juan Lombana, Alain.
All your feedback was very helpful. The command:
access-list 100 permit icmp any any
is very helpful in my configuration; now I am able to send echo requests and check my internet link, or check other outside IPs.
Thanks All..
Regards.
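A note on the fix that closed the thread, added here as an example and not part of any post above. Without ICMP inspection the PIX evaluates an inbound echo-reply statelessly against the outside ACL, so "access-list 100 permit icmp any any" makes pings work, but it also admits echo-requests and every other ICMP type from anywhere to anything reachable through the outside interface. The fragment below, written in the PIX 6.x syntax the thread uses (the ACL number 100 and the access-group line are taken from Jouni's post; everything else is an assumption about a typical setup), shows two tighter alternatives: permitting only the reply and error types an inside host needs for its own ping and traceroute, or enabling ICMP inspection so the PIX matches replies to echo-requests it has already forwarded.

```cisco
! Option A: stateless, but limited to the ICMP types inside hosts need back.
! Replaces "access-list 100 permit icmp any any" from the thread.
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
! The existing telnet lines from the thread stay as they are; the ACL is
! still applied inbound on the outside interface (from Jouni's post).
access-group 100 in interface outside

! Option B (PIX 6.3 and later): stateful ICMP inspection. Echo-replies are
! admitted only when they match an echo-request the firewall forwarded, so
! no ICMP entry is needed on the outside ACL at all.
fixup protocol icmp
! Also track ICMP error messages (time-exceeded, unreachable) for traceroute
! and path-MTU discovery from inside hosts.
fixup protocol icmp error
```

Whichever option is chosen, verify from an inside host with a plain ping to the ISP DNS address and a traceroute, then confirm on the PIX that no other ICMP types are accepted from outside, for example by pinging an inside host's translated address from the internet and checking that it does not answer.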