Can't ping any website

junaid haroon (Level 1)

Hi,

I have a PIX 515e firewall. I can surf the internet thanks to global NATing in the firewall, but I am confused: I cannot ping any website from any of my LAN computers.


12 Replies

Jouni Forss (VIP Alumni)

Hi,

It might be due to the ICMP inspection/fixup being missing.

They could be added with the following commands

fixup protocol icmp

fixup protocol icmp error

- Jouni

Hi

Can you please explain how I check it, and what is the purpose of fixup protocol in PIX?

Hi,

Well I am not sure what your software version is. If you have 7.x (or newer) software level then you could probably use the command

show run policy-map

They would be shown as "inspect icmp" and "inspect icmp error"

If you have a 6.x software then I would suggest just using

show run

The "fixup" configurations would then be at the very start of the configurations.

There are 2 different formats of the command. The "fixup" is the old and the "inspect" is the new one. They are essentially the same thing.

The ICMP inspection is meant to enable the firewall to keep track of ICMP Echos sent through it and the replies arriving back through the firewall. If you have not enabled it, you would have to allow ICMP Echo Reply on the ACL attached to the "outside" interface.

Hope this helps

- Jouni

Hi,

I have the following OS version on my firewall:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name makkays.com
clock timezone PKT 5
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names

If I allow it on the ACL that is attached to my outside interface, it will create problems. I want no one to be able to ping my firewall's outside or inside interface.

Hi,

Then you should add the commands

fixup protocol icmp

fixup protocol icmp error

As you can see they are not listed in the above configuration.

Adding them won't allow ICMP from "outside" to "inside". It will simply make it possible for the firewall to allow the Echo Reply message back to the "inside" host when it has sent the ICMP Echo message through the firewall.

Also, with the ACL solution you don't have to allow ICMP Echo through the firewall. It would just be Echo Reply messages that are a reply to an ICMP Echo sent from behind your firewall. But adding the "fixup" commands is a better choice.

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Ask more if needed

- Jouni

clock timezone PKT 5
fixup protocol dns maximum-
fixup protocol ftp 21
fixup protocol h323 h225 17
fixup protocol h323 ras 171
fixup protocol http 80
fixup protocol icmp error
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25

And when I try to add one of the above commands it gives me this error:

pixfirewall# conf t
pixfirewall(config)# fixup protocol icmp
Usage: [no] fixup protocol icmp error
pixfirewall(config)#

And I still can't ping any website.

Hi,

I guess it was a bit different on the older softwares.

Seems you will just need to add

fixup protocol icmp error

- Jouni

I added the above one but still can't ping???

Or,

You could possibly add the following ACL lines to the ACL attached to the "outside" interface, naturally using the ACL name you currently have:

access-list OUTSIDE-ACL permit icmp any any echo-reply

access-list OUTSIDE-ACL permit icmp any any source-quench

access-list OUTSIDE-ACL permit icmp any any unreachable

access-list OUTSIDE-ACL permit icmp any any time-exceeded

- Jouni

Please confirm: by adding this, can anyone ping my outside interface from the internet???

Hi,

It only allows reply messages to come through the firewall for which you have sent the original ICMP Echo message.

- Jouni
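The two fixes discussed in this thread behave differently, and the difference matters for the question asked just above. Stateful ICMP inspection ("inspect icmp" on 7.x) remembers each Echo that leaves through the firewall and admits only the matching Echo Reply. PIX 6.3 has no such inspection (the "Usage: [no] fixup protocol icmp error" message shown earlier confirms that only the error fixup exists), so the outside-ACL route is stateless: "permit icmp any any echo-reply" lets any Echo Reply from anywhere through to inside hosts, while Echo requests from the internet still hit the implicit deny, so nobody can ping the outside interface either way. The model below is an added illustration written for this edit, not Cisco code and not from anyone in the thread; the class and function names, the RFC 5737 addresses and the packet sequence are all constructed for the example, and NAT is deliberately left out.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# ICMP message types from RFC 792: the ones named in the thread's ACL, plus Echo request.
ECHO_REPLY = 0
DEST_UNREACHABLE = 3
SOURCE_QUENCH = 4
ECHO_REQUEST = 8
TIME_EXCEEDED = 11


@dataclass(frozen=True)
class Icmp:
    """Summary of one ICMP packet: only the fields a firewall keys on.
    Addresses are untranslated; NAT is not part of this model (assumption)."""
    src: str
    dst: str
    type: int
    ident: int = 0   # echo identifier (unused for error messages)
    seq: int = 0     # echo sequence number


class StatefulIcmpInspector:
    """Model of ICMP inspection: remember each Echo request that leaves through the
    firewall and admit only the reply that matches it. Handling of ICMP error messages
    (the separate 'icmp error' fixup/inspection) is not modelled; errors are denied here."""

    def __init__(self) -> None:
        # (inside host, remote host, identifier, sequence) of requests awaiting a reply
        self.pending: Set[Tuple[str, str, int, int]] = set()

    def outbound(self, pkt: Icmp) -> bool:
        # inside -> outside is permitted; record Echo requests so replies can be matched
        if pkt.type == ECHO_REQUEST:
            self.pending.add((pkt.src, pkt.dst, pkt.ident, pkt.seq))
        return True

    def inbound(self, pkt: Icmp) -> bool:
        if pkt.type != ECHO_REPLY:
            return False                                # unsolicited requests etc. dropped
        key = (pkt.dst, pkt.src, pkt.ident, pkt.seq)    # a reply reverses src and dst
        if key not in self.pending:
            return False                                # reply with no matching request
        self.pending.discard(key)                       # one reply per request; replay denied
        return True


def acl_inbound(pkt: Icmp) -> bool:
    """Model of the stateless outside ACL proposed in the thread:
       permit icmp any any echo-reply | source-quench | unreachable | time-exceeded
    Nothing remembers what went out, so any Echo Reply from anywhere passes, while
    Echo requests from the internet still fall through to the implicit deny."""
    return pkt.type in {ECHO_REPLY, SOURCE_QUENCH, DEST_UNREACHABLE, TIME_EXCEEDED}


def run_scenario() -> Dict[str, bool]:
    """Push a constructed packet sequence through both models and report the verdicts."""
    inside, website = "192.168.1.10", "198.51.100.7"        # constructed addresses
    attacker, fw_outside = "203.0.113.9", "203.0.113.1"
    insp = StatefulIcmpInspector()

    request = Icmp(inside, website, ECHO_REQUEST, ident=0x1234, seq=1)
    reply = Icmp(website, inside, ECHO_REPLY, ident=0x1234, seq=1)
    unsolicited = Icmp(attacker, inside, ECHO_REPLY, ident=0x99, seq=5)
    inbound_ping = Icmp(attacker, fw_outside, ECHO_REQUEST, ident=7, seq=1)
    hop_expired = Icmp("198.51.100.1", inside, TIME_EXCEEDED)   # traceroute hop answer

    insp.outbound(request)
    return {
        "reply_stateful": insp.inbound(reply),              # matches the recorded request
        "replay_stateful": insp.inbound(reply),             # same reply again: state consumed
        "reply_acl": acl_inbound(reply),
        "unsolicited_reply_stateful": insp.inbound(unsolicited),
        "unsolicited_reply_acl": acl_inbound(unsolicited),  # stateless ACL lets this in
        "inbound_ping_stateful": insp.inbound(inbound_ping),
        "inbound_ping_acl": acl_inbound(inbound_ping),      # nobody can ping the outside
        "traceroute_acl": acl_inbound(hop_expired),
    }


if __name__ == "__main__":
    for name, allowed in run_scenario().items():
        print(f"{name:28s} {'permit' if allowed else 'deny'}")
```

The only verdict on which the two models disagree is the unsolicited Echo Reply: inspection drops it, the ACL admits it. That is the trade-off accepted when the ACL lines are used on a 6.3 box that cannot run ICMP inspection.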

Thanks, I have added the above commands to the ACL. It started pinging.
