04-26-2007 02:36 AM - edited 03-11-2019 03:04 AM
Hi, please help if you can.
I'm trying to access from the outside interface using ping from a router, 172.24.16.5, where there is a
ip route 172.24.16.8 255.255.255.255 172.24.16.7
The device I'm trying to ping is on the inside side of the PIX and has an IP of 10.10.10.175, and it responds to ping from the PIX.
The router 172.24.16.5 on the outside side of the PIX also responds to pings from the PIX.
Enabling debug icmp trace and pinging 172.24.16.8 from the router 172.24.16.5, I do get the following messages:
----------------------------------------------------------------------------------------------------
macaefw2# debug icmp trace
ICMP trace on
Warning: this may cause problems on busy networks
macaefw2# 102: ICMP echo-request from outside:172.24.16.5 to 172.24.16.8 ID=56 seq=0 length=80
103: ICMP echo-request: untranslating outside:172.24.16.8 to inside:10.10.10.175
104: ICMP echo-request from outside:172.24.16.5 to 172.24.16.8 ID=56 seq=1 length=80
105: ICMP echo-request: untranslating outside:172.24.16.8 to inside:10.10.10.175
From sh log, with logging enabled, I do see
--------------------------------
605005: Login permitted from 172.22.20.142/3876 to outside:172.24.16.7/ssh for user "acergy"
111008: User 'enable_15' executed the 'debug icmp trace' command.
106100: access-list acl_outside permitted icmp outside/172.24.16.5(0) -> inside/172.24.16.8(8) hit-cnt 1 (first hit)
Also doing sh xlate I see
---------------------------
1 in use, 1 most used
Global 172.24.16.8 Local 10.10.10.175
The full configuration is below. Can you please tell me why ping does not work?
-------------------------------------------------------------------------------
04-26-2007 06:01 AM
Hi
Yes, if you initiate the connection from the device it probably won't work.
What you could do that may work is this: instead of NATting the router IP 172.24.16.5 to the inside PIX interface, you could NAT it to a spare 10.10.10.x address. This address needs to be in the same subnet as your .175 server.
So say 10.10.10.182 is spare.
nat (outside) 1 172.24.16.5 255.255.255.255 outside
global (inside) 1 10.10.10.182
If the address is in the same subnet as the PIX internal interface then the PIX should respond to the ARP from your .175 server.
So from the .175 server you need to ping 10.10.10.182.
It might not work, but it would be worth a try.
HTH
Jon
04-26-2007 06:10 AM
Hi
Amendment to previous post.
Use spare IP address 10.10.10.182.
Don't use the nat and global statements, so remove the existing ones you set up for this.
Add
static (outside,inside) 10.10.10.182 172.24.16.5 netmask 255.255.255.255
Apologies for this
HTH
Jon
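To illustrate the return-path problem Emilio raised (no default gateway on the display) and why Jon's static (outside,inside) mapping to 10.10.10.182 addresses it, here is an added Python model that is not part of the thread. It models the display's route lookup and the two PIX statics; the PIX inside address 10.10.10.1 is an assumption, and it also shows the case where the display had a default gateway.

```python
import ipaddress

# Added example (not from the thread): why 10.10.10.175/24 with no default gateway
# cannot answer an echo-request whose source is 172.24.16.5, and why presenting the
# router as 10.10.10.182 via static (outside,inside) puts the reply on-link.
# The PIX inside address 10.10.10.1 below is an assumption.

class Host:
    """An IP host with one interface and an optional default gateway."""
    def __init__(self, ip, prefixlen, gateway=None):
        self.iface = ipaddress.ip_interface(f"{ip}/{prefixlen}")
        self.gateway = gateway

    def can_reply_to(self, dst):
        """True if the host has any route for dst: on-link, or via a default gateway."""
        return ipaddress.ip_address(dst) in self.iface.network or self.gateway is not None


def pix_inbound(static_in_out, static_out_in, src, dst):
    """Apply the PIX statics to an outside->inside packet.
    static_in_out: static (inside,outside) GLOBAL LOCAL -> {global: local}
    static_out_in: static (outside,inside) MAPPED REAL  -> {mapped: real}
    Returns the (src, dst) the inside host sees, or None if no static permits it.
    """
    local = static_in_out.get(dst)
    if local is None:
        return None  # outside cannot initiate without a translation for the destination
    # Outside NAT: rewrite the real outside source to its inside-visible mapped address
    mapped_by_real = {real: mapped for mapped, real in static_out_in.items()}
    return mapped_by_real.get(src, src), local


def ping_succeeds(host, static_in_out, static_out_in, router_ip, global_ip):
    """Echo-request reaches the host AND the host can route the echo-reply back."""
    pkt = pix_inbound(static_in_out, static_out_in, router_ip, global_ip)
    if pkt is None:
        return False
    src_seen, dst_seen = pkt
    return dst_seen == str(host.iface.ip) and host.can_reply_to(src_seen)


# Constructed scenario using the thread's addresses
DISPLAY = Host("10.10.10.175", 24)                       # crane display, no default gateway
DISPLAY_GW = Host("10.10.10.175", 24, gateway="10.10.10.1")  # same device if it had a gateway
STATIC_IN_OUT = {"172.24.16.8": "10.10.10.175"}          # existing static (inside,outside)
STATIC_OUT_IN = {"10.10.10.182": "172.24.16.5"}          # Jon's static (outside,inside)
```

With only the existing static the request is untranslated to .175 exactly as the debug icmp trace shows, but the reply has no route; with the outside static the display sees a source in its own /24 and can answer, and the PIX must then answer ARP for 10.10.10.182 on the inside as Jon notes.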
04-26-2007 03:12 AM
Silly question: does the host 10.10.10.175 have a route back to the PIX for the network 172.24.16.0/24, or a default gateway?
Cheers,
Emilio
04-26-2007 03:33 AM
Not silly at all. The device is a display that controls a big crane. A route probably cannot be configured on it. I'm trying a proper PC on the same network this afternoon. Also I think that the IP settings on the display are IP 10.10.10.175 255.255.255.0 and no default gateway.
04-26-2007 03:25 AM
In order for you to initiate traffic from the outside, you either need a static mapping from an outside address to an inside address, or to exempt the traffic from translation using a "nat 0" command.
04-26-2007 03:27 AM
If you look at the config file (Pix Problem.txt), he has a static already for this.
static (inside,outside) 172.24.16.8 10.10.10.175 netmask 255.255.255.255 0 0
Emilio
04-26-2007 04:55 AM
Hi
As already suggested, it does look like it could be a routing issue.
If the PIX can ping the server on its 10.10.10.175 address, one thing you could do is translate the 172.24.16.5 address to the IP address of the internal interface of the PIX, i.e.
nat (outside) 1 172.24.16.5 255.255.255.255 outside
global (inside) 1 interface
One caveat is that it's not clear what your full topology is, so this might mess other things up.
HTH
Jon
04-26-2007 05:44 AM
Thanks, that sorted the issue. Can you please just clarify that it might not be working the other way because of the lack of default gateway configuration on the server .175? This is because it's not a server, it's a special device that controls a huge crane.
04-26-2007 06:17 AM
Hey Jon, Can you do statics like that in version 6.3(4)?
Emilio
04-26-2007 06:20 AM
Hi Emilio
I have a PIX 515E running 6.3(3) and I have a lot of these types of static commands on them, so I can't see why 6.3(4) wouldn't work.
HTH
Jon
04-26-2007 06:34 AM
Just asking because version 6.3 and version 7 changed the way you can create statics and NATs. If you have it in use it must work then.
Emilio