10-30-2010 02:32 PM - edited 03-11-2019 12:02 PM
Setup:
Server running SNMP software 10.1.50.126
Inside PIX:
ETH0: 10.1.100.51
ETH1: 172.168.16.2
Outside PIX:
ETH0: Public IP
ETH1: 172.168.16.1
The PIXs' 172 addresses are connected to a Cisco 2950 so we can host a couple of servers in our DMZ. Both PIXs are running version 7.2(3).
I set up SNMP on the 2 PIXs, which seems to work except that the SNMP server cannot ping the outside PIX (172 address), so it is showing as down. I can pull the configs from the outside PIX, so I know I have a connection to it.
I know the inside PIX can ping the outside PIX (172 address), so I know it will respond to ICMP traffic. I am assuming the issue is that the inside PIX is blocking or dropping the ICMP traffic from the SNMP server that is meant for the outside PIX.
Any help would be appreciated.
10-30-2010 02:43 PM
Is NAT configured on the inside PIX? If NAT is not configured, is there a route on the outside PIX for the 10.1.50.0 segment pointing to 172.168.16.2?
Is ICMP inspection enabled on the inside PIX (fixup protocol icmp)?
Can the SNMP server at 10.1.50.126 ping other hosts on the 172.168.16.0 segment? It was mentioned there were going to be a couple of servers in that segment, can the SNMP server ping those DMZ servers?
10-30-2010 02:59 PM
NAT is not configured.
I have not run the "fixup protocol icmp" command.
My SNMP server cannot ping the servers in the DMZ but it can RDP and access web/email functions.
The outside PIX ETH1 interface will respond to pings from the DMZ servers as well as the inside PIX.
Thanks
Brian
Edit*
There is a route statement on the Outside PIX sending all 10.0.0.0 traffic to 172.168.16.2
10-30-2010 03:03 PM
Hello,
Thanks for the reply. Based on the info, the issue should be resolved if you enable ICMP inspection (fixup protocol icmp).
By default, the PIX will not allow ICMP echo replies to pass through the device. You can either allow it via inspection (where the firewall will inspect the outgoing request and allow the reply to come back through), or you can explicitly allow it via ACL on the outside interface (access-list OUTSIDE_IN permit icmp any any).
Hope this helps!
10-30-2010 03:37 PM
Thanks for the Help.
The "fixup protocol icmp" did not seem to work for me or at least not on its own.
I added the following firewall rules after trying the fixup protocol icmp command and it is now working for me.
access-list acl-in permit icmp host 10.1.50.126 host 172.168.16.1
access-list acl-out permit icmp host 172.168.16.1 host 10.1.50.126
Thanks a bunch
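The two approaches discussed in this thread (stateful ICMP inspection versus an explicit ACL pair) laid out side by side for the inside PIX, with the built-in checks that show which path a packet actually takes. This is an added example written for this page, not configuration from any poster; it assumes PIX 7.2 syntax, that the inside PIX's interfaces are named "inside" (10.1.100.51) and "outside" (172.168.16.2), and that the ACL names acl-in and acl-out are the ones the original poster applied. The ACL variant is narrowed to the echo and echo-reply types rather than all ICMP, which is the tighter form of the "permit icmp any any" suggested in the solution post.

```cisco
! Inside PIX, PIX 7.2 syntax (added example, assumptions noted in the lead-in).
!
! Option A: stateful ICMP inspection via the Modular Policy Framework.
! On 7.x the legacy "fixup protocol icmp" command is stored in this MPF form;
! once enabled, an echo reply is matched to its outgoing echo request and
! allowed back through without any inbound ACL entry on the outside interface.
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
!
! Note: inspection only handles the return traffic. If an ACL is already
! applied inbound on the inside interface, the echo request itself must still
! be permitted by that ACL or it never leaves the firewall.
!
! Option B: explicit ACL pair (the approach the original poster ended up with),
! restricted to the SNMP server, the outside PIX's DMZ address and the two
! ICMP types actually needed for a ping.
access-list acl-in permit icmp host 10.1.50.126 host 172.168.16.1 echo
access-list acl-out permit icmp host 172.168.16.1 host 10.1.50.126 echo-reply
access-group acl-in in interface inside
access-group acl-out in interface outside
!
! Verification: trace the request and the reply through the rule base.
! Type 8 code 0 is echo request; type 0 code 0 is echo reply.
packet-tracer input inside icmp 10.1.50.126 8 0 172.168.16.1
packet-tracer input outside icmp 172.168.16.1 0 0 10.1.50.126
!
! Confirm inspection is active and see which ACL entries are being hit.
show service-policy inspect icmp
show access-list acl-in
show access-list acl-out
```

With only Option A configured, the second packet-tracer run should show the reply being allowed by the inspection engine rather than by an ACL; with only Option B configured, it should show the acl-out entry matching. Seeing neither allow the reply points at a missing outbound permit on acl-in, which is the case the note in the block describes.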