Issue with pinging through a PIX 515E

BrianInPhx
Level 1

Setup:

Server running SNMP software 10.1.50.126

Inside PIX:

ETH0: 10.1.100.51

ETH1: 172.168.16.2

Outside PIX:

ETH0: Public IP

ETH1:172.168.16.1

The PIX's 172 addresses are connected to a Cisco 2950 so we can host a couple of servers in our DMZ.  Both PIX's are running version 7.2(3)

I set up SNMP on the 2 PIX's which seems to work except that the SNMP Server can not ping the outside PIX(172 address) so it is showing as down.  I can pull the configs from the outside PIX so I know I have connection to it.

I know the Inside PIX can ping the Outside PIX(172 address) so I know it will respond to ICMP traffic.  I am assuming the issue is that the Inside PIX is blocking or dropping the ICMP traffic from the SNMP server that is meant for the Outside PIX.

Any help would be appreciated.


Allen P Chen
Level 5

Is NAT configured on the inside PIX?  If NAT is not configured, is there a route on the outside PIX for the 10.1.50.0 segment pointing to 172.168.16.2?

Is ICMP inspection enabled on the inside PIX (fixup protocol icmp)?

Can the SNMP server at 10.1.50.126 ping other hosts on the 172.168.16.0 segment?  It was mentioned there were going to be a couple of servers in that segment, can the SNMP server ping those DMZ servers?

NAT is not configured.

I have not run the "fixup protocol icmp" command.

My SNMP server cannot ping the servers in the DMZ but it can RDP and access web/email functions.

The outside PIX ETH1 interface will respond to pings from the DMZ servers as well as the inside PIX.

Thanks

Brian

Edit*

There is a route statement on the Outside PIX sending all 10.0.0.0 traffic to 172.168.16.2

Hello,

Thanks for the reply.  Based on the info, the issue should be resolved if you enable ICMP inspection (fixup protocol icmp).

By default, the PIX will not allow ICMP echo replies to pass through the device.  You can either allow it via inspection (where the firewall will inspect the outgoing request and allow the reply to come back through), or you can explicitly allow it via ACL on the outside interface (access-list OUTSIDE_IN permit icmp any any).

Hope this helps!

Thanks for the Help.

The "fixup protocol icmp" did not seem to work for me or at least not on its own.

I added the following firewall rules after trying the fixup protocol icmp command and it is now working for me.

access-list acl-in permit icmp host 10.1.50.126 host 172.168.16.1

access-list acl-out permit icmp host 172.168.16.1 host 10.1.50.126

Thanks a bunch
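The two approaches from the accepted reply (ICMP inspection versus explicit ACL entries) and the pair of access-list lines Brian ended up with, written out as one PIX 7.2 configuration fragment. This is an added example, not configuration from either poster or from Cisco; the interface names inside/outside, the assumption that acl-in and acl-out are the ACLs already applied to those interfaces, and the choice of ICMP type keywords are mine.

```cisco
! Added example for the INSIDE PIX (7.2(3)); not from the thread's authors.
! Assumed interface names: inside = ETH0 (10.1.100.51), outside = ETH1 (172.168.16.2).
! Assumed ACL names acl-in / acl-out are the ones Brian posted.
!
! Option 1: stateful ICMP inspection ("fixup protocol icmp" in the reply).
! On 7.x the fixup keyword is converted into the Modular Policy Framework form below;
! with inspection on, the echo-reply returning from 172.168.16.1 is matched to the
! outgoing echo in the connection table, so no inbound ACL entry for the reply is needed.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Option 2: explicit ACL entries, narrowed to the one SNMP host, the one
! PIX interface it polls, and only echo / echo-reply, rather than "permit icmp any any".
! Without inspection both directions need an entry, which matches what Brian observed.
access-list acl-in permit icmp host 10.1.50.126 host 172.168.16.1 echo
access-list acl-out permit icmp host 172.168.16.1 host 10.1.50.126 echo-reply
!
! Re-applying an access-group with the same ACL name is harmless; applying a
! different name would replace whatever ACL is already bound to that interface.
access-group acl-in in interface inside
access-group acl-out in interface outside
!
! Checks: "show service-policy" confirms inspect icmp is active under global_policy,
! "show access-list acl-in" / "show access-list acl-out" show hit counts climbing
! while the SNMP server pings, and "show conn" lists the ICMP entry when inspection is on.
```

If inspection is enabled, the acl-out echo-reply line is redundant and can be left out; keeping both is what Brian did, and the explicit host-to-host entries are still the tighter option because they never widen to `permit icmp any any`.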
