
New Member

Issue with pinging through a PIX 515E

Setup:

Server running SNMP software 10.1.50.126

Inside PIX:

ETH0: 10.1.100.51

ETH1: 172.168.16.2

Outside PIX:

ETH0: Public IP

ETH1: 172.168.16.1

The PIXs' 172 addresses are connected to a Cisco 2950 so we can host a couple of servers in our DMZ. Both PIXs are running version 7.2(3).

I set up SNMP on the two PIXs, which seems to work except that the SNMP server cannot ping the outside PIX (172 address), so it is showing as down. I can pull the configs from the outside PIX, so I know I have a connection to it.

I know the inside PIX can ping the outside PIX (172 address), so I know it will respond to ICMP traffic. I am assuming the issue is that the inside PIX is blocking or dropping the ICMP traffic from the SNMP server that is meant for the outside PIX.

Any help would be appreciated.

4 REPLIES
Cisco Employee

Re: Issue with pinging through a PIX 515E

Is NAT configured on the inside PIX?  If NAT is not configured, is there a route on the outside PIX for the 10.1.50.0 segment pointing to 172.168.16.2?

Is ICMP inspection enabled on the inside PIX (fixup protocol icmp)?

Can the SNMP server at 10.1.50.126 ping other hosts on the 172.168.16.0 segment? It was mentioned there were going to be a couple of servers in that segment; can the SNMP server ping those DMZ servers?

New Member

Re: Issue with pinging through a PIX 515E

NAT is not configured.

I have not run the "fixup protocol icmp" command.

My SNMP server cannot ping the servers in the DMZ but it can RDP and access web/email functions.

The outside PIX ETH1 interface will respond to pings from the DMZ servers as well as the inside PIX.

Thanks

Brian

Edit*

There is a route statement on the Outside PIX sending all 10.0.0.0 traffic to 172.168.16.2

Cisco Employee

Re: Issue with pinging through a PIX 515E

Hello,

Thanks for the reply.  Based on the info, the issue should be resolved if you enable ICMP inspection (fixup protocol icmp).

By default, the PIX will not allow ICMP echo replies to pass through the device.  You can either allow it via inspection (where the firewall will inspect the outgoing request and allow the reply to come back through), or you can explicitly allow it via ACL on the outside interface (access-list OUTSIDE_IN permit icmp any any).

Hope this helps!

New Member

Re: Issue with pinging through a PIX 515E

Thanks for the Help.

The "fixup protocol icmp" did not seem to work for me or at least not on its own.

I added the following firewall rules after trying the "fixup protocol icmp" command, and it is now working for me.

access-list acl-in permit icmp host 10.1.50.126 host 172.168.16.1

access-list acl-out permit icmp host 172.168.16.1 host 10.1.50.126

Thanks a bunch
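As an added illustration (not configuration from anyone in this thread), here are the two approaches the accepted reply describes, written in PIX 7.2 syntax for the inside PIX, with the ACL approach narrowed from the poster's "permit icmp" lines to the two ICMP types and two hosts a ping actually needs. It assumes the inside PIX uses the interface names "inside" (ETH0, 10.1.100.51) and "outside" (ETH1, 172.168.16.2); adjust the nameif values to match the real configuration.

```text
! Added example, not from the thread. Interface names "inside"/"outside" are assumed.
!
! Option 1: stateful ICMP inspection. On 7.2 "fixup protocol icmp" is converted into
! this Modular Policy Framework form. An echo-reply is admitted only when it matches
! an echo request the firewall has already seen leave, so no standing inbound ICMP
! permit is needed on the outside interface.
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
!
! Option 2: explicit ACLs. Compared with "permit icmp host A host B", these lines
! restrict each direction to a single ICMP type, so the outside ACL admits only
! echo-reply from the outside PIX to the SNMP server and nothing else.
access-list acl-in extended permit icmp host 10.1.50.126 host 172.168.16.1 echo
access-list acl-out extended permit icmp host 172.168.16.1 host 10.1.50.126 echo-reply
access-group acl-in in interface inside
access-group acl-out in interface outside
!
! Verification: hit counts on the acl-out line should rise with each successful
! ping, and the inspect list should show icmp when option 1 is in effect.
show access-list acl-out
show service-policy
```

With option 1 in place the acl-out line is not required for the reply; keep it only if the outside interface carries an inbound ACL that would otherwise drop the inspected traffic.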
