Cisco Support Community
New Member

Nested Firewalls

I am not able to ping a public IP address of 4.2.2.2 from a device on my network. Does anyone have ideas what could be preventing this?

A little about my network:

ISP > PIX 515 > Switch > PIX 501 > Device

PIX 515

outside dhcp setroute

inside (10.100.60.1/16)

Switch

--All users connected to it, except the PIX 501, receive an IP address and are able to ping 4.2.2.2

PIX 501

outside dhcp setroute

inside (172.16.0.1/24)

PIX received a 10.100.60.0/16 address.

PIX is able to ping 10.100.60.1

PIX is NOT ABLE to ping 4.2.2.2

===PING TEST===

DansFW(config)# ping 10.100.60.1

        10.100.60.1 response received -- 0ms

        10.100.60.1 response received -- 0ms

        10.100.60.1 response received -- 0ms

DansFW(config)# ping 4.2.2.2

        4.2.2.2 NO response received -- 1000ms

        4.2.2.2 NO response received -- 1000ms

        4.2.2.2 NO response received -- 1000ms

===ROUTING INFO===

DansFW(config)# show route

        outside 0.0.0.0 0.0.0.0 10.100.60.1 1 DHCP static

        outside 10.100.0.0 255.255.0.0 10.100.60.23 1 CONNECT static

        inside 172.16.0.0 255.255.255.0 172.16.0.1 1 CONNECT static

=====CONFIG ===

https://gist.github.com/2406839

5 REPLIES
Super Bronze

Re: Nested Firewalls

Hi,

Since you have the PIX501 on the LAN and not directly facing the Internet, can you try adding the command and try again?

icmp permit any outside

If you want to be more specific, the command format is

icmp permit

- Jouni

New Member

Re: Nested Firewalls

Thanks for the suggestion, but it appears to be the same.

DansFW(config)# icmp permit any outside

DansFW(config)# ping 4.2.2.2

        4.2.2.2 NO response received -- 1000ms

        4.2.2.2 NO response received -- 1000ms

        4.2.2.2 NO response received -- 1000ms

DansFW(config)# ping 10.100.60.1

        10.100.60.1 response received -- 0ms

        10.100.60.1 response received -- 0ms

        10.100.60.1 response received -- 0ms

Super Bronze

Re: Nested Firewalls

Hi,

Have you enabled "inspect icmp" in the PIX515?

And have you also allowed ICMPs in the PIX515 access-list?

- Jouni

New Member

Re: Nested Firewalls

It's a PIX 501, and it doesn't seem to support the inspect command. It is, however, passing data. I hooked a client up to it and the client is able to browse. Just ping seems to fail.

Super Bronze

Re: Nested Firewalls

Hi,

I meant the PIX515 at the edge of the network. Isn't the PIX501 behind it?

Though now that I think of it, I guess you already have the "inspect icmp" rule enabled on the PIX515 if the hosts on its inside can ping the address you mentioned? Aren't the users in the same network as the PIX501 outside interface?

Have you been checking the logs on the PIX515 to see if there are any echo replies coming from the target IP address?

I'm not totally sure if an old PIX501 has any additional configuration needed to allow ICMP when you're using its interface to ping something instead of a host behind it.

I think, though, that there are guides on how to configure the PIX to handle ICMP.

Have you tried to attach an access-list on the outside interface of the PIX501 in the direction "in" and allow ICMP to the outside interface? Or if you have an access-list already configured, add a permit line to it.

- Jouni
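To make the suggestions in this thread concrete, the fragment below is an added example; it is not configuration from the original post or from the linked gist. It assumes the interface names used in the thread (outside, inside), a hypothetical access-list name outside_in, PIX 6.x syntax for the access-list lines (the PIX 501 appears to run 6.x, since it rejects "inspect"), and PIX 7.x syntax for the policy-map section, which would apply only to a PIX 515 running 7.x code.

```text
! Added example, not from the original post or the gist.
!
! 1. ICMP terminated at the PIX's own outside interface is controlled
!    by "icmp permit" (Jouni's first suggestion).
icmp permit any outside
!
! 2. Without stateful ICMP inspection a PIX does not create return
!    entries for pings, so echo replies (and the error types a
!    traceroute relies on) must be permitted by the inbound
!    access-list on the interface they arrive on (Jouni's last
!    suggestion). "outside_in" is a hypothetical ACL name.
!    On 7.x code the keyword "extended" goes after the ACL name.
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit icmp any any unreachable
access-group outside_in in interface outside
!
! 3. On a PIX running 7.x code (assumed here for the PIX 515, where
!    "inspect icmp" was asked about), stateful ICMP inspection makes
!    the explicit echo-reply rule unnecessary for transit pings.
!    This section is not available on 6.x, consistent with the report
!    that the PIX 501 does not accept "inspect".
policy-map global_policy
 class inspection_default
  inspect icmp
```

To check which part is actually in play, "show access-list outside_in" shows hit counts that increment only if echo replies reach the outside interface, and "debug icmp trace" prints each ICMP packet the PIX sees, which separates "reply never arrived" from "reply arrived and was dropped".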
