03-04-2014 02:09 AM - edited 03-11-2019 08:53 PM
Hi everyone,
It should be an easy question for you, I think.
I currently have a Cisco PIX 501, and as an experiment I want to ping inside from outside (until now I have only succeeded in pinging outside from inside).
My ACLs are only:
access-list 1 permit icmp any any
access-group 1 in interface outside
With that I can ping outside from inside, but if I try to ping inside from outside: Destination Host Unreachable.
From an outside computer I can ping the outside interface of the PIX, but I can't get any further.
I tried several ACLs but can't find the one that helps me...
By the way, I've also tried the command "icmp permit ...", but there is no difference.
Thanks a lot
03-04-2014 05:01 AM
Hello,
Can you add the command
fixup protocol icmp
and then give it a try?
Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com
03-04-2014 05:24 AM
I will try in a few moments, but if I remember correctly, I already tried this command.
It tells me that's not correct syntax, and that the correct one is:
[no] fixup protocol icmp error
Then I thought that command didn't exist for my firewall, so I didn't search any further.
I will retry ASAP, but I'm almost sure.
03-04-2014 07:29 AM
Hello,
Yeah, based on the version, I do not think that command is even there.
Please share the configuration with us, and then I might ask you to take some captures based on what I can get from the config.
Cheers,
Julio Carvajal Segura
03-04-2014 07:57 AM
I have zero configuration on this PIX; I'm just experimenting with it.
But my config is:
pixfirewall(config)# show run config
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol icmp error
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 1 permit icmp any any
access-list 1 permit icmp any any echo-reply
access-list 1 permit icmp any any unreachable
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.128.20.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit name attack1 info action alarm
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 1 in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:1ed2970e0c882bdf53218e833593ad0f
As you can see, I've tried new ACLs but still no change.
I just want to ping my computer that is inside from my computer that is outside. My network is pretty simple, only:
PC(192.168.1.15) -->Inside(192.168.1.1)--Outside(192.128.20.1)<---PC(192.128.20.15)
Thanks for your help anyway!
03-04-2014 11:12 AM
Try adding this to your config -
static (inside,outside) 192.168.1.15 192.168.1.15 netmask 255.255.255.255
The reason you can ping from inside to outside is that your nat/global commands dynamically build a NAT translation, so it is there for the return traffic.
However, when you ping from outside there is no NAT translation for the inside host. And for outside to inside you need a static NAT command.
Jon
03-05-2014 12:42 AM
Thanks for your help, but it's still not working.
I added your command exactly like that:
static (inside,outside) 192.168.1.15 192.168.1.15 netmask 255.255.255.255
but nothing changed.
I really don't know why it's not working.
03-05-2014 01:23 AM
I succeeded!
I took your command and tried every possible IP.
And finally it is working with:
static (inside,outside) 192.128.20.15 192.128.20.15 netmask 255.255.255.255
But I don't really understand how it's working; I don't understand why this command works.
This command changes nothing, because we say: translate 192.128.20.15 into 192.128.20.15. Could you explain to me a bit more what this command is doing and how it works?
Thanks a lot for your help!
(Sorry for my bad English, I'm French.)
03-05-2014 04:41 AM
As you can see, I've tried new ACLs but still no change.
I just want to ping my computer that is inside from my computer that is outside. My network is pretty simple, only:
That's the breaking point. When you started the discussion you were talking about sending traffic from the Inside to the Outside. Now we are talking about traffic generated on the outside going to the inside.
For that to work, as you saw, you need 2 things:
1) A NAT statement that allows bidirectional traffic, such as
-NAT 0 with ACL
-Static NAT
In this case you are using a Static NAT known as Identity NAT.
2) An ACL permitting the traffic.
So bottom line: if traffic from out to in is required, a bidirectional NAT statement that allows inbound traffic is needed.
Cheers,
Julio Carvajal Segura
03-05-2014 05:29 AM
Sorry, that's my bad then.
I'm French, that's why my English isn't good, sorry!
Thanks a lot for your help, it's clearer for me now.
Still, my last "problem" is that I don't understand what the command static (inside,outside) 192.128.20.15 192.128.20.15 netmask 255.255.255.255 is doing.
What's the point of it?
Because if I understand correctly, this is a command for Static NAT and we say (if I understand correctly):
"translate 192.128.20.15 into 192.128.20.15", so what's the point?
03-05-2014 05:32 AM
Still, my last "problem" is that I don't understand what the command static (inside,outside) 192.128.20.15 192.128.20.15 netmask 255.255.255.255 is doing.
Because remember, in order to allow inbound traffic you need a bidirectional NAT (NAT 0 with ACL or Static NAT).
So you are forced to use one of those. As you do not really need to translate the source, you use a Static Identity NAT in this case, so the destination remains the same while at the same time you have the NAT configured.
Is it clear now?
By the way, remember to rate all of the answers you think have been helpful (hopefully all).
Cheers,
Julio Carvajal Segura
03-05-2014 05:41 AM
static (inside,outside) 192.128.20.15 192.128.20.15 netmask 255.255.255.255
The above does not make sense, because 192.128.20.15 is on the outside.
The original static I gave you should be the one that made it work, i.e. you need a static entry for the inside address, not the outside address.
If you needed static entries for every outside address, then how would you do that? You would need statics for every single Internet address.
Jon
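The three points made above (Jon's static for the inside host, Julio's rule that inbound traffic needs a bidirectional NAT entry plus an ACL, and Jon's remark that a static for the outside address does nothing for this case) can be checked against a small model of how a two-interface PIX 6.3 decides the fate of a packet. This is an added example written for this page, not PIX code and not from either poster; the addresses are the thread's, the `Pix`, `Packet`, `AclRule` and `scenario` names are invented here, and the logic is a simplification: the ICMP identifier stands in for the PAT port, there is no ICMP inspection, and the hosts' own routing tables are not modelled.

```python
import ipaddress
from dataclasses import dataclass

INSIDE, OUTSIDE = "inside", "outside"


@dataclass
class Packet:
    src: str
    dst: str
    ingress: str      # interface the packet arrives on
    ident: int = 1    # ICMP identifier; PAT keys on it the way it keys TCP/UDP on ports


@dataclass
class AclRule:
    action: str               # "permit" or "deny"
    src: str = "0.0.0.0/0"    # "any"
    dst: str = "0.0.0.0/0"

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst))


class Pix:
    """Hypothetical model of a two-interface PIX 6.3: nat/global PAT, statics, one inbound ACL."""

    def __init__(self, outside_ip="192.128.20.1"):
        self.outside_ip = outside_ip   # global (outside) 1 interface
        self.nat_inside = True         # nat (inside) 1 0.0.0.0 0.0.0.0
        self.acl_outside = None        # None = no access-group applied on outside
        # xlate table: (global_if, global_ip, ident) -> (local_if, local_ip); ident None = static
        self.xlate = {}

    def static(self, local_if, global_if, global_ip, local_ip):
        """static (local_if,global_if) global_ip local_ip netmask 255.255.255.255"""
        self.xlate[(global_if, global_ip, None)] = (local_if, local_ip)

    def acl_permits(self, acl, pkt):
        if acl is None:
            return False   # low -> high security with no access-group: nothing gets in
        for rule in acl:
            if rule.matches(pkt):
                return rule.action == "permit"
        return False       # implicit deny at the end of every ACL

    def forward(self, pkt):
        """Return ("forwarded", egress_if, new_src, new_dst) or ("dropped", reason)."""
        return self._outbound(pkt) if pkt.ingress == INSIDE else self._inbound(pkt)

    def _outbound(self, pkt):
        # high -> low: no ACL on inside in the thread's config, so the packet is allowed.
        # A static for the source wins over dynamic NAT (identity static = no rewrite).
        for (gif, gip, ident), (lif, lip) in self.xlate.items():
            if ident is None and lif == INSIDE and lip == pkt.src:
                return ("forwarded", gif, gip, pkt.dst)
        if not self.nat_inside:
            return ("dropped", "no nat rule for source")
        # Dynamic PAT: build the xlate that the return traffic will match.
        self.xlate[(OUTSIDE, self.outside_ip, pkt.ident)] = (INSIDE, pkt.src)
        return ("forwarded", OUTSIDE, self.outside_ip, pkt.dst)

    def _inbound(self, pkt):
        # low -> high: the destination must already have an xlate, static or dynamic.
        entry = (self.xlate.get((OUTSIDE, pkt.dst, None))
                 or self.xlate.get((OUTSIDE, pkt.dst, pkt.ident)))
        if entry is None:
            # the PIX reports this as %PIX-3-305005 "No translation group found"
            return ("dropped", "no translation group found for dst %s" % pkt.dst)
        if not self.acl_permits(self.acl_outside, pkt):
            return ("dropped", "denied by ACL on outside")
        local_if, local_ip = entry
        return ("forwarded", local_if, pkt.src, local_ip)


def scenario(static_global=None, static_local=None, with_acl=True):
    """Fate of an inside->outside echo, its echo-reply, and a fresh outside->inside echo."""
    pix = Pix()
    if with_acl:
        pix.acl_outside = [AclRule("permit")]   # access-list 1 permit icmp any any
    if static_global:
        pix.static(INSIDE, OUTSIDE, static_global, static_local)
    out = pix.forward(Packet("192.168.1.15", "192.128.20.15", INSIDE, ident=7))
    reply_dst = out[2] if out[0] == "forwarded" else "192.128.20.1"
    reply = pix.forward(Packet("192.128.20.15", reply_dst, OUTSIDE, ident=7))
    inbound = pix.forward(Packet("192.128.20.15", "192.168.1.15", OUTSIDE, ident=9))
    return out, reply, inbound


if __name__ == "__main__":
    for label, args in [("no static", ()),
                        ("static for inside host", ("192.168.1.15", "192.168.1.15")),
                        ("static for outside host", ("192.128.20.15", "192.128.20.15")),
                        ("inside static, no access-group", ("192.168.1.15", "192.168.1.15", False))]:
        print(label, scenario(*args), sep=": ")
```

Running it shows the thread's four situations side by side: with only nat/global, the outbound echo builds a PAT xlate on 192.128.20.1 that the echo-reply matches, while a fresh echo to 192.168.1.15 has no xlate and is dropped before the ACL is even consulted; the identity static for 192.168.1.15 gives the inside host a permanent xlate, so the inbound echo passes the xlate lookup and then the permit-any ICMP ACL; the static for 192.128.20.15 creates an xlate for an address nobody on the outside sends to, so the inbound echo still fails; and with the static but no access-group on outside, both the echo and, without ICMP inspection, the echo-reply hit the implicit deny. The model stops at the firewall, so whether the outside host can actually route to 192.168.1.15 is a separate check on the host.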
03-05-2014 07:09 AM
Well, it's not working anymore, Jon, so you're probably right.
I just launched all my stuff again, and ping from outside to inside isn't working...
I will try again and come back if I don't succeed...
Thank you Julio, it's clear now!
03-05-2014 07:18 AM
Well, I don't know why it's not working...
My config:
pixfirewall(config)# show run config
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol icmp error
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 1 permit icmp any any
access-list 1 permit icmp any any echo-reply
access-list 1 permit icmp any any unreachable
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.128.20.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit name attack1 info action alarm
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.1.15 192.168.1.15 netmask 255.255.255.255 0 0
access-group 1 in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:7961b8b199d7c04c5ac0c3ca77f83ae3
: end
And my network is still:
PC(192.168.1.15) -->Inside(192.168.1.1)--Outside(192.128.20.1)<---PC(192.128.20.15)
I don't know what to do; I was sure it was working earlier, but it seems like I failed somewhere.
03-05-2014 07:25 AM
The config looks fine.
Can you:
1) make sure the default gateway of the clients is set to the right interface IP
2) change the access-list to use a name rather than a number
It shouldn't matter, but it's worth trying
3) before testing, do a "clear xlate" on your firewall
Don't try pinging from inside before you test from outside, as it gives misleading results.
Jon