Ping inside from outside

patchack39
Level 1

Hi everyone,

It should be an easy question for you, I think.

I actually have a Cisco PIX 501, and as an experiment I want to ping inside from outside (I have only succeeded in pinging outside from inside until now).

My ACLs are only:

access-list 1 permit icmp any any

access-group 1 in interface outside

With that I can ping outside from inside, but if I try to ping inside from outside: Destination Host Unreachable

I can ping from an outside computer ---> outside interface of the PIX, but can't do more.

I tried several ACLs but can't find the one that helps me...

By the way, I've tried as well with the command "icmp permit ...", but there is no difference.

Thanks a lot

1 Accepted Solution


Try adding this to your config:

static (inside,outside) 192.168.1.15 192.168.1.15 netmask 255.255.255.255

The reason you can ping from inside to outside is that your nat/global commands dynamically build a NAT translation, so it is there for the return traffic.

However, when you ping from outside there is no NAT translation for the inside host, and for outside to inside you need a static NAT command.

Jon


17 Replies

Julio Carvajal
VIP Alumni

Hello,

Can you add the command

fixup protocol icmp

and then give it a try?

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I will try in a few moments, but if I remember correctly, I already tried this command.

It told me that's not the correct syntax, and that the correct one is:

[no] fixup protocol icmp error

Then I thought that command doesn't exist for my firewall, so I didn't search anymore.

I will retry ASAP, but I'm almost sure.

Hello,

Yeah, based on the version I do not think that command is even there.

Please share the configuration with us, and then I might ask you to take some captures based on what I can get from the config.


I have zero configuration on this PIX; I'm just doing some experiments on it.

But my config is:

pixfirewall(config)# show run config
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol icmp error
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 1 permit icmp any any
access-list 1 permit icmp any any echo-reply
access-list 1 permit icmp any any unreachable
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.128.20.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit name attack1 info action alarm
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 1 in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:1ed2970e0c882bdf53218e833593ad0f

As you can see, I've tried new ACLs but still no change.

I just want to ping my computer which is inside from my computer which is outside. My network is pretty simple, only:

PC(192.168.1.15) -->Inside(192.168.1.1)--Outside(192.128.20.1)<---PC(192.128.20.15)

Thanks for your help anyway!


Thanks for your help, but it's still not working.

I added your command exactly like that:

static (inside,outside) 192.168.1.15 192.168.1.15 netmask 255.255.255.255

but nothing changed.

I really don't know why it's not working.

I succeeded!

I took your command and tried every IP possible.

And finally it is working with:

static (inside,outside) 192.128.20.15 192.128.20.15 netmask 255.255.255.255

But I don't really understand how it's working; I don't understand why this command works.

This command changes nothing, because we say: translate 192.128.20.15 into 192.128.20.15. Could you explain to me a bit more what this command is doing and how it is working?

Thanks a lot for your help!

(Sorry for my bad English, I'm French.)

As you can see, I've tried new ACLs but still no change.

I just want to ping my computer which is inside from my computer which is outside. My network is pretty simple, only:

That's the breaking point: when you started the discussion you were talking about sending traffic from the inside to the outside. Now we are talking about traffic generated on the outside going to the inside.

For that to work, as you saw, you need 2 things:

1) A NAT statement that allows bidirectional traffic, such as

- NAT 0 with ACL

- Static NAT

In this case you are using a Static NAT known as Identity NAT.

2) An ACL permitting the traffic.

So, bottom line: if traffic from out to in is required, a bidirectional NAT statement that allows inbound traffic is needed.


Sorry, that's my bad then.

I'm French, that's why my English isn't good, sorry!

Thanks a lot for your help, it's clearer for me now.

Still, my last "problem" is that I don't understand what the command static (inside,outside) 192.128.20.15 192.128.20.15 netmask 255.255.255.255 is doing.

What's the point of it?

Because if I understand correctly, this is a command for Static NAT, and we say (if I understand correctly): "translate 192.128.20.15 into 192.128.20.15", so what's the point?

Still, my last "problem" is that I don't understand what the command static (inside,outside) 192.128.20.15 192.128.20.15 netmask 255.255.255.255 is doing.

Because remember, in order to allow inbound traffic you need a bidirectional NAT (NAT 0 with ACL or Static NAT).

So you are forced to use one of those; as you do not really need to translate the source, you use a Static Identity NAT in this case, so the destination remains the same and at the same time you have the NAT configured.

Is it clear now?

By the way, remember to rate all of the answers you think have been helpful (hopefully all).


static (inside,outside) 192.128.20.15 192.128.20.15 netmask 255.255.255.255

The above does not make sense, because 192.128.20.15 is on the outside.

The original static I gave you should be the one that made it work, i.e. you need a static entry for the inside address, not the outside address.

If you needed static entries for every outside address, then how would you do that, as you would need statics for every single Internet address?

Jon
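The two conditions Jon and Julio describe above (a translation must exist for the inside host, and the ACL on the outside interface must permit the traffic) can be replayed in a small model. The following is an added example written for this thread, not code from the thread or from Cisco: a toy Python reproduction of how a PIX 6.x decides whether an outside-to-inside packet is accepted. It is deliberately simplified (no ICMP id or port tracking, ACL rules matched on protocol only), uses the addresses from the poster's diagram, and walks through the accepted static for 192.168.1.15, the static for 192.128.20.15 that Jon says cannot work, the case of a missing ACL, and the "clear xlate" advice later in the thread.

```python
# Toy model of the two checks a PIX 6.x applies to an outside->inside packet:
# (1) a translation (xlate) whose global address is the packet's destination
#     must exist, and (2) the ACL bound to the outside interface must permit it.
# Constructed illustration only, not PIX code. The PAT model is simplified:
# ICMP ids / ports are not tracked and ACL rules only match on protocol.
from dataclasses import dataclass, field

OUTSIDE_IF = "192.128.20.1"   # PAT address from "global (outside) 1 interface"


@dataclass
class Xlate:
    local: str      # real address on the inside
    glob: str       # address seen from the outside
    static: bool    # static entries survive "clear xlate"


@dataclass
class Pix:
    outside_acl: list = field(default_factory=list)   # e.g. ["icmp any any"]
    xlates: list = field(default_factory=list)

    def add_static(self, local, glob):
        """Models: static (inside,outside) <glob> <local> netmask 255.255.255.255"""
        self.xlates.append(Xlate(local, glob, static=True))

    def clear_xlate(self):
        """Models "clear xlate": dynamic entries go, statics remain."""
        self.xlates = [x for x in self.xlates if x.static]

    def inside_to_outside(self, src):
        """High->low traffic is allowed by default; nat/global builds a
        dynamic PAT xlate to the outside interface address for the sender."""
        if not any(x.local == src for x in self.xlates):
            self.xlates.append(Xlate(src, OUTSIDE_IF, static=False))
        return "permitted"

    def acl_permits(self, proto):
        return any(rule.split()[0] in (proto, "ip") for rule in self.outside_acl)

    def outside_to_inside(self, dst, proto="icmp"):
        """Low->high traffic needs an ACL permit AND an xlate whose global
        address equals the destination; otherwise the PIX drops it."""
        if not self.acl_permits(proto):
            return "denied: no ACL permit on outside"
        match = next((x for x in self.xlates if x.glob == dst), None)
        if match is None:
            return "denied: no translation for destination"
        return f"permitted -> delivered to {match.local}"


def run_scenarios():
    """Replays the situations discussed in the thread; returns a dict of results."""
    acl = ["icmp any any"]        # access-list 1 permit icmp any any
    inside_pc, outside_pc = "192.168.1.15", "192.128.20.15"
    out = {}

    # nat/global only, testing from outside first: no xlate for the inside PC
    p = Pix(outside_acl=acl)
    out["dynamic_only"] = p.outside_to_inside(inside_pc)

    # identity static for the INSIDE host (the accepted answer)
    p = Pix(outside_acl=acl)
    p.add_static(inside_pc, inside_pc)
    out["static_inside"] = p.outside_to_inside(inside_pc)

    # identity static for the OUTSIDE address: creates no entry for 192.168.1.15
    p = Pix(outside_acl=acl)
    p.add_static(outside_pc, outside_pc)
    out["static_outside"] = p.outside_to_inside(inside_pc)

    # static in place but no ACL applied on the outside interface
    p = Pix(outside_acl=[])
    p.add_static(inside_pc, inside_pc)
    out["static_no_acl"] = p.outside_to_inside(inside_pc)

    # pinging from inside first leaves a dynamic xlate to the PAT address,
    # so inbound packets to that address now match (this is how echo-replies
    # get back) and a test can look successful; "clear xlate" resets it.
    p = Pix(outside_acl=acl)
    p.inside_to_outside(inside_pc)
    out["after_outbound"] = p.outside_to_inside(OUTSIDE_IF)
    p.clear_xlate()
    out["after_clear"] = p.outside_to_inside(OUTSIDE_IF)
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:15s} {result}")
```

Running the file prints one line per scenario. The "static_outside" case reproduces Jon's objection (a static for 192.128.20.15 creates no entry for 192.168.1.15, so the inbound ping is still dropped), and the last two cases show why Jon asks for a "clear xlate" before testing from outside: a dynamic translation left over from an earlier inside-to-outside ping can make a later inbound test look different from a cold start.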

Well, it's not working anymore Jon, so you are probably right.

I just launched all my stuff again and ping from outside to inside is not working...

I will try again and come back if I don't succeed...

Thank you Julio, it's clear now!

Well, I don't know why it's not working...

My config:

pixfirewall(config)# show run config
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol icmp error
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 1 permit icmp any any
access-list 1 permit icmp any any echo-reply
access-list 1 permit icmp any any unreachable
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.128.20.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit name attack1 info action alarm
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.1.15 192.168.1.15 netmask 255.255.255.255 0 0
access-group 1 in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:7961b8b199d7c04c5ac0c3ca77f83ae3
: end

and my network is still:

PC(192.168.1.15) -->Inside(192.168.1.1)--Outside(192.128.20.1)<---PC(192.128.20.15)

I don't know what to do; I was sure it was working earlier, but it seems like I failed somewhere.

The config looks fine.

Can you:

1) make sure the default gateway of the clients is set to the right interface IP

2) change the access-list to use a name rather than a number

It shouldn't matter, but it's worth trying.

3) before testing, do a "clear xlate" on your firewall

Don't try pinging from inside before you test from outside, as it gives misleading results.

Jon
