Community Member

Ping Out to In on PIX 501 - Can't seem to make it work

I am trying to allow ICMP coming in from an outside host (192.168.10.100) to ping an inside host (10.10.233.100) through a PIX 501 running v 6.3.5

The outside interface is address 192.168.10.10 and the inside interface is address 10.10.233.10

I have the following configured on the PIX :

access-list out_to_in permit ICMP any any

access-group out_to in interface outside

static (inside, outside) 192.168.10.50 10.10.233.100 netmask 255.255.255.255

When running a Debug ICMP Trace I do see the translation happening which translates the ping address (192.168.10.50) to the inside host address (10.10.233.100)

All seems to be working as it should but I do not receive a ping response (echo-reply) on the outside host.

Any thoughts would be greatly appreciated. Thanks

1 ACCEPTED SOLUTION

Hall of Fame Super Blue

Re: Ping Out to In on PIX 501 - Can't seem to make it work

Okay, time for a bit of debugging :-)

1) debug packet inside src 192.168.10.100

do you see packets leaving the inside interface going to 10.10.233.10 ? If yes

2) debug packet inside dst 192.168.10.100

do you see packets returning from 10.10.233.10 to 192.168.10.100

One other thing - you are pinging 192.168.10.50 from 192.168.10.100 ?

Jon

9 REPLIES
Green

Re: Ping Out to In on PIX 501 - Can't seem to make it work

Did you mean "access-group out_to_in in interface outside"?
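
The mismatch pointed out above can be caught mechanically. The following is an added example, not part of the original thread: the posted `access-group` line still reads as a binding of an ACL named `out_to`, which is not the ACL that was defined. The function name `audit` is hypothetical, and it handles only the three command forms shown in the question.

```python
import re

# Constructed sample: the three configuration lines exactly as posted.
POSTED_CONFIG = """\
access-list out_to_in permit ICMP any any
access-group out_to in interface outside
static (inside, outside) 192.168.10.50 10.10.233.100 netmask 255.255.255.255
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)", re.I)
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)", re.I)
# static (real_if, mapped_if) mapped_ip real_ip ...
STATIC_RE = re.compile(
    r"^static\s+\(\s*(\S+?)\s*,\s*(\S+?)\s*\)\s+(\S+)\s+(\S+)", re.I)


def audit(config):
    """Cross-check ACL definitions, interface bindings and static translations."""
    acls, groups, statics = {}, [], []
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append(line)
        elif m := GROUP_RE.match(line):
            groups.append((m.group(1), m.group(2)))   # (acl name, interface)
        elif m := STATIC_RE.match(line):
            statics.append(m.groups())

    findings = []
    for name, iface in groups:
        if name not in acls:
            findings.append(
                f"access-group on '{iface}' references undefined ACL '{name}'")
    bound = {name for name, _ in groups}
    for name in acls:
        if name not in bound:
            findings.append(f"ACL '{name}' is defined but not bound to an interface")
    # Interfaces that have a binding to an ACL that actually exists.
    filtered_ifaces = {iface for name, iface in groups if name in acls}
    for _real_if, mapped_if, mapped_ip, real_ip in statics:
        if mapped_if not in filtered_ifaces:
            findings.append(
                f"static {mapped_ip} -> {real_ip}: no defined ACL bound on '{mapped_if}'")
    return findings


if __name__ == "__main__":
    for finding in audit(POSTED_CONFIG):
        print(finding)
```
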

Community Member

Re: Ping Out to In on PIX 501 - Can't seem to make it work

Yea, man I got some fat fingers

Re: Ping Out to In on PIX 501 - Can't seem to make it work

I don't know if this will make a difference, but do you have an ACL in the inside interface? If so, you can try to allow the connection from the 10.10.233.100 address.

--John

HTH, John *** Please rate all useful posts ***
Community Member

Re: Ping Out to In on PIX 501 - Can't seem to make it work

No Inside ACL so none of that should apply

Hall of Fame Super Blue

Re: Ping Out to In on PIX 501 - Can't seem to make it work

Is 10.10.233.10 directly connected on the inside interface of the pix ?

If not is there a route to point 192.168.10.x network back to the inside interface of the pix so the return traffic gets back to your outside host ?

Jon

Community Member

Re: Ping Out to In on PIX 501 - Can't seem to make it work

Yes directly connected and shows as such in sh route

Re: Ping Out to In on PIX 501 - Can't seem to make it work

After you created your static, did you clear your xlate table? The static won't take effect until that's done.

--John

HTH, John *** Please rate all useful posts ***
Community Member

Re: Ping Out to In on PIX 501 - Can't seem to make it work

All - I tried the same lab test on a different box (PIX 520) using the same parameters (including V 6.3.5) and badda-bing...All working as it should. So now I am left to wonder what the heck is up with the 501. I think I am getting to set back to factory and start over with it and see if that makes any difference. Thanks to all for the great suggestions (especially the debug packet info as I had not used that in the past).

Anyway - suffice to say I have seen stranger things in the past but not today.
