
New Member

Pix 506E Allowing ping (ICMP) replies

Lo all,

Having trouble with a PIX 506E 6.3(5), I am trying to get ping and tracert working from clients within my network.

I have added the following lines to my pix config:

!--- Create an access list to allow pings out
access-list ping_acl permit icmp any host 217.34.xxx.xxx echo-reply
access-list ping_acl permit icmp any host 217.34.xxx.xxx time-exceeded
access-list ping_acl permit icmp any host 217.34.xxx.xxx unreachable
access-group ping_acl in interface outside

But still no joy; any ideas would be much appreciated.

7 REPLIES
Hall of Fame Super Blue

Re: Pix 506E Allowing ping (ICMP) replies

Hi Paul

I'm a little unclear as to what you are trying to achieve. If you want to allow your clients to ping out, why are you applying this access-list on the outside interface?

What are the source addresses of your clients and what are the destination addresses you want to ping?

Jon

New Member

Re: Pix 506E Allowing ping (ICMP) replies

Hi Jon,

I am trying to follow:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

I am trying to allow all clients on the internal network to be able to ping / tracert any public IP address.

My clients are on a 10.1.2.x/8 range

Hall of Fame Super Blue

Re: Pix 506E Allowing ping (ICMP) replies

Paul

Okay, makes a bit more sense I think.

I'm assuming you are NATting all your inside hosts to 217.34.x.x?

Do you have an access-list applied to your inside interface?

Perhaps you could send the whole config of the pix minus any sensitive information.

Jon

New Member

Re: Pix 506E Allowing ping (ICMP) replies

Hi Jon,

Very new to PIXs, so this is my working config for the network that I have managed to piece together:

nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 100full
interface ethernet1 100full
ip address outside 217.34.xxx.xxx 255.255.255.240
ip address inside 10.1.1.1 255.0.0.0
route outside 0.0.0.0 0.0.0.0 217.34.xxx.xxx 1
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
global (outside) 1 interface
static (inside,outside) tcp 217.34.xxx.xxx ftp 10.1.2.150 ftp
static (inside,outside) tcp 217.34.xxx.xxx http 10.1.1.3 http
static (inside,outside) tcp 217.34.xxx.xxx https 10.1.1.3 https

!--- Create an access list to allow pings out
access-list ping_acl permit icmp any host 217.34.xxx.xxx echo-reply
access-list ping_acl permit icmp any host 217.34.xxx.xxx time-exceeded
access-list ping_acl permit icmp any host 217.34.xxx.xxx unreachable
access-list inbound permit tcp any host 217.34.xxx.xxx eq ftp
access-list inbound permit tcp any host 217.34.xxx.xxx eq http
access-list inbound permit tcp any host 217.34.xxx.xxx eq https
access-group ping_acl in interface outside
access-group inbound in interface outside
no fixup protocol ftp 21
no fixup protocol dns

!--- Enable logging
logging on
logging trap 4
logging host 10.1.1.3
telnet 10.0.0.0 255.0.0.0 inside
telnet 192.168.50.0 255.255.255.0 inside
http server enable
http 10.0.0.0 255.0.0.0 inside
pdm history enable

!--- SSH for use with Putty
aaa authentication ssh console LOCAL
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5

!--- Firewall details and passwords
hostname FIREWALL
domain-name C2.local
en pass xxxxxxxxx
pass xxxxxxxxxxx
ip local pool VPN_Pool 192.168.50.1-192.168.50.254
access-list 101 permit ip 10.0.0.0 255.0.0.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list 101

!--- For Cisco VPN Client
sysopt connection permit-ipsec
crypto ipsec transform-set VPN_Trans esp-aes-256 esp-md5-hmac
crypto dynamic-map VPN_Dyn 10 set transform-set VPN_Trans
crypto map VPN_Crypto 10 ipsec-isakmp dynamic VPN_Dyn
crypto map VPN_Crypto interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup C2_xxxxxxxx address-pool VPN_Pool
vpngroup C2_xxxxxxxx idle-time 1800
vpngroup C2_xxxxxxxx password xxxxxxxxxxxx
vpngroup C2_xxxxxxxx wins-server 10.1.1.3
vpngroup C2_xxxxxxxx dns-server 10.1.1.3
vpngroup C2_xxxxxxxx default-domain c2.local
isakmp nat-traversal 20

Hall of Fame Super Blue

Re: Pix 506E Allowing ping (ICMP) replies

Paul

You cannot apply two access-lists to the same interface in the same direction, i.e.

access-group ping_acl in interface outside
access-group inbound in interface outside

You need to combine your two access-lists, i.e. ping_acl and inbound, into one access-list and apply this to the interface.

At the moment the only access-list applied to your outside interface is the inbound access-list which has no entries for icmp.

HTH

Jon
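
As an added example (my own code, not Jon's and not anything from Cisco), here is a small Python linter for exactly the situation in this thread: it parses PIX-style access-list and access-group lines, flags any interface/direction that has more than one ACL bound (only the last binding is in effect, which is why ping_acl never did anything), merges the named ACLs into one in the order you give, and reports which ICMP types the merged list opens so you can confirm that only the reply types (echo-reply, time-exceeded, unreachable) are permitted inbound and not echo itself. The sample config, the documentation address 203.0.113.1 standing in for the poster's 217.34.xxx.xxx, and the ACL name outside_in are all constructed assumptions.

```python
"""Lint PIX 6.x style ACL bindings and merge conflicting ACLs (added example)."""
import re
from collections import OrderedDict

# Constructed sample: the ACL lines from the thread, with the public address
# replaced by the documentation address 203.0.113.1 (an assumption).
SAMPLE_CONFIG = """\
!--- Create an access list to allow pings out
access-list ping_acl permit icmp any host 203.0.113.1 echo-reply
access-list ping_acl permit icmp any host 203.0.113.1 time-exceeded
access-list ping_acl permit icmp any host 203.0.113.1 unreachable
access-list inbound permit tcp any host 203.0.113.1 eq ftp
access-list inbound permit tcp any host 203.0.113.1 eq http
access-list inbound permit tcp any host 203.0.113.1 eq https
access-group ping_acl in interface outside
access-group inbound in interface outside
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(.+)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)$")

# ICMP type keywords a PIX access-list entry may end with (subset).
ICMP_TYPES = {
    "echo", "echo-reply", "time-exceeded", "unreachable", "traceroute",
    "source-quench", "redirect", "parameter-problem",
    "timestamp-request", "timestamp-reply", "mask-request", "mask-reply",
}


def parse_config(text):
    """Return (acls, bindings): acls maps name -> list of ACE strings in config
    order; bindings is a list of (acl_name, direction, interface) in order."""
    acls, bindings = OrderedDict(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue                      # skip blanks and !--- comments
        m = ACL_RE.match(line)
        if m:
            acls.setdefault(m.group(1), []).append(m.group(2))
            continue
        m = GROUP_RE.match(line)
        if m:
            bindings.append((m.group(1), m.group(2), m.group(3)))
    return acls, bindings


def find_conflicts(bindings):
    """(interface, direction) -> [acl names] wherever more than one ACL is bound."""
    seen = OrderedDict()
    for name, direction, iface in bindings:
        seen.setdefault((iface, direction), []).append(name)
    return {key: names for key, names in seen.items() if len(names) > 1}


def effective_acl(bindings, iface, direction):
    """The ACL actually enforced on iface/direction: the last access-group wins."""
    active = None
    for name, d, i in bindings:
        if (i, d) == (iface, direction):
            active = name
    return active


def merge_acls(acls, names, new_name):
    """Concatenate the ACEs of `names` (in that order, which is the order the
    PIX evaluates them) into one ACL `new_name`, dropping exact duplicates."""
    seen, lines = set(), []
    for name in names:
        for ace in acls.get(name, []):
            if ace not in seen:
                seen.add(ace)
                lines.append(f"access-list {new_name} {ace}")
    return lines


def icmp_types_permitted(acls, name):
    """ICMP types permitted by ACL `name`; an ICMP entry with no type keyword
    (or a numeric type) is reported as 'all' / the number respectively."""
    types = set()
    for ace in acls.get(name, []):
        parts = ace.split()
        if len(parts) >= 2 and parts[0] == "permit" and parts[1] == "icmp":
            last = parts[-1]
            types.add(last if last in ICMP_TYPES or last.isdigit() else "all")
    return types


def rewrite_bindings(acls, bindings, new_name="outside_in"):
    """For each conflicting interface/direction, return the merged ACL lines
    followed by the single access-group that replaces the conflicting ones."""
    fixes = {}
    for (iface, direction), names in find_conflicts(bindings).items():
        lines = merge_acls(acls, names, new_name)
        lines.append(f"access-group {new_name} {direction} interface {iface}")
        fixes[(iface, direction)] = lines
    return fixes


if __name__ == "__main__":
    acls, bindings = parse_config(SAMPLE_CONFIG)
    for (iface, d), names in find_conflicts(bindings).items():
        active = effective_acl(bindings, iface, d)
        print(f"{iface}/{d}: {names} bound, only '{active}' is in effect; "
              f"ICMP permitted by it: {icmp_types_permitted(acls, active) or 'none'}")
    for lines in rewrite_bindings(acls, bindings).values():
        print("\n".join(lines))
```

Run it against a saved copy of the config; the merged list keeps the entries in the order of the ACL names you pass, and since the PIX evaluates entries top-down, the list you want matched first goes first. The last check is the one worth keeping in a change review: the merged outside ACL should show only the three reply types, never echo.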

New Member

Re: Pix 506E Allowing ping (ICMP) replies

You learn something new every day:)

Thanks for that Jon, works a treat; thought I was being tidy keeping them apart.

Hall of Fame Super Blue

Re: Pix 506E Allowing ping (ICMP) replies

Paul

Glad to be of help and many thanks for using the rating system.

Jon
