Strange Firewall Issue

I have a PIX 525 firewall with IOS version 8.0(3).

I have access-lists applied on both the inside and outside interfaces. Everything was working fine, but today I'm not able to ping the firewall's outside interface. Only directly connected switches are able to ping the firewall's outside interface.

The firewall is configured for an AAA server and authentication is working fine, but the firewall is not able to ping the AAA server.

ASDM and everything else is working; only ping to the box is not working.

I have even allowed icmp any any on the inside and outside interfaces.

The firewall is unable to reach the SNMP server. The server gives an "unreachable" error.

Please see the attachment for the firewall configuration, plus logging at the end.

ASDM shows that inside-to-outside traffic is denied by a deny rule, though there is no deny rule, even at the end of the access-list.

Why is this happening? Please help me out.

6 REPLIES

Re: Strange Firewall Issue

I would suggest you restart the firewall once; 90% of problems get resolved. Did you check the output of "show cpu usage"? You can check the hit count of both the ACLs for icmp permit any any...

Please restart and let me know.

regards

Rajesh P

Re: Strange Firewall Issue

Do this:

"clear arp"

and

"clear conn"


Re: Strange Firewall Issue

DRDC-Srv-525-1(config)# sh cpu usage

CPU utilization for 5 seconds = 6%; 1 minute: 2%; 5 minutes: 1%

The ICMP hit count is increasing whenever I try to ping.

I am also getting this error:

DRDC-Srv-525-1(config)# %PIX-3-315004: Fail to establish SSH session because RSA host key retrieval failed.

%PIX-3-315004: Fail to establish SSH session because RSA host key retrieval failed.

%PIX-3-315004: Fail to establish SSH session because RSA host key retrieval failed.

%PIX-3-315004: Fail to establish SSH session because RSA host key retrieval failed.

%PIX-3-315004: Fail to establish SSH session because RSA host key retrieval failed.

I have restarted the firewall; now only the console is working, and I am unable to access the device via telnet or SSH.


Re: Strange Firewall Issue

Why don't you delete the SSH configuration and RSA keys and reconfigure? Your logs say "fail to establish SSH session because RSA host key retrieval failed".

regards

Rajesh

Re: Strange Firewall Issue

Hi,

In regards to pings to the firewall's interfaces, you need to add:

icmp permit any inside

icmp permit any outside

The ICMP entries you have included in the access-list allow pings traversing the firewall, not pings terminating on its interfaces.

I hope it helps. Please rate helpful posts.

Re: Strange Firewall Issue

Do the following:

Problem:

%PIX-3-106014: Deny inbound icmp src inside:172.28.36.4 dst inside:172.28.92.254 (type 8, code 0)

%PIX-3-106014: Deny inbound icmp src inside:172.28.36.4 dst inside:172.28.92.254 (type 8, code 0)

%PIX-3-106014: Deny inbound icmp src inside:172.28.36.4 dst inside:172.28.92.254 (type 8, code 0)

%PIX-3-106014: Deny inbound icmp src inside:172.28.36.4 dst inside:172.28.92.254 (type 8, code 0)

Fix:

same-security-traffic permit inter-interface

Problem:

%PIX-4-106023: Deny tcp src outside:172.28.92.226/2088 dst inside:172.28.36.32/23 by access-group "outside_acl" [0x0, 0x0]

%PIX-4-106023: Deny tcp src outside:172.28.92.226/2088 dst inside:172.28.36.32/23 by access-group "outside_acl" [0x0, 0x0]

%PIX-4-106023: Deny tcp src outside:172.28.92.226/2088 dst inside:172.28.36.32/23 by access-group "outside_acl" [0x0, 0x0]

Fix:

object-group service DRDC_server_ports tcp-udp

port-object eq 23

Also check your subnet masks on the firewall interface, ACL, object-group and route statements, it seems you have misconfigured some of them.

And brother, before posting configs on the Internet, at least delete the passwords, for God's sake :)

Regards

Farrukh
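Putting the two diagnosis posts above together (the `icmp permit any <interface>` post and the mapping of the 106014, 106023 and 315004 messages to fixes), here is an added example, not code from the original thread or from Cisco, of a small Python triager that parses those %PIX syslog lines, collapses the repeats into counts, and checks a running-config excerpt for the lines the thread recommends. The log lines and the config excerpt are constructed for the example: the config is not the poster's attachment, and only the interface names and the `outside_acl` name are taken from the quoted messages. One caveat worth keeping in mind when reading the 106014 lines, where source and destination are both `inside`: a flow that enters and leaves the same interface is governed by `same-security-traffic permit intra-interface`; the `inter-interface` form covers two different interfaces that share a security level.

```python
"""Triage of repeated PIX/ASA syslog lines against a running-config excerpt (added example)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample syslog lines, modelled on the %PIX messages quoted in the thread.
SAMPLE_LOG = """\
%PIX-3-106014: Deny inbound icmp src inside:172.28.36.4 dst inside:172.28.92.254 (type 8, code 0)
%PIX-3-106014: Deny inbound icmp src inside:172.28.36.4 dst inside:172.28.92.254 (type 8, code 0)
%PIX-4-106023: Deny tcp src outside:172.28.92.226/2088 dst inside:172.28.36.32/23 by access-group "outside_acl" [0x0, 0x0]
%PIX-3-315004: Fail to establish SSH session because RSA host key retrieval failed.
"""

# Constructed, hypothetical running-config excerpt (not the poster's attachment).
# It permits ICMP to the outside interface only and has no same-security-traffic line.
SAMPLE_CONFIG = """\
interface Ethernet0
 nameif outside
 security-level 0
interface Ethernet1
 nameif inside
 security-level 100
access-list outside_acl extended permit icmp any any
access-group outside_acl in interface outside
icmp permit any outside
"""

RE_106014 = re.compile(
    r"%PIX-\d-106014: Deny inbound icmp src (?P<src_if>\w+):(?P<src>[\d.]+) "
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+) \(type (?P<type>\d+), code (?P<code>\d+)\)"
)
RE_106023 = re.compile(
    r"%PIX-\d-106023: Deny (?P<proto>\w+) src (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r'dst (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)
RE_315004 = re.compile(r"%PIX-\d-315004: ")


@dataclass(frozen=True)
class Event:
    """One parsed syslog message; frozen so identical repeats can be counted."""
    msg_id: str
    src_if: str = ""
    src: str = ""
    dst_if: str = ""
    dst: str = ""
    proto: str = ""
    dport: int = 0
    acl: str = ""


def parse_line(line: str) -> Optional[Event]:
    """Turn one PIX syslog line into an Event; message IDs we do not handle give None."""
    if m := RE_106014.search(line):
        return Event("106014", m["src_if"], m["src"], m["dst_if"], m["dst"], "icmp")
    if m := RE_106023.search(line):
        return Event("106023", m["src_if"], m["src"], m["dst_if"], m["dst"],
                     m["proto"], int(m["dport"]), m["acl"])
    if RE_315004.search(line):
        return Event("315004")
    return None


def parse_log(text: str) -> list[Event]:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def icmp_rule_for(config: str, iface: str) -> Optional[str]:
    """Action of the first 'icmp permit|deny ... <iface>' line, or None if the interface has none.
    The interface ACL bound with access-group governs transit traffic; pings that terminate
    on the firewall's own interface are governed by the icmp command checked here."""
    for line in config.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "icmp" and parts[1] in ("permit", "deny") \
                and parts[-1] == iface:
            return parts[1]
    return None


def triage(events: list[Event], config: str) -> list[str]:
    """Map each distinct event (with its repeat count) to the config check suggested in the thread."""
    findings = []
    for ev, n in Counter(events).items():
        if ev.msg_id == "106014":
            if icmp_rule_for(config, ev.dst_if) != "permit":
                findings.append(f"{n}x ICMP to {ev.dst_if} denied: add 'icmp permit any {ev.dst_if}'")
            # Same ingress and egress interface: a hairpin, which needs the intra-interface keyword.
            if ev.src_if == ev.dst_if and "same-security-traffic permit intra-interface" not in config:
                findings.append(f"{n}x {ev.src_if}->{ev.dst_if} hairpin: "
                                "needs 'same-security-traffic permit intra-interface'")
        elif ev.msg_id == "106023":
            findings.append(f"{n}x {ev.proto}/{ev.dport} {ev.src_if}:{ev.src}->{ev.dst_if}:{ev.dst} "
                            f"blocked by ACL {ev.acl}: add a permit for port {ev.dport}")
        elif ev.msg_id == "315004":
            findings.append(f"{n}x SSH host key missing: run 'crypto key generate rsa' and save the config")
    return findings


if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_LOG), SAMPLE_CONFIG):
        print(f)
```

Running the file prints one line per distinct problem with its repeat count, so a log full of identical 106014 lines shows up once with "2x" (or "400x") in front of it rather than as a wall of duplicates; feed it `show logging` output and `show running-config` text from the device instead of the constructed samples to triage a real box.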
