cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4312
Views
0
Helpful
10
Replies

unable to ping outside interface

hyundai_mum
Level 1
Level 1

Hi,

my inside interface user can't ping outside interface even after i have configured acl which allow ping and also icmp response, configured icmp inspection also.find below configuration of pix 515E which is running ios version 8.0(3)

PIX Version 8.0(3)

!

hostname FWALL

enable password f1/B5iV9rJ.dvsDE encrypted

names

dns-guard

!

interface Ethernet0

description P2P link

speed 100

duplex full

nameif outside1

security-level 0

ip address 24.0.0.2 255.255.255.0

!

interface Ethernet1

description LAN interface

speed 100

duplex full

nameif inside

security-level 100

ip address 192.168.10.11 255.255.255.0

!

interface Ethernet2

description Internet Gateway

speed 100

duplex full

nameif outside2

security-level 0

ip address 25.0.0.1 255.255.255.0

!

passwd 2KFQnbNIdI.2KYOU encrypted

boot system flash:/pix803.bin

ftp mode passive

clock timezone IST 5 30

same-security-traffic permit inter-interface

!

access-list icmpacl extended permit icmp any 192.168.10.0 255.255.255.0

access-list acl_inside extended permit ip 192.168.10.0 255.255.255.0 any

pager lines 24

logging enable

logging asdm informational

logging host inside 192.168.10.11

mtu outside1 1500

mtu inside 1500

mtu outside2 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image flash:/asdm-603.bin

no asdm history enable

arp timeout 14400

access-group icmpacl in interface outside1

access-group acl_inside in interface inside

route outside1 0.0.0.0 0.0.0.0 24.0.0.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 172.23.15.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh 192.168.10.0 255.255.255.0 inside

ssh timeout 30

ssh version 2

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

!

class-map icmp-class

match access-list icmpacl

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

class icmp-class

  inspect icmp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:d1afb781f4e40a7c4f8963cd853f94d9

: end

FWALL#

omitted unnecessary config,not using interface ethernet2.

thanks

Hasmukh

1 Accepted Solution

Accepted Solutions

Hi,

The ''clear xlate'' command is to clear the translation table on the PIX/ASA.

If you're modifying the NAT configuration somehow, you should refresh the dynamic NAT table with the ''clear xlate'' command.

Alternative if you don't want to refresh the entire table you can clear specific IPs from the table with the ''clear xlate local x.x.x.x'' command.

The ''inspect icmp'' command is needed for the ASA to keep track of the ICMP connection and therefore allow the PING echo-reply back.

The ASA by default inspects only TCP and UDP traffic to allow the return packets.

To be able to inspect ICMP as well you need the command ''inspect icmp''

Federico.

View solution in original post

10 Replies 10

Jennifer Halim
Cisco Employee
Cisco Employee

You won't be able to ping the outside interface ip address of the PIX from internal LAN as it is not supported.

From internal LAN, you can only ping the PIX inside interface, as well as ping through the PIX, ie: you can ping the next hop ip address from the outside interface (24.0.0.1).

With PIX/ASA, you can only ping the directly connected interface, ie: from internal LAN, you can only ping the inside interface, and from outside, you can only ping the outside interface.

Hope that helps.

Hi Halijenn,

thanks for help,my problem is "i can't ping through pix" but the same network i can reach if i ping form outside interface, my topology is as below.

LAN                                24.0.0.0/24                      23.0.0.0/24                             172.23.15.0/24

----------FIREWALL---------------------ROUTER 1-----------------------ROUTER 2-------------------AT&T ROUTER(no access on this router)

                               .2                       .1              .1                                .2            .13     LAN      .254

i don't find any problem with access-list, could u tell me is their anything i can do so i can ping through firewall, i can ping router2's 172.23.15.13 ip address from outside interface of pix but not from inside interface.

Let me put it like this.

ASA can only "talk" with destinations/sources that is on the interface closer to that said source/destination.

You cannot talk from/to inside ineterface with a destination which is available from the outside interface.

Hi Latosiewicz,

yes i can't talk any destination from inside interface which i can talk from outside interface, so the problem is my LAN users can't reach any destination.

any suggestions

thanks

Is it your LAN users or the ASA itself having problems accessing those hosts?

Show us some logging, informational level would be a start.

You would need to add NAT as well:

nat (inside) 1 192.168.10.0 255.255.255.0

global (outside1) 1 interface

Hope that helps.

Hi halijenn,

i configured suggested nat config but still same problem, find below show run output to help u understand where i am wrong.

FW-HyundaiHMM# show run
: Saved
:
PIX Version 8.0(3)
!
hostname FW-HyundaiHMM
enable password *************** encrypted
names
dns-guard
!
interface Ethernet0
description P2P link
speed 100
duplex full
nameif outside1
security-level 0
ip address 24.0.0.2 255.255.255.0
!
interface Ethernet1
description LAN interface
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.10.11 255.255.255.0
!
interface Ethernet2
description Internet Gateway
speed 100
duplex full
nameif outside2
security-level 0
ip address 25.0.0.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system flash:/pix803.bin
ftp mode passive
clock timezone IST 5 30
same-security-traffic permit inter-interface
access-list icmpacl extended permit icmp any 192.168.10.0 255.255.255.0
access-list acl_inside extended permit ip 192.168.10.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
logging host inside 172.23.15.33
mtu outside1 1500
mtu inside 1500
mtu outside2 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside1) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0
access-group icmpacl in interface outside1
access-group acl_inside in interface inside
route outside1 0.0.0.0 0.0.0.0 24.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.23.15.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 172.23.15.0 255.255.255.0 outside1
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 30
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map icmp-class
match access-list icmpacl
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
class icmp-class
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:4269272b4e0cc053d147f503f9655065
: end
FW-HyundaiHMM#

thanks for all yr help

Did you perform "clear xlate" after adding the nat/global statements? if not, please perform "clear xlate".

Then you might also want to add icmp inspection globally:

policy-map global_policy
class inspection_default
  inspect icmp

Please try to ping the following from inside host and advise if it's successfull:


ping 24.0.0.1
ping 23.0.0.1

Hi halijenn,

it was great help,thanks u very much............................................................

it did't understand two things, why do i need to run clear xlate cmd and why we have to inspect icmp.

thanks

Hasmukh

Hi,

The ''clear xlate'' command is to clear the translation table on the PIX/ASA.

If you're modifying the NAT configuration somehow, you should refresh the dynamic NAT table with the ''clear xlate'' command.

Alternative if you don't want to refresh the entire table you can clear specific IPs from the table with the ''clear xlate local x.x.x.x'' command.

The ''inspect icmp'' command is needed for the ASA to keep track of the ICMP connection and therefore allow the PING echo-reply back.

The ASA by default inspects only TCP and UDP traffic to allow the return packets.

To be able to inspect ICMP as well you need the command ''inspect icmp''

Federico.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: