583 Views · 0 Helpful · 6 Replies

ICMP not traveling across Pix 501 or thru VPN

rkocourek (Level 1)

Although I have allowed ICMP through the Pix, I still can't ping through a VPN tunnel or from inside to outside. Please help.

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list 101 permit ip 10.30.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 102 permit tcp host 63.7x.21x.x interface outside eq 3389
access-list 102 permit udp host 63.7x.21x.x interface outside eq 3389
access-list 102 permit tcp any interface outside eq 8080
access-list 102 permit udp any interface outside eq 8080
access-list 102 permit tcp any interface outside eq 8088
access-list 102 permit udp any interface outside eq 8088
access-list 102 permit tcp any interface outside eq ftp
access-list 102 permit tcp any interface outside eq 5900
access-list 102 permit udp any interface outside eq 5900
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any unreachable
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any echo
access-list 102 permit icmp any any source-quench
pager lines 24
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any echo inside
icmp permit any echo-reply inside
ip address outside dhcp setroute
ip address inside 10.30.1.1 255.255.255.0
ip local pool bigpool 172.16.1.1-172.16.1.250
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) udp interface 3389 10.30.1.10 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 10.30.1.10 3389 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5900 10.30.1.10 5900 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5900 10.30.1.10 5900 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp 10.30.1.10 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 8088 10.30.1.10 8088 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 8080 192.168.1.12 8080 netmask 255.255.255.255 0 0
access-group 102 in interface outside
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside
isakmp enable outside
isakmp key ************ address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local bigpool outside
isakmp nat-traversal 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
management-access inside
console timeout 0
dhcpd address 10.30.1.50-10.30.1.177 inside
dhcpd dns 68.87.66.196 68.87.64.196
dhcpd auto_config outside
dhcpd enable inside
terminal width 80

6 Replies

jackko (Level 7)

Do "debug ic t" on the PIX, then kick off a ping from an inside host to the Internet and/or the VPN peer net.

I got the following output when pinging cisco.com from a PC connected to the inside interface:

Pix(config)# debug ic t
ICMP trace on
Warning: this may cause problems on busy networks
Pix(config)# 1: ICMP echo-request from inside:10.30.1.51 to 198.133.219.25 ID=512 seq=6400 length=40
2: ICMP echo-request: translating inside:10.30.1.51/512 to outside:67.167.93.62/6
3: ICMP echo-request from inside:10.30.1.51 to 198.133.219.25 ID=512 seq=6656 length=40
4: ICMP echo-request: translating inside:10.30.1.51/512 to outside:67.167.93.62/6
5: ICMP echo-request from inside:10.30.1.51 to 198.133.219.25 ID=512 seq=6912 length=40
6: ICMP echo-request: translating inside:10.30.1.51/512 to outside:67.167.93.62/6
7: ICMP echo-request from inside:10.30.1.51 to 198.133.219.25 ID=512 seq=7168 length=40
8: ICMP echo-request: translating inside:10.30.1.51/512 to outside:67.167.93.62/6

The debug output indicates: 1. the PIX has received the echo request and forwarded it to the outside interface; 2. the IP translation is functioning; 3. the host 198.133.219.25 (cisco.com) doesn't respond to the echo request, or the responses are lost somewhere along the path and never arrive at the PIX outside interface.

On #3, the reasoning is that even if the PIX were blocking the echo responses, the "de ic t" output would still show the reply, but the PIX would drop the packets.

However, there is no doubt that 198.133.219.25 (cisco.com) is pingable from any host, but not yours. I can think of two possibilities:

Either the routing doesn't work or the ISP doesn't allow ICMP.

We can eliminate the routing possibility provided all other traffic destined for the Internet is working fine. Further, we can also eliminate the ISP possibility provided you can ping the Internet directly from the PIX.
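jackko's reasoning above (request seen, translation shown, no reply ever appearing in the trace) can be checked mechanically instead of by eye. The Python below is an added example, not code from the thread: it parses "debug icmp trace" lines, follows the PAT of the ICMP identifier so that a reply addressed to the global address can be matched back to the inside request, and lists the requests that never got a reply. The transcript it runs on is constructed: the first four lines mirror the thread's output with a made-up translated identifier (6300; the thread's line is cut off), and the last two lines, a request to a VPN pool address that is NAT-exempt via "nat (inside) 0 access-list 101" and its reply, are invented so the matching path is exercised. The echo-reply line format is an assumption.

```python
"""Pair echo-requests with echo-replies in PIX 'debug icmp trace' output.

Added example, not from the thread. SAMPLE is a constructed transcript: the
first four lines follow the thread's debug output (translated ICMP id 6300 is
made up, the thread's line is cut off); lines 5-6 are invented to show a
request and reply for a NAT-exempt destination in the VPN client pool.
"""
import re
from typing import Dict, List, Tuple

SAMPLE = """\
1: ICMP echo-request from inside:10.30.1.51 to 198.133.219.25 ID=512 seq=6400 length=40
2: ICMP echo-request: translating inside:10.30.1.51/512 to outside:67.167.93.62/6300
3: ICMP echo-request from inside:10.30.1.51 to 198.133.219.25 ID=512 seq=6656 length=40
4: ICMP echo-request: translating inside:10.30.1.51/512 to outside:67.167.93.62/6300
5: ICMP echo-request from inside:10.30.1.51 to 172.16.1.1 ID=512 seq=6912 length=40
6: ICMP echo-reply from outside:172.16.1.1 to 10.30.1.51 ID=512 seq=6912 length=40
"""

# Packet line: "<n>: ICMP echo-request from <if>:<src> to <dst> ID=<id> seq=<seq> length=<len>"
PKT = re.compile(
    r"^\s*\d+:\s+ICMP (echo-request|echo-reply) from (\w+):([\d.]+) to ([\d.]+) "
    r"ID=(\d+) seq=(\d+) length=\d+"
)
# PAT line: "<n>: ICMP echo-request: translating inside:<src>/<id> to outside:<global>/<gid>"
XLATE = re.compile(
    r"^\s*\d+:\s+ICMP echo-request: translating (\w+):([\d.]+)/(\d+) to (\w+):([\d.]+)/(\d+)"
)

Key = Tuple[str, str, int, int]   # (inside src, destination, inside ICMP id, seq)

def pair_echoes(debug_text: str) -> Tuple[Dict[str, int], List[Key]]:
    """Return counters and the echo-requests that never saw a matching reply."""
    pending: set = set()
    # (global address, translated id) -> (inside address, original id). ICMP echo
    # has no ports, so PAT rewrites the identifier field instead; the trace shows it.
    xlate: Dict[Tuple[str, int], Tuple[str, int]] = {}
    stats = {"requests": 0, "translations": 0, "replies": 0, "unmatched_replies": 0}
    for line in debug_text.splitlines():
        m = XLATE.match(line)
        if m:
            stats["translations"] += 1
            xlate[(m.group(5), int(m.group(6)))] = (m.group(2), int(m.group(3)))
            continue
        m = PKT.match(line)
        if not m:
            continue
        kind, _iface, src, dst, ident, seq = m.groups()
        ident, seq = int(ident), int(seq)
        if kind == "echo-request":
            stats["requests"] += 1
            pending.add((src, dst, ident, seq))
        else:
            stats["replies"] += 1
            # The reply is addressed to the global address/id; map it back to the
            # inside host. Untranslated traffic (nat 0, i.e. the VPN) maps to itself.
            inside_src, inside_id = xlate.get((dst, ident), (dst, ident))
            key = (inside_src, src, inside_id, seq)
            if key in pending:
                pending.remove(key)
            else:
                stats["unmatched_replies"] += 1
    return stats, sorted(pending)

if __name__ == "__main__":
    stats, unanswered = pair_echoes(SAMPLE)
    print(stats)
    for src, dst, ident, seq in unanswered:
        # Request seen and translated but no reply at the outside interface: the
        # loss is beyond the PIX or the target is silent. A reply dropped by the
        # outside ACL would still have appeared in the trace first.
        print(f"no reply: {src} -> {dst} id={ident} seq={seq}")
```

An unanswered request whose translation line did appear has left the PIX; as jackko says, a reply blocked by the outside access-list would still show up in the trace before being dropped, so an empty reply side points past the firewall, not at it.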

I connected a PC outside the Pix and I can ping external hosts/domains, so my ISP does allow ICMP. I have tried using Pix IOS 6.3(4) without success. You say it might be routing, how is that and how would I fix it?

I finally figured it out. The trick was to remove the following access-lists:

access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any unreachable
access-list 102 permit icmp any any time-exceeded

and replace them with this:

access-list 102 permit icmp any any

This is interesting.

Those three ACLs should work as long as the echo request is initiated from the PIX inside net.

E.g.:

pix# sh access-list inbound
access-list inbound; 13 elements
access-list inbound line 1 permit icmp any any echo-reply (hitcnt=445896)
access-list inbound line 2 permit icmp any any unreachable (hitcnt=2247263)
access-list inbound line 3 permit icmp any any time-exceeded (hitcnt=2163011)
access-list inbound line 4 permit esp any any (hitcnt=18)
access-list inbound line 5 permit tcp any object-group x eq www
access-list inbound line 5 permit tcp any host x eq www (hitcnt=20214)
access-list inbound line 6 permit tcp any object-group a eq ssh
access-list inbound line 6 permit tcp any host x eq ssh (hitcnt=136461)
access-list inbound line 7 permit tcp any object-group x eq smtp
access-list inbound line 7 permit tcp any host x eq smtp (hitcnt=121565)
access-list inbound line 8 permit tcp any object-group x eq www
access-list inbound line 8 permit tcp any host x eq www (hitcnt=3231)
access-list inbound line 9 permit tcp any object-group x eq pop3
access-list inbound line 9 permit tcp any host x eq pop3 (hitcnt=202138)
access-list inbound line 10 permit tcp any object-group x eq https
access-list inbound line 10 permit tcp any host x eq https (hitcnt=98087)
access-list inbound line 11 permit tcp any object-group x eq www
access-list inbound line 11 permit tcp any host x eq www (hitcnt=1736)
access-list inbound line 12 permit tcp any object-group x eq 491
access-list inbound line 12 permit tcp any host x eq 491 (hitcnt=0)
access-list inbound line 13 permit tcp any object-group x eq www
access-list inbound line 13 permit tcp any host x eq www (hitcnt=813)

These lines are copied directly from a production box. The first three lines are identical to what you've got, and the ping works fine. Odd.
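Two things in the last two posts are worth checking with a script rather than by eye: what the OP's replacement "access-list 102 permit icmp any any" admits compared with the three typed entries it replaced, and which lines of a "show access-list" listing like jackko's have never matched (line 12, hitcnt=0). The Python below is an added example, not code from the thread or from Cisco. It parses both the running-config form and the "show access-list" form, evaluates ICMP types for an arbitrary outside source under the PIX's first-match, implicit-deny semantics, and reports untyped ICMP permits and zero-hit lines. The sample inputs are the thread's own lines, trimmed; the "x" host names are the placeholders from jackko's post.

```python
"""Audit PIX 6.x access-list entries for ICMP exposure and never-hit rules.
Added example, not code from the thread; parses both the config form and the
'show access-list' form (with 'line N' and '(hitcnt=N)') seen above."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# IANA ICMP type numbers for the type keywords a PIX access-list accepts.
ICMP_TYPES = {
    "echo-reply": 0, "unreachable": 3, "source-quench": 4, "redirect": 5,
    "alternate-address": 6, "echo": 8, "router-advertisement": 9,
    "router-solicitation": 10, "time-exceeded": 11, "parameter-problem": 12,
    "timestamp-request": 13, "timestamp-reply": 14, "information-request": 15,
    "information-reply": 16, "mask-request": 17, "mask-reply": 18,
    "traceroute": 30, "conversion-error": 31, "mobile-redirect": 32,
}

@dataclass
class Ace:
    acl: str
    line: Optional[int]        # 'line N' from show access-list; None in config form
    action: str                # permit | deny
    proto: str                 # ip | icmp | tcp | udp | esp ...
    src: str
    dst: str
    qualifier: Optional[str]   # ICMP type keyword, or 'eq PORT' for tcp/udp
    hitcnt: Optional[int]

_HEAD = re.compile(
    r"^access-list (\S+)(?: line (\d+))? (permit|deny) (\S+) (.*?)(?: \(hitcnt=(\d+)\))?$"
)

def _take_addr(tokens: List[str]) -> str:
    """Consume one address spec: any | host A | interface IF | object-group G | NET MASK."""
    t = tokens.pop(0)
    return t if t == "any" else f"{t} {tokens.pop(0)}"

def parse_acl(text: str) -> List[Ace]:
    aces: List[Ace] = []
    for raw in text.splitlines():
        m = _HEAD.match(raw.strip())
        if not m:
            continue              # e.g. the 'access-list inbound; 13 elements' header
        acl, line, action, proto, rest, hits = m.groups()
        if line and hits is None and "object-group" in rest:
            continue              # object-group parent line; its expansions carry the hitcnt
        tokens = rest.split()
        src, dst = _take_addr(tokens), _take_addr(tokens)
        aces.append(Ace(acl, int(line) if line else None, action, proto, src, dst,
                        " ".join(tokens) or None, int(hits) if hits is not None else None))
    return aces

def icmp_verdict(aces: List[Ace], icmp_type: str) -> bool:
    """First-match evaluation for an arbitrary outside source to an arbitrary
    destination: only 'any any' entries can decide that case, so narrower ones
    are skipped, and running off the end is the PIX's implicit deny."""
    for a in aces:
        if a.src != "any" or a.dst != "any":
            continue
        if a.proto == "ip" or (a.proto == "icmp" and a.qualifier in (None, icmp_type)):
            return a.action == "permit"
    return False

def icmp_types_permitted(aces: List[Ace]) -> Set[str]:
    return {t for t in ICMP_TYPES if icmp_verdict(aces, t)}

def broad_icmp_entries(aces: List[Ace]) -> List[Ace]:
    """Permits that admit every ICMP type from anywhere, redirect included."""
    return [a for a in aces if a.action == "permit" and a.proto in ("ip", "icmp")
            and a.src == "any" and a.dst == "any" and a.qualifier is None]

def zero_hit_lines(aces: List[Ace]) -> List[int]:
    """Lines that never matched anything; candidates for review or removal."""
    return [a.line for a in aces if a.line is not None and a.hitcnt == 0]

# The three ACL 102 entries the OP removed, copied from the thread.
NARROW = """\
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any unreachable
access-list 102 permit icmp any any time-exceeded
"""
# What the OP replaced them with.
WIDE = "access-list 102 permit icmp any any\n"
# Excerpt of jackko's 'show access-list inbound' output (hosts masked 'x' in the thread).
SHOW = """\
access-list inbound; 13 elements
access-list inbound line 1 permit icmp any any echo-reply (hitcnt=445896)
access-list inbound line 4 permit esp any any (hitcnt=18)
access-list inbound line 5 permit tcp any object-group x eq www
access-list inbound line 5 permit tcp any host x eq www (hitcnt=20214)
access-list inbound line 12 permit tcp any object-group x eq 491
access-list inbound line 12 permit tcp any host x eq 491 (hitcnt=0)
"""

if __name__ == "__main__":
    for label, text in (("narrow", NARROW), ("wide", WIDE)):
        aces = parse_acl(text)
        print(label, "permits", len(icmp_types_permitted(aces)), "ICMP types;",
              "redirect:", icmp_verdict(aces, "redirect"))
    print("zero-hit lines:", zero_hit_lines(parse_acl(SHOW)))
```

The three typed entries exist because PIX 6.x does not track ICMP statefully: an echo-reply returning to an inside host is only passed if the outside access-list permits it. "permit icmp any any" does that too, but it also admits redirect, router-advertisement, timestamp and every other type from any source, so if the typed entries really are not matching, the thing to look at is what "show access-list 102" counts against them, not a wider rule. Note also that the "icmp permit ... outside" lines in the OP's config only govern ICMP addressed to the PIX's own interface, not traffic through it; that is the job of access-list 102.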
