New Member

ICMP problem

I have a Mon-Server inside my LAN that collects SNMP data from my network.

It also uses ping to test device availability. My scenario: the Mon-Server is able to collect SNMP from a router behind the PIX (outside-sahci) interface, but it cannot ping it. When I enable ICMP debug, I see the echo requests come from the Mon-Server through the (inside) interface and get NATted, then the echo-reply comes back from (outside-sahci), but it does not reach the Mon-Server.

This is my PIX conf:

7 REPLIES
New Member

Re: ICMP problem

It appears you have 2 outside interfaces:

"outside" with security0

"outside-sahci" with security10

If the router you are trying to ping is on interface outside-sahci, you just need to apply the ACL to the interface. You already have the ACL in your config:

access-list outside-sahci permit icmp any host Mon-Server echo-reply

Apply it like the other 2 you already have applied, to permit the echo-replies...

access-group outside-sahci in interface outside-sahci

tschuss,

Joe

New Member

Re: ICMP problem

Please, apply the following command on the pix:

access-group outside-sahci in interface outside-sahci

Mike

New Member

Re: ICMP problem

Guys,

Still no luck, I cannot ping.

New Member

Re: ICMP problem

Could you initiate a clear xlate command on the PIX, then see if you have a ping reply?

Otherwise I'd suggest you enable a syslog server (set to debug) and post the syslogs here for further analysis.

New Member

Re: ICMP problem

Also, clear xlate does not work.

This is the syslog:

"8/31/2006 7:10:44 PM" 10.16.60.252 Warning "Aug 31 2006 20:10:25: Deny icmp src outside-sahci:STC-Router dst inside:10.255.128.129 (type 0, code 0) by access-group outside-sahci"

"8/31/2006 7:10:44 PM" 10.16.60.252 Warning "Aug 31 2006 20:10:25: IDS:2000 ICMP echo reply from 10.255.132.9 to 10.255.128.129 on interface outside-sahci"

"8/31/2006 7:10:44 PM" 10.16.60.252 Warning "Aug 31 2006 20:10:25: Deny icmp src outside-sahci:10.1.1.9 dst inside:10.255.128.129 (type 0, code 0) by access-group outside-sahci"

"8/31/2006 7:10:44 PM" 10.16.60.252 Warning "Aug 31 2006 20:10:25: IDS:2000 ICMP echo reply from 10.1.1.9 to 10.255.128.129 on interface outside-sahci"

"8/31/2006 7:10:44 PM" 10.16.60.252 Warning "Aug 31 2006 20:10:25: IDS:2000 ICMP echo reply from 172.30.65.2 to 10.16.60.72 on interface outside"

"8/31/2006 7:10:44 PM" 10.16.60.252 Warning "Aug 31 2006 20:10:25: Deny icmp src outside-sahci:10.245.13.30 dst inside:10.255.128.129 (type 0, code 0) by access-group outside-sahci"

"8/31/2006 7:10:44 PM" 10.16.60.252 Warning "Aug 31 2006 20:10:25: IDS:2000 ICMP echo reply from 10.245.13.30 to 10.255.128.129 on interface outside-sahci"

New Member

Re: ICMP problem

Guys,

Any help?

Silver

Re: ICMP problem

From your syslog you appear to be pinging the outside interface of the PIX from the inside network: "Deny icmp src outside-sahci".

Sorry, but according to Cisco it can't be done.

It's strange, because I have 2 515Es: one with 6.3(4), for which this is true and pings don't work, but the other PIX has 6.3(1) and it works. Both have the same config. Must be a bug in the earlier version.

See this doc:

http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#pingsown

Thanks,

Chad

Please rate if this helps!
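
An added example, not code posted by anyone in this thread: a small Python parser that groups the "Deny icmp" syslog lines posted above by access-group, ICMP type and destination, so what the access-group is dropping can be compared against the ACL entries. The function name and the type-to-keyword table are this example's own assumptions; the sample lines are copied from the thread's syslog output.

```python
import re
from collections import defaultdict

# Body of a PIX "Deny icmp" syslog message, in the form shown in the thread.
DENY_RE = re.compile(
    r"Deny icmp src (?P<src_if>[\w-]+):(?P<src>\S+) "
    r"dst (?P<dst_if>[\w-]+):(?P<dst>\S+) "
    r"\(type (?P<type>\d+), code (?P<code>\d+)\) "
    r"by access-group (?P<acl>[\w-]+)"
)

# ICMP type numbers mapped to the keywords used in ACL entries.
ICMP_TYPES = {0: "echo-reply", 3: "unreachable", 8: "echo", 11: "time-exceeded"}


def summarize_denies(lines):
    """Group denied ICMP packets by (access-group, ICMP type, destination).

    Returns {(acl, type_name, "dst_if:dst"): sorted list of "src_if:src"}.
    Lines that are not "Deny icmp" messages (e.g. IDS:2000) are skipped.
    """
    groups = defaultdict(set)
    for line in lines:
        m = DENY_RE.search(line)
        if not m:
            continue
        icmp_type = int(m["type"])
        type_name = ICMP_TYPES.get(icmp_type, f"type-{icmp_type}")
        key = (m["acl"], type_name, f'{m["dst_if"]}:{m["dst"]}')
        groups[key].add(f'{m["src_if"]}:{m["src"]}')
    return {key: sorted(srcs) for key, srcs in groups.items()}


# Sample input: lines copied from the syslog output posted in this thread.
SAMPLE = [
    '"8/31/2006 7:10:44 PM" 10.16.60.252 Warning "Aug 31 2006 20:10:25: Deny icmp src outside-sahci:STC-Router dst inside:10.255.128.129 (type 0, code 0) by access-group outside-sahci"',
    '"8/31/2006 7:10:44 PM" 10.16.60.252 Warning "Aug 31 2006 20:10:25: IDS:2000 ICMP echo reply from 10.255.132.9 to 10.255.128.129 on interface outside-sahci"',
    '"8/31/2006 7:10:44 PM" 10.16.60.252 Warning "Aug 31 2006 20:10:25: Deny icmp src outside-sahci:10.1.1.9 dst inside:10.255.128.129 (type 0, code 0) by access-group outside-sahci"',
    '"8/31/2006 7:10:44 PM" 10.16.60.252 Warning "Aug 31 2006 20:10:25: Deny icmp src outside-sahci:10.245.13.30 dst inside:10.255.128.129 (type 0, code 0) by access-group outside-sahci"',
]

if __name__ == "__main__":
    for (acl, type_name, dst), sources in summarize_denies(SAMPLE).items():
        print(f"{acl}: denied {type_name} to {dst} from {len(sources)} source(s)")
        for src in sources:
            print(f"  {src}")
```
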
