Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

ping 501

anyone know why i cannot ping my 501e

i have attached my current config

27 REPLIES
Hall of Fame Super Blue

Re: ping 501

Are you trying to ping the outside interface ?

If so in your config

"icmp permit outside"

Jon

Hall of Fame Super Blue

Re: ping 501

posted twice

Community Member

Re: ping 501

nope still not working and here is the new config

can anyone else ping it?

Hall of Fame Super Blue

Re: ping 501

I can ping your default-gateway ie. 68.213.152.81 but not .84

Can you ping the default-gateway from the pix ?

What does the ouput of a "sh int e0" on your pix show ?

Can you also temporarily remove

"static (inside,outside) 68.213.152.84 10.7.2.13 netmask 255.255.255.255 0 0"

from your config.

Jon

Community Member

Re: ping 501

no i cannot ping the gateway from the pix

yes i can remove that line from the pix give me 2 min!

Hall of Fame Super Blue

Re: ping 501

Sorry, just in case you missed it as i added it into previous post

"sh int e0"

Jon

Community Member

Re: ping 501

AB01-CC-PIX(config)# sh int e0

interface ethernet0 "outside" is up, line protocol is up

Hardware is i82559 ethernet, address is 0013.6070.a868

IP address 68.213.152.84, subnet mask 255.255.255.248

MTU 1500 bytes, BW 100000 Kbit full duplex

384 packets input, 28890 bytes, 0 no buffer

Received 47 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

6 packets output, 360 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 babbles, 0 late collisions, 0 deferred

0 lost carrier, 0 no carrier

input queue (curr/max blocks): hardware (128/128) software (0/1)

output queue (curr/max blocks): hardware (0/1) software (0/1)

Hall of Fame Super Blue

Re: ping 501

How is the pix connected to the router - is it via a switch/hub or a crossover cable ?

Do you have access to the router or is this managed by your ISP ?

Jon

Community Member

Re: ping 501

the pic is connected to the dsl model via straight through cable

Hall of Fame Super Blue

Re: ping 501

Just tried telnetting to default-gateway and it let me in. don't worry i logged straight out again - is this your ADSL router ?

Jon

Community Member

Re: ping 501

yes the gateway is the dsl router witch is 81

84 is the pix 501

Hall of Fame Super Blue

Re: ping 501

How are the 2 connected to each other. If it is via a switch then you need to make sure the switch ports are in the same vlan.

Jon

Community Member

Re: ping 501

cable from port 1 of the modem to port 1 on the pix

Hall of Fame Super Blue

Re: ping 501

When you say port 1 on the pix what is it labelled as - it needs to be eth0. Eth1 is the inside interface.

Jon

Community Member

Re: ping 501

yeah its in eth 0

Community Member

Re: ping 501

STILL WANT ME TO TRY TAKING THIS LINE OUT

static (inside,outside) 68.213.152.84 10.7.2.13 netmask 255.255.255.255 0 0

Hall of Fame Super Blue

Re: ping 501

On your pix

debug packet outside src 86.132.8.127

I will then try pinging and you can see if any packets are arriving from me.

Jon

Community Member

Re: ping 501

ok added updated config attached

Hall of Fame Super Blue

Re: ping 501

I just tried pinging you, did you see anything on the pix - i'm assuming you are logged into pix.

For the life of me i cannot remember whether you should be using a crossover cable between the pix and the ADSL router - do you have one or a hub you could connect the pix into and the ADSL router ?

Community Member

Re: ping 501

-- IP --

86.132.8.127 ==> 68.213.152.84

ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x3c

id = 0x52c3 flags = 0x0 frag off=0x0

ttl = 0x6b proto=0x1 chksum = 0xc0d1

-- ICMP --

type = 0x8 code = 0x0 checksum=0xe35a

identifier = 0x200 seq = 0x6801

-- DATA --

00000010: 61 62 63 64 | abcd

00000020: 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 | efghijklmnopqrst

00000030: 75 76 77 61 62 63 64 65 66 67 68 69 00 | uvwabcdefghi.

--------- END OF PACKET ---------

--------- PACKET ---------

-- IP --

86.132.8.127 ==> 68.213.152.84

ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x3c

id = 0x52c4 flags = 0x0 frag off=0x0

ttl = 0x6b proto=0x1 chksum = 0xc0d0

-- ICMP --

type = 0x8 code = 0x0 checksum=0xe25a

identifier = 0x200 seq = 0x6901

-- DATA --

00000010: 61 62 63 64 | abcd

00000020: 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 | efghijklmnopqrst

00000030: 75 76 77 61 62 63 64 65 66 67 68 69 74 | uvwabcdefghit

--------- END OF PACKET ---------

--------- PACKET ---------

-- IP --

86.132.8.127 ==> 68.213.152.84

ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x3c

id = 0x52c5 flags = 0x0 frag off=0x0

ttl = 0x6b proto=0x1 chksum = 0xc0cf

-- ICMP --

type = 0x8 code = 0x0 checksum=0xe15a

identifier = 0x200 seq = 0x6a01

-- DATA --

00000010: 61 62 63 64 | abcd

00000020: 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 | efghijklmnopqrst

00000030: 75 76 77 61 62 63 64 65 66 67 68 69 00 | uvwabcdefghi.

--------- END OF PACKET ---------

--------- PACKET ---------

-- IP --

86.132.8.127 ==> 68.213.152.84

ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x3c

id = 0x52c6 flags = 0x0 frag off=0x0

ttl = 0x6b proto=0x1 chksum = 0xc0ce

-- ICMP --

type = 0x8 code = 0x0 checksum=0xe05a

identifier = 0x200 seq = 0x6b01

-- DATA --

00000010: 61 62 63 64 | abcd

00000020: 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 | efghijklmnopqrst

00000030: 75 76 77 61 62 63 64 65 66 67 68 69 00 | uvwabcdefghi.

--------- END OF PACKET ---------

Hall of Fame Super Blue

Re: ping 501

Okay, well packets are getting to your pix.

add this

debug packet outside dst 86.132.8.127

and remove that static line.

Community Member

Re: ping 501

ok done here is the ew config

Hall of Fame Super Blue

Re: ping 501

Okay, i can ping your pix now. It looks like it was the static (inside,outside) line. When the ping arrived at the outside interface of your pix it was then translated to 10.7.2.13 but you are not allowing ICMP through to your internal network.

Jon

Hall of Fame Super Blue

Re: ping 501

To tidy up

no debug all

sh debug - if there is still a debug line

no debug all

sh debug - etc..

no icmp permit any outside

Jon

Hall of Fame Super Blue

Re: ping 501

Right, i'm off out for a drink :-).

It's not an issue if you want to use the outside interface address to NAT to an internal address but you may want to use port-forwarding eg.

static (inside,outside) tcp interface www 10.7.2.13 www

If you don't specify ports you are not going to be able to ssh to the outside interface for example as it will try and forward it onto the internal address.

Hope this makes sense.

Jon

Community Member

Re: ping 501

ok so what would the line be for me to ssh to the outside interface?

Hall of Fame Super Blue

Re: ping 501

It's more a question of what you want to access on 10.7.2.13.

Without the static (inside,outside) line you should be able to ssh with your current config.

If you add the line back in as it was then you won't be able to ssh to the pix.

So lets say you just want to allow http and telnet to 10.7.2.13

static (inside,outside) tcp interface www 10.7.2.13

static (inside,outside) tcp interface telnet

10.7.2.13 telnet

If you put the above 2 lines in then you will be able to access http and telnet on 10.7.2.13 but you will also be able to ssh to the outside interface and ping it.

By the way, if the "interface" keyword doesn't work just substitute it with 68.213.152.84.

Jon

151
Views
5
Helpful
27
Replies
CreatePlease to create content