Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Ping outside interface of Pix from internet

I am testing a Pix prior to configuring IPSEC settings on the outside interface. The folks I am working with need to be able to Ping the outside interface of our Pix. I cannot figure out what I am missing that will not allow me to ping the outside interface from the internet.

I can ping the outside interface of the Pix from my router which is connected to the Outside interface of the PIX and I can ping both the outside and inside address of my router. The inside address of the router is in the same ip address set and subnet as the outside interface of the Pix.

Any help would be appriciated.

7 REPLIES
New Member

Re: Ping outside interface of Pix from internet

Can you ping the inside of your router from the internet? Clear arp on both router and pix. Are you doing a static NAT translation for the pix on the router?

Can you post your config?

Kurtis Durrett

New Member

Re: Ping outside interface of Pix from internet

Yes I can ping both the inside and outside of the router. And I can ping the outside interface of the pix from the router. I just cannot ping the outside interface of the pix from the internet.

Cisco Employee

Re: Ping outside interface of Pix from internet

Sounds like you don't have a default route set up on the PIX. Do you have a:

> route outside 0.0.0.0 0.0.0.0 x.x.x.x

line in your configuration somewhere, where x.x.x.x is the interface on your outside router that the PIX connects to?

New Member

Re: Ping outside interface of Pix from internet

I have a route that is setup by the Pix 66.45.121.0 255.255.255.0 66.45.121.1

The 66.45.121.1 would be the outside interface of the Pix.

I have 3 more active interfaces on the PIX the outside one is not my default path to the internet for my other users.

The outside interface on the PIX is being setup as special connection for a specific application.

So instead of a default route of 0.0.0.0 0.0.0.0 I will have to place route statements for each network with the interface of the router as the gateway?

I know the Config might help but I do not have a current config file with me.

Cisco Employee

Re: Ping outside interface of Pix from internet

Even if your outside interface isn't truly your connection to the Internet, you still need a default route pointing out whatever interface does connect. So let's say your "dmz" interface connects to the Internet, then just add:

> route dmz 0.0.0.0 0.0.0.0 x.x.x.x

where x.x.x.x is the IP address of the router that connects to the PIX's DMZ interface.

In short, you have to tell the PIX how to get to the rest of the world, it can only route packets that it knows how to get to, if it doesn't have a route then it can't forward them on.

New Member

Re: Ping outside interface of Pix from internet

--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --

I have a default route and everyone can get out to the internet, and it is pointing to the router that connects the users to the internet.

I have pasted an older confiig that should be an older version of the one currently on the pix.

Take a look and see what needs fixing. This is my first time to deal with so many interfaces.

The IPs are not the real IPAddress to the networks but they will fit as an example.

Version 6.2(2)

nameif ethernet0 net security50

nameif ethernet1 dmz1sher security85

nameif ethernet2 dmz2tx security65

nameif ethernet3 outside security0

nameif ethernet4 dmz3live security95

nameif ethernet5 intf5 security25

enable ** moderator edit **

passwd ** moderator edit **

hostname ** moderator edit **

domain-name

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

access-list acl_out permit icmp any any

access-list acl_out permit tcp any any

access-list acl_out permit tcp any host 192.168.0.3

access-list acl_in permit tcp any any

access-list acl_in permit icmp any any

access-list 101 permit ip nnn.nn.nn.0 255.255.255.240 yyy.yy.yy.0 255.255.255.0

access-list 101 permit ip nnn.nn.nn.0 255.255.255.240 nnn.nn.nn.240 255.255.255.248

pager lines 24

logging on

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

interface ethernet3 auto

interface ethernet4 auto shutdown

interface ethernet5 auto shutdown

mtu net 1500

mtu dmz1sher 1500

mtu dmz2tx 1500

mtu outside 1500

mtu dmz3live 1500

mtu intf5 1500

ip address net 192.168.0.1 255.255.255.128

ip address dmz1sher 10.120.30.2 255.255.254.0

ip address dmz2tx 172.16.0.1 255.255.240.0

ip address outside nnn.nn.nn.2 255.255.255.240

ip address dmz3live 10.0.8.1 255.255.255.240

ip address intf5 127.0.0.1 255.255.255.255

ip audit info action ** moderator edit **

ip audit attack action ** moderator edit **

no failover

failover timeout 0:00:00

failover poll 15

failover ip address net 0.0.0.0

failover ip address dmz1sher 0.0.0.0

failover ip address dmz2tx 0.0.0.0

failover ip address outside 0.0.0.0

failover ip address dmz3live 0.0.0.0

failover ip address intf5 0.0.0.0

pdm history enable

arp timeout 14400

global (net) 1 interface

global (dmz1sher) 1 interface

nat (dmz1sher) 1 0.0.0.0 0.0.0.0 0 0

nat (dmz2tx) 1 0.0.0.0 0.0.0.0 0 0

nat (outside) 1 0.0.0.0 0.0.0.0 0 0

nat (dmz3live) 0 access-list 101

nat (dmz3live) 1 0.0.0.0 0.0.0.0 0 0

static (dmz1sher,net) 192.168.0.3 10.120.30.4 netmask 255.255.255.255 0 0

access-group acl_out in interface net

route net 0.0.0.0 0.0.0.0 192.168.0.2 1

route outside nnn.nn.0.0 255.255.255.0 nnn.nn.nn.2 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community ** moderator edit **

no snmp-server enable traps

floodguard enable

no sysopt route dnat

telnet timeout 5

ssh timeout 5

terminal width 80

Cryptochecksum: ** moderator edit **

ig that should be an older version of the one currently on the pix.

Take a look and see what needs fixing. This is my first time to deal with so many interfaces.

New Member

Re: Ping outside interface of Pix from internet

Hi,

The default route is necessary because if you lack of it, the traffic do not know how to return to one that ping the outside interface of the PIX from the outside interface of your PIX.

Best Regards

Teru Lei

153
Views
0
Helpful
7
Replies
CreatePlease to create content