Pinging PIX Internal Interface

hleno · ‎01-26-2004

Hi..

How can I ping a PIX internal interface from another network?

Actually I can ping the PIX Internal Interface from the same network that .e.g (mask 255.255.0.0)

Pix Int. Interface: 10.100.5.12

My Ip : 10.100.0.75

But at my PIX firewall I have another 5 interfaces that I must ping from my Tivoli Netview server, but I can do it because it's on another network. Also I can reach any host of these networks routed by PIX, so I don't have a routing problem...

I've tried to use the <icmp> command with success.

Thanks in advance

Halan Leno

IT - Staff

Silvio Santos

Brazil

tvanginneken · ‎01-26-2004

Hi,

if you want to ping the internal interface from a network connected to another interface with a lower security level, then you need to create an access-list to allow the icmp traffic:

access-list test permit icmp any any

access-group test in interface

Kind Regards,

Tom

scoclayton · ‎01-27-2004

Actually, this is not 100% accurate based on my understanding of the original post. The above will work if you need to ping hosts off a lower security interface. However, I believe the original poster is trying to ping the interface itself from a device located off of another interface. If this is the case, you will not be able to do this. This is by design and is part of the PIX ASA (Adaptive Security Algorithm). Packets must ingress on one interface and egress another interface in order to be passed. The PIX will not redirect packets back out the same interface where it was received.

This has caused a number of problems in other cases such as this. So, I *think* this behavior is changing the in the 7.0 release of PIX which is due out the 2nd half of 2004. I would recommend speaking with your local Cisco acct team to be sure. Hope this helps.

Scott

hleno · ‎01-27-2004

Hi..

The access-list that you've suggested already had been configured, by the way this is my PIX configuration...

----------------------------------------------------

This is the access-list configuration:

access-list acl_mdc_inside_access permit icmp any any (interface 1)

access-list acl_mdc_gerencia_access permit icmp any any (interface 2)

access-list acl_mdc_andares_access permit icmp any any (interface 3)

access-list acl_mdc_sbt_access permit icmp any any (interface 4)

access-list acl_mdc_utdcap_access permit icmp any any (interface 5)

access-list acl_mdc_pan_access permit icmp any any (interface 6)

----------------------------------------

This is the access-group configuration:

access-group acl_mdc_inside_access in interface inside

access-group acl_mdc_gerencia_access in interface gerencia

access-group acl_mdc_andares_access in interface andares

access-group acl_mdc_pan_access in interface pan

access-group acl_mdc_sbt_access in interface sbt

----------------------------------------------------

ip address outside 10.127.16.1 255.255.254.0

ip address inside 10.127.24.1 255.255.254.0

ip address gerencia 10.127.8.193 255.255.255.224

ip address andares 10.127.0.1 255.255.254.0

ip address sbt 10.127.8.1 255.255.255.224

ip address utdcap 10.100.6.12 255.255.0.0

ip address pan 10.127.7.65 255.255.255.224

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 gerencia security95

nameif ethernet3 andares security90

nameif ethernet4 sbt security50

nameif ethernet5 utdcap security60

nameif ethernet6 pan security70

nameif ethernet7 failover security35

ip address outside 10.127.16.1 255.255.254.0

ip address inside 10.127.24.1 255.255.254.0

ip address gerencia 10.127.32.1 255.255.254.0

ip address andares 10.127.0.1 255.255.254.0

ip address sbt 10.127.8.1 255.255.255.224

ip address utdcap 10.100.6.12 255.255.0.0

ip address pan 10.127.8.65 255.255.255.224

ip address failover 127.0.0.1 255.255.255.255

e.g: From ip=10.127.33.3, I can't ping the PIX internal interface 10.100.6.12, but it is configured by acces-list: access-list acl_mdc_utdcap_access permit icmp any any (interface 5)

Thanks in advance;

Halan