01-26-2004 11:56 AM - edited 02-20-2020 11:12 PM
Hi..
How can I ping a PIX internal interface from another network?
Actually, I can ping the PIX internal interface from the same network, e.g. (mask 255.255.0.0):
Pix Int. Interface: 10.100.5.12
My Ip : 10.100.0.75
But on my PIX firewall I have another 5 interfaces that I must ping from my Tivoli Netview server, but I can do it because it's on another network. Also, I can reach any host on these networks routed by the PIX, so I don't have a routing problem...
I've tried to use the <icmp> command with success.
Thanks in advance
Halan Leno
IT - Staff
Silvio Santos
Brazil
01-26-2004 12:13 PM
Hi,
If you want to ping the internal interface from a network connected to another interface with a lower security level, then you need to create an access-list to allow the ICMP traffic:
access-list test permit icmp any any
access-group test in interface
Kind Regards,
Tom
01-27-2004 07:41 AM
Actually, this is not 100% accurate based on my understanding of the original post. The above will work if you need to ping hosts off a lower security interface. However, I believe the original poster is trying to ping the interface itself from a device located off of another interface. If this is the case, you will not be able to do this. This is by design and is part of the PIX ASA (Adaptive Security Algorithm). Packets must ingress on one interface and egress on another interface in order to be passed. The PIX will not redirect packets back out the same interface where they were received.
This has caused a number of problems in other cases such as this. So, I *think* this behavior is changing in the 7.0 release of PIX, which is due out the 2nd half of 2004. I would recommend speaking with your local Cisco acct team to be sure. Hope this helps.
Scott
01-27-2004 11:16 AM
Hi..
The access-list that you've suggested has already been configured; by the way, this is my PIX configuration...
----------------------------------------------------
This is the access-list configuration:
access-list acl_mdc_inside_access permit icmp any any (interface 1)
access-list acl_mdc_gerencia_access permit icmp any any (interface 2)
access-list acl_mdc_andares_access permit icmp any any (interface 3)
access-list acl_mdc_sbt_access permit icmp any any (interface 4)
access-list acl_mdc_utdcap_access permit icmp any any (interface 5)
access-list acl_mdc_pan_access permit icmp any any (interface 6)
----------------------------------------
This is the access-group configuration:
access-group acl_mdc_inside_access in interface inside
access-group acl_mdc_gerencia_access in interface gerencia
access-group acl_mdc_andares_access in interface andares
access-group acl_mdc_pan_access in interface pan
access-group acl_mdc_sbt_access in interface sbt
----------------------------------------------------
ip address outside 10.127.16.1 255.255.254.0
ip address inside 10.127.24.1 255.255.254.0
ip address gerencia 10.127.8.193 255.255.255.224
ip address andares 10.127.0.1 255.255.254.0
ip address sbt 10.127.8.1 255.255.255.224
ip address utdcap 10.100.6.12 255.255.0.0
ip address pan 10.127.7.65 255.255.255.224
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 gerencia security95
nameif ethernet3 andares security90
nameif ethernet4 sbt security50
nameif ethernet5 utdcap security60
nameif ethernet6 pan security70
nameif ethernet7 failover security35
ip address outside 10.127.16.1 255.255.254.0
ip address inside 10.127.24.1 255.255.254.0
ip address gerencia 10.127.32.1 255.255.254.0
ip address andares 10.127.0.1 255.255.254.0
ip address sbt 10.127.8.1 255.255.255.224
ip address utdcap 10.100.6.12 255.255.0.0
ip address pan 10.127.8.65 255.255.255.224
ip address failover 127.0.0.1 255.255.255.255
e.g.: From IP 10.127.33.3, I can't ping the PIX internal interface 10.100.6.12, but it is allowed by the access-list: access-list acl_mdc_utdcap_access permit icmp any any (interface 5)
Thanks in advance;
Halan
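Added example (not from the thread or from Cisco): a small Python model of the rule Scott describes, applied to the interface addresses Halan posted. It maps a source address to the PIX interface it would arrive on (directly connected networks only, an assumption) and reports whether a ping to a PIX interface address is answered, i.e. only when the ingress interface is the one whose address is being pinged.

```python
import ipaddress

# Constructed from the "ip address" lines posted in the thread above
# (second block); the failover interface is omitted.
PIX_CONFIG = """
ip address outside 10.127.16.1 255.255.254.0
ip address inside 10.127.24.1 255.255.254.0
ip address gerencia 10.127.32.1 255.255.254.0
ip address andares 10.127.0.1 255.255.254.0
ip address sbt 10.127.8.1 255.255.255.224
ip address utdcap 10.100.6.12 255.255.0.0
ip address pan 10.127.8.65 255.255.255.224
"""


def parse_interfaces(config):
    """Return {name: (interface address, connected network)} from 'ip address' lines."""
    ifaces = {}
    for line in config.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[:2] == ["ip", "address"]:
            _, _, name, ip, mask = parts
            iface = ipaddress.ip_interface(f"{ip}/{mask}")  # accepts a dotted netmask
            ifaces[name] = (iface.ip, iface.network)
    return ifaces


def ingress_interface(ifaces, src):
    """Longest-prefix match of src against the connected networks (None if no match).
    Assumption: only directly connected networks, no static routes."""
    src = ipaddress.ip_address(src)
    matches = [(net.prefixlen, name) for name, (_, net) in ifaces.items() if src in net]
    return max(matches)[1] if matches else None


def ping_to_interface_allowed(ifaces, src, dst):
    """Rule from the thread: a PIX interface address answers ICMP only for packets
    arriving on that same interface; an access-list permitting icmp does not change this.
    Returns (allowed, ingress interface, target interface)."""
    dst = ipaddress.ip_address(dst)
    target = next((name for name, (ip, _) in ifaces.items() if ip == dst), None)
    if target is None:
        raise ValueError(f"{dst} is not a PIX interface address")
    ingress = ingress_interface(ifaces, src)
    return ingress == target, ingress, target


INTERFACES = parse_interfaces(PIX_CONFIG)

if __name__ == "__main__":
    for src in ("10.100.0.75", "10.127.33.3"):
        print(src, "->", "10.100.6.12:", ping_to_interface_allowed(INTERFACES, src, "10.100.6.12"))
```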