Cisco Support Community
New Member

Unable to ping externally

Hi,

I am new to Cisco PIX so please excuse me for my very limited knowledge of PIX configuration.

We have an ADSL router performing NAT.

Its internal interface is 192.168.5.1

The ADSL router is connected to the external interface of the PIX 506e (192.168.5.3)

The PIX's internal interface (192.168.6.1) is connected through to the LAN.

The PIX can ping externally.

The LAN can ping the PIX internal interface.

The LAN cannot ping the external interface of the PIX or ping externally

Below is the response from trying to ping externally from the LAN and I have placed the config output below it. I can see that the translation is not getting done correctly but I can’t figure out why.

Any ideas?

136: ICMP echo-request from inside:192.168.6.2 to 195.16.220.1 ID=512 seq=33792 length=40
137: ICMP echo-request: translating inside:192.168.6.2 to outside:192.168.6.2
138: ICMP echo-request from inside:192.168.6.2 to 195.16.220.1 ID=512 seq=34048 length=40
139: ICMP echo-request: translating inside:192.168.6.2 to outside:192.168.6.2
140: ICMP echo-request from inside:192.168.6.2 to 195.16.220.1 ID=512 seq=34304 length=40
141: ICMP echo-request: translating inside:192.168.6.2 to outside:192.168.6.2
142: ICMP echo-request from inside:192.168.6.2 to 195.16.220.1 ID=512 seq=34560 length=40
143: ICMP echo-request: translating inside:192.168.6.2 to outside:192.168.6.2

pix1(config)# show conf
: Saved
: Written by fred at 12:41:35.726 GMT Wed Oct 5 2005
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxx encrypted
passwd xxxxxxxxxxx encrypted
hostname pix
domain-name ciscopix.com
clock timezone GMT 12
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_out permit icmp any any
pager lines 22
logging on
logging timestamp
logging console critical
logging buffered debugging
logging trap debugging
logging history informational
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 192.168.5.3 255.255.255.0
ip address inside 192.168.6.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.6.21 255.255.255.255 inside
pdm location 192.168.6.2 255.255.255.255 inside
pdm logging debugging 100
pdm history enable
arp timeout 14400
nat (inside) 0 192.168.6.0 255.255.255.0 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.5.1 1
timeout xlate 1:00:00
timeout conn 30:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.21 255.255.255.255 inside
http 192.168.6.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.6.21 c:\tftp
floodguard enable
fragment chain 1 outside
telnet timeout 5
ssh 192.168.6.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
username fred password xxxxxxxx encrypted privilege 15
terminal width 80
Cryptochecksum:xxxx
pix1(config)#

Thanks for your time.


Accepted Solutions
Gold

Re: Unable to ping externally

internet <--> adsl router <--192.168.5.0--> pix <--> 192.168.6.0

assuming the above topology is accurate, a route needs to be added onto the adsl router.

originally, you mentioned that a pc behind the pix can't get any echo response from the internet.

imagine an echo response arrives at the adsl router with destination 192.168.6.0. now, the adsl router will then try to determine the next hop. however, there is no route pointing to the pix for 192.168.6.0. as a result the adsl router will use the default gateway that is the internet, thus the echo response can never be received by the pc behind the pix.
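The routing decision the accepted answer describes, modelled in a small Python script added here for illustration (it is not code from the thread, from Cisco, or from the PIX). The routing tables are constructed from the topology in the thread and the posted `route outside` line; the `isp-next-hop` label is a placeholder for the ADSL router's WAN gateway, and the ADSL router's own NAT step is left out of the model.

```python
import ipaddress

# Constructed routing tables for the topology in the thread:
#   internet <--> adsl router <--192.168.5.0/24--> pix <--> 192.168.6.0/24
# ADSL router LAN side 192.168.5.1, PIX outside 192.168.5.3, PIX inside 192.168.6.1.
# "isp-next-hop" is a placeholder for the router's WAN default gateway.
ADSL_ROUTER_BEFORE = [
    ("192.168.5.0/24", "connected"),     # directly attached LAN segment
    ("0.0.0.0/0", "isp-next-hop"),       # default route towards the internet
]
# The static route the accepted answer says is missing on the ADSL router.
ADSL_ROUTER_AFTER = ADSL_ROUTER_BEFORE + [("192.168.6.0/24", "192.168.5.3")]

# PIX table from the posted config: two connected interfaces plus
# "route outside 0.0.0.0 0.0.0.0 192.168.5.1 1".
PIX_TABLE = [
    ("192.168.6.0/24", "connected-inside"),
    ("192.168.5.0/24", "connected-outside"),
    ("0.0.0.0/0", "192.168.5.1"),
]


def lookup(table, dst):
    """Longest-prefix match: the most specific prefix containing dst wins.
    Returns the next hop, or None if no prefix matches."""
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, next_hop
    return best_hop


def request_path(host, remote):
    """Hops an echo-request from the LAN host takes towards the internet."""
    hops = [host, "pix"]
    if lookup(PIX_TABLE, remote) == "192.168.5.1":
        hops.append("adsl-router")       # the ADSL router NATs and forwards it (NAT step not modelled)
        hops.append("internet")
    return hops


def reply_path(adsl_table, host):
    """Hops the echo-reply takes on the way back; the last element is where it ends up."""
    hops = ["internet", "adsl-router"]
    next_hop = lookup(adsl_table, host)
    if next_hop == "192.168.5.3":
        hops.append("pix")
        if lookup(PIX_TABLE, host) == "connected-inside":
            hops.append(host)            # delivered to the LAN host
    elif next_hop == "isp-next-hop":
        hops.append("internet")          # sent back out the WAN: the reply is lost
    return hops


def reply_delivered(adsl_table, host="192.168.6.2"):
    """True when the reply ends at the LAN host rather than being bounced back out."""
    return reply_path(adsl_table, host)[-1] == host


if __name__ == "__main__":
    for label, table in (("without route", ADSL_ROUTER_BEFORE), ("with route", ADSL_ROUTER_AFTER)):
        print(label, "->", " > ".join(reply_path(table, "192.168.6.2")))
```

Running it prints the two return paths side by side: without the route the reply leaves the ADSL router on its default route, with the route it reaches the PIX and then the host. The outbound direction works in both cases, which is why `debug icmp trace` on the PIX shows only echo-requests being translated and never a reply arriving.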

12 REPLIES
Cisco Employee

Re: Unable to ping externally

Add the following to your config:

fixup protocol icmp

fixup protocol icmp error

The PIX by default doesn't inspect (and open holes for the return traffic) for ICMP, only TCP and UDP packets. By turning on ICMP inspection via the fixup commands the PIX will allow the returning packets back in.

Also note that you will never be able to ping a PIX interface from a host connected to another interface on a PIX. In other words you will never, even with the above commands, be able to ping the outside interface of the PIX from a host on the inside. This is just the way the PIX works. The above commands will allow you to ping THROUGH the PIX though.

New Member

Re: Unable to ping externally

Hi, thanks for that but the 'fixup icmp' command did not run. fixup icmp error did though.

I still cannot ping through the pix though. I'm pretty sure it is a problem with the translation though - based on the line

ICMP echo-request: translating inside:192.168.6.2 to outside:192.168.6.2

Any further ideas? Thanks for your time. Much appreciated.

Gold

Re: Unable to ping externally

there is no nat/pat statement on the pix except "nat (inside) 0 192.168.6.0 255.255.255.0 0 0".

you mentioned that the nat/pat is being performed on the adsl router rather than the pix. so isn't that what you want?

one way to simplify your network is to (only works if adsl is pppoe or static):

1. configure the adsl router into bridge-mode.

2. configure pppoe client on the pix.

3. configure pat on the pix.

in that case, you don't have to play with both pix and adsl router for future development.

New Member

Re: Unable to ping externally

Hi,

Unfortunately our ISP does not support PPPoE so that is not an option. We do have a static IP address assigned, or are you referring to a static route that should be in place on the PIX?

Any further options with the ADSL router performing NAT?

Thanks

Gold

Re: Unable to ping externally

"Unfortunatly our ISP does not support PPoE so that is not an option. We do have a static IP address assigned, or are you refering to a static route that should be in place on the PIX?

Any further options with the ADSL router preforming NAT?"

it's fine with a static ip. so firstly, configure the adsl router into bridging mode, then configure the public ip on the pix outside interface.

New Member

Re: Unable to ping externally

Here's what I think in '[ ]':

The PIX can ping externally. [of course]

The LAN can ping the PIX internal interface. [of course]

The LAN cannot ping the external interface of the PIX or ping externally [never designed that way]

Here's my recommendation:

Change your 'nat 0' statement to a static statement. Do, 'static (inside, outside) 192.168.6.0 192.168.6.0 netmask 255.255.255.0'.

You can skip the above recommendation, it does the same thing as the 'nat 0' statement, however, it should help you in the long run in terms of 'advanced' configuration.

Most importantly, apply an inbound access-list to the 'outside' interface of the firewall to allow your 'echo-reply' traffic back. This is why you are not getting responses.

try this:

access-list acl_outside permit icmp any any echo-reply

access-group acl_outside in interface outside

New Member

Re: Unable to ping externally

Hi,

Your summarization is correct but sorry, that didn't work either.

Still getting

136: ICMP echo-request from inside:192.168.6.2 to 216.239.37.99 ID=512 seq=33792 length=40
137: ICMP echo-request: translating inside:192.168.6.2 to outside:192.168.6.2

from the debug icmp trace when I'm trying to ping from the LAN to the Internet.

If I connect the LAN directly to the ADSL router, it tests fine so that definitely indicates that the problem lies with the PIX.

I'm really just trying to establish connectivity through the PIX before setting up web server access.

New Member

Re: Unable to ping externally

Hi Brian,

This might be a stupid observation, but in case you have added the access-list to allow icmp echo-replies back to your clients, the only thing missing could be a route back from your adsl router towards your 192.168.6.X network .. is that route in place?

If the error was on the PIX, you should see an error message there - in the log.
