I need to ping a set of remote hosts to determine connectivity. I want to use object-groups to limit the number of commands used. I have the ICMP group set for echo-reply, source-quench, unreachable, and time-exceeded. I also have a network object group set up for the 5 remote hosts to be pinged. However, I am having trouble incorporating these object-groups into the static and Access-list commands in any way that allows the ping set back in the PIX. What could be going wrong?
I'm just not getting the replies, and the network is up. (By the way, would it complicate matters if this was through a VPN tunnel? It is. However, my users are getting their traffic through the tunnel and I can see that it is up and running.)
Yes, I have been finding this out about the static command the hard way. But, I thought (and was taught) that you could substitute object-groups anywhere that the individual service, protocol, or network address could go?
The IP addresses have been changed for security reasons (and are random out of my head.)
What you see below are some command sets that I have tried at various times.
So it looks as though the access-list statement is where I am in error. Please tell me if I am reading this correctly..."access-list 101 permit icmp object-group mydestination any object-group icmp-allowed" translates to "permit icmp from mydestination to icmp-allowed", correct? What does the 'any' in there do? It looks out of place to me, since I have the source and destination in there already. Also, why can't I use Object-grouping in the Static command for network and protocols?
icmp-allowed is the type of icmp to be allowed, e.g. echo-reply etc.
NO, it does not translate to this. It translates to
"permit icmp from mydestination to *ANY* but only these icmp-types are allowed."
I don't have an answer for why we can't use object-grouping in static. My best guess is that, usually, statics are based on IPs to IPs, with some continuity in the IP addresses, so that it can be summarized. If you make an Object Group for static you may put discontiguous IP addresses in it, etc.
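The reading given in the reply above, written out as a complete configuration fragment. This is an added example, not the original poster's configuration or anything posted in the thread: the group names mydestination and icmp-allowed are taken from the thread, while every IP address and the interface names are placeholders, and the `static` line is shown only to illustrate that it takes literal addresses rather than object-groups, as the replies state.

```cisco
! Network object-group: the five remote hosts being pinged
! (placeholder addresses; substitute the real remote hosts)
object-group network mydestination
  network-object host 192.0.2.11
  network-object host 192.0.2.12
  network-object host 192.0.2.13
  network-object host 192.0.2.14
  network-object host 192.0.2.15

! ICMP-type object-group: the reply/error types to let back in
object-group icmp-type icmp-allowed
  icmp-object echo-reply
  icmp-object source-quench
  icmp-object unreachable
  icmp-object time-exceeded

! Source = the remote hosts (object-group mydestination)
! Destination = any (the address the pings were sent from)
! Last field = the permitted ICMP types (object-group icmp-allowed)
access-list 101 permit icmp object-group mydestination any object-group icmp-allowed

! Apply the list inbound on the interface facing the remote hosts
access-group 101 in interface outside

! static takes literal addresses only; object-groups are not accepted here
! (placeholder addresses: global 203.0.113.5 maps to inside host 10.1.1.5)
static (inside,outside) 203.0.113.5 10.1.1.5 netmask 255.255.255.255
```

Each ACL entry permits one protocol between a source, a destination and (for icmp) a type, so the `any` is the destination field, not a third party in the exchange.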
We have configured the outside and inside Interface with official ipv6 addresses, set a default route on the outside Interface to our router, and we also have defined a rule, which also gets hits, to permit tcp from the inside Interface to any6.
In Syslog I also se...