1034 Views, 0 Helpful, 7 Replies

Remote Access Question

jeff slansky
Level 1

If i have a remote access vpn setup and i have a connected host, should i be able to ping that host from the inside interface of the cisco device?

i can ping it on the outside but not the inside.

what should be done to allow that?

jeff                

7 Replies

jeff slansky
Level 1

im guessing we just all post our problems but do not actually help anyone with theirs around here?

so far that has been the experience.

jeff

The inside ping answer depends on the device type, which you didn't specify.  Pix and ASA firewalls have never supported inside ping; switches and routers always have.

-- Jim Leinweber, WI State Lab of Hygiene

hi,

thanks for your reply. i really appreciate it.

i do have a pix. it is a 525 with 8.0.4.

shouldn't i be able to configure it to allow the ping, even if not by default? if there is a device that is connected to the network, whether or not it's internal, i would expect to be able to do that.

how would this be configured?

this is merely a step in troubleshooting a larger problem related to the remote access, in that the connected host i am trying to ping can't see anything on the network at all.

jeff

> ...  shouldn't i be able to configure it to allow the ping ...?

You would think so, but no.  This seems to be peculiar to Cisco firewalls; on every other internet host including Cisco switches and Cisco routers the answer is yes, which is why you are feeling so surprised by the omission.  In a topology of:

         A ---- [outside] {Pix B} [inside] ----- C

The pings that work are:

   A can ping B outside + C

   B itself can ping A + C

   C can ping B inside + A

But, A can't ping the B inside interface, and C can't ping the B outside interface.

-- Jim Leinweber, WI State Lab of Hygiene

ok. the problem that i am having is exactly that. something is wrong.

1) not sure if A can ping b outside. i did not test that. i would assume so since it is connected on a tunnel already

2) A can't ping C, D, E, F or any other letter in the alphabet LOL.

3) C can't ping A, but C can ping CDEF etc, and the B Inside. unsure about B outside. something tells me that doesn't make sense.

4) B outside can ping A but B inside can't ping A

this tells me that there is nothing wrong with the inside network. i can ping inside and outside by the host name right?

i will add my config in a few minutes. the goal is simply to setup the most basic remote access vpn i can to start. preferably with one force tunnel and one split tunnel acl.

kevin

There are 3 separate issues to disentangle here:

1) what can Pix equipment do? 

A: it can't respond to pings from the inside of interfaces.

2) what do the ACL's allow? 

A: if you have no ACL's, in the default configuration traffic flow is determined by a combination of the interface security levels and the global inspection policy. Typically the inside interface would be security level 100, the outside 0, the inspection policy would include icmp, and there would be no access-group statements. In this case inside host C can ping outside host A above, but A will be blocked at the outside interface of the pix. Note that the ACL's control what is going *through* the Pix; what happens on the interface itself (A -> outside B) is controlled separately, and the details vary between ASA software versions. In 8.0 it's controlled by global icmp statements. If you have ACLs and access-group statements assigning them to interfaces what happens is controlled by the ACLs, and the security levels become irrelevant. That is actually normal.

3) What's in DNS? 

A: if all of the hosts and interfaces are in DNS, you can ping them by name, otherwise you have to do the omitted ones by raw IP address.

-- Jim Leinweber, WI State Lab of Hygiene

hi,

1) you had said "A can ping B outside + C" under pings that work. i had said that i can't do that which means there is a problem right?

2) im ok with the dns principles. assume all pings are ip pings and not dns pings. the above still fails as A can not ping C

3) the results of the config file below are that any host on the outside interface, can not ping any external ip or internal host. it can however ping the outside interface ip. this would be B outside in your example.

4) attached is the show config output and the lan config diagram. only thing to note about the picture is that the netgear router is out of the mix. its an access point only and the ip of the netgear is not the inside ip of the cisco switch. the lan architecture is identical aside from that.

show config
: Saved
: Written by enable_15 at 06:25:46.787 UTC Fri Oct 18 2013
!
PIX Version 8.0(4)
!
hostname thcvpn01
domain-name somewhere.net
enable password * encrypted
passwd * encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.1.1.1 255.0.0.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 208.67.222.222
name-server 208.67.222.220
domain-name thehoodedcoder.net
object-group icmp-type ICMPObject
icmp-object echo-reply
icmp-object source-quench
icmp-object time-exceeded
icmp-object unreachable
access-list outside_access_in extended permit icmp any any object-group ICMPObject
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool ThcIPPool 10.1.1.40-10.1.1.49
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (inside) 101 10.0.0.0 255.0.0.0
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set THCTransformSet esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map THCDynamicMap 1 set transform-set THCTransformSet
crypto dynamic-map THCDynamicMap 1 set security-association lifetime seconds 28800
crypto dynamic-map THCDynamicMap 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map THCDynamicMap 1 set reverse-route
crypto map THCCryptoMap 1 ipsec-isakmp dynamic THCDynamicMap
crypto map THCCryptoMap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username [username] password [password] encrypted
tunnel-group THCVpnGroup type remote-access
tunnel-group THCVpnGroup general-attributes
address-pool ThcIPPool
tunnel-group THCVpnGroup ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:0be52458c95d5dd080d82401982201ee

jeff
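Jim's split between what the Pix answers on its own interfaces (the global icmp statements in 8.0) and what the inbound ACLs or security levels let through it can be checked mechanically against a config like the one posted above. The Python below is an added example for this thread, not Cisco code and not something either poster wrote: it parses a constructed excerpt modelled on Jeff's config (the two `icmp ... inside` statements are an assumption added to exercise the to-the-box controls; the posted config has none) and reports whether an echo crosses the box and whether an interface will answer one. Function names, the `AsaConfig` container and `SAMPLE_CONFIG` are all this example's own.

```python
"""Toy reader for a PIX/ASA 8.0 style config (an added example, not a Cisco tool).
It extracts security levels, inbound access-groups, icmp-type object-groups,
"inspect icmp" and per-interface "icmp permit/deny" lines, then answers Jim's two
separate questions: may an echo cross the box, and will an interface answer one?"""
import ipaddress
from dataclasses import dataclass, field

# Constructed excerpt modelled on the posted config; the two "icmp ... inside" lines
# are an added assumption, present only to exercise the to-the-box rules.
SAMPLE_CONFIG = """\
interface Ethernet0
 nameif outside
 security-level 0
interface Ethernet1
 nameif inside
 security-level 100
object-group icmp-type ICMPObject
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object unreachable
access-list outside_access_in extended permit icmp any any object-group ICMPObject
access-group outside_access_in in interface outside
icmp permit 10.1.1.0 255.255.255.0 inside
icmp deny any inside
policy-map global_policy
 class inspection_default
  inspect icmp
"""

@dataclass
class AsaConfig:
    levels: dict = field(default_factory=dict)         # nameif -> security-level
    acls: dict = field(default_factory=dict)           # name -> [(action, proto, icmp types)]
    access_groups: dict = field(default_factory=dict)  # nameif -> ACL applied inbound
    icmp_groups: dict = field(default_factory=dict)    # object-group -> {icmp types}
    icmp_rules: dict = field(default_factory=dict)     # nameif -> [(action, source net)]
    inspect_icmp: bool = False

def _skip_addr(tok, i):  # step over one ACL address operand: any | host A | object-group G | A MASK
    return i + 1 if tok[i] == "any" else i + 2

def parse_config(text):
    cfg, nameif, group = AsaConfig(), None, None
    for tok in (line.split() for line in text.splitlines() if line.strip()):
        if tok[0] == "interface":
            nameif = None
        elif tok[0] == "nameif":
            nameif = tok[1]
        elif tok[0] == "security-level" and nameif:
            cfg.levels[nameif] = int(tok[1])
        elif tok[:2] == ["object-group", "icmp-type"]:
            group = tok[2]
            cfg.icmp_groups[group] = set()
        elif tok[0] == "icmp-object" and group:
            cfg.icmp_groups[group].add(tok[1])
        elif tok[0] == "access-list" and "extended" in tok:
            # access-list NAME extended ACTION PROTO SRC DST [TYPE | object-group G]
            i = tok.index("extended")
            rest = tok[_skip_addr(tok, _skip_addr(tok, i + 3)):]
            types = None  # None: every ICMP type matches
            if rest[:1] == ["object-group"]:
                types = cfg.icmp_groups.get(rest[1], set())
            elif rest:
                types = {rest[0]}
            cfg.acls.setdefault(tok[1], []).append((tok[i + 1], tok[i + 2], types))
        elif tok[0] == "access-group" and "in" in tok:
            cfg.access_groups[tok[-1]] = tok[1]
        elif tok[0] == "icmp" and tok[1] in ("permit", "deny"):
            # icmp ACTION (any | host A | A MASK) [TYPE] IFACE: controls pings to the box itself
            net = "0.0.0.0/0" if tok[2] == "any" else tok[3] if tok[2] == "host" else f"{tok[2]}/{tok[3]}"
            cfg.icmp_rules.setdefault(tok[-1], []).append((tok[1], ipaddress.ip_network(net)))
        elif tok[:2] == ["inspect", "icmp"]:
            cfg.inspect_icmp = True
    return cfg

def echo_through(cfg, ingress, egress):
    """Through-traffic: is an echo entering on `ingress` and leaving on `egress` allowed?
    ACL source/destination are assumed to be 'any' (as posted); only the ICMP type is checked."""
    acl = cfg.access_groups.get(ingress)
    if acl:  # once an ACL is bound inbound it decides; the security levels no longer matter
        for action, proto, types in cfg.acls.get(acl, []):
            if proto in ("ip", "icmp") and (types is None or "echo" in types):
                return action == "permit", f"ACL {acl} {action}s icmp echo"
        return False, f"ACL {acl} has no entry matching icmp echo: implicit deny"
    if cfg.levels[ingress] > cfg.levels[egress]:
        reply = "inspect icmp returns the reply" if cfg.inspect_icmp else "the reply needs its own permit"
        return True, f"no ACL: higher to lower security level is allowed; {reply}"
    return False, "no ACL: lower to higher security level is blocked"

def ping_interface(cfg, arrives_on, target, src_ip):
    """To-the-box: will interface `target` answer an echo from `src_ip` arriving on `arrives_on`?"""
    if arrives_on != target:
        return False, "PIX/ASA answers only on the interface facing the sender"
    rules = cfg.icmp_rules.get(target)
    if not rules:
        return True, "no icmp statements on this interface: every ping is answered"
    for action, net in rules:  # first match wins, implicit deny at the end
        if ipaddress.ip_address(src_ip) in net:
            return action == "permit", f"matched icmp {action} {net} {target}"
    return False, "icmp statements present but none match: implicit deny"
```

Run against the excerpt, `echo_through(cfg, "outside", "inside")` is refused because `outside_access_in` only permits the reply-type ICMP messages in `ICMPObject`, never `echo`, while `echo_through(cfg, "inside", "outside")` is allowed by the 100-to-0 security levels with `inspect icmp` carrying the reply back; `ping_interface(cfg, "outside", "inside", ...)` is always refused, which is Jim's "A can't ping the B inside interface". The model is deliberately narrow: it ignores ACL source and destination operands, NAT, and the VPN-specific `sysopt connection permit-vpn` bypass that is on by default in 8.0 and lets decrypted tunnel traffic skip the interface ACL, so a real remote-access troubleshoot still needs `show` output from the box.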