https://community.cisco.com/t5/network-security/cannot-ping-interfaces-on-pix/m-p/670345#M496951 <HTML><HEAD></HEAD><BODY><P>I think I already have everything it shows...</P><P></P><P>access-list dmz1_in permit ip host helix-local any </P><P>access-list dmz1_in permit ip 192.168.140.0 255.255.255.0 host helix-local </P><P>access-list dmz1_in permit icmp any any </P><P>access-list outside_in permit icmp any any </P><P>icmp permit any outside </P><P>icmp permit any inside </P><P>icmp permit any dmz1 </P><P>ip address outside 1.1.1.2 255.255.255.224 </P><P>ip address inside 192.168.140.3 255.255.255.0 </P><P>ip address dmz1 10.10.240.2 255.255.255.0</P><P>global (outside) 1 1.1.1.10-1.1.1.20 netmask 255.255.255.224 </P><P>nat (inside) 1 0.0.0.0 0.0.0.0 0 0 </P><P>static (dmz1,outside) helix-internet helix-local netmask 255.255.255.255 0 0 </P><P>static (dmz1,inside) 10.10.240.0 10.10.240.0 netmask 255.255.255.0 0 0 </P><P>static (inside,dmz1) 192.168.140.0 192.168.140.0 netmask 255.255.255.0 0 0 </P><P>access-group dmz1_in in interface dmz1 </P><P>access-group outside_in in interface outside </P><P>route outside 0.0.0.0 0.0.0.0 1.1.1.1 1 </P><P></P></BODY></HTML> Fri, 27 Oct 2006 12:26:59 GMT cybrsage 2006-10-27T12:26:59Z https://community.cisco.com/t5/network-security/cannot-ping-interfaces-on-pix/m-p/670343#M496949 <P>I can ping the local interface, but not the other two interfaces (Inside cannot ping DMZ, etc). Machines in each respective area cannot ping machines in any other area either.</P><P></P><P>Here is my config, any help would be appreciated (config has non-relevant items removes):</P><P></P><P>PIX Version 6.3(5)</P><P>interface ethernet0 100full</P><P>interface ethernet1 100full</P><P>interface ethernet2 100full</P><P>nameif ethernet0 outside security0</P><P>nameif ethernet1 inside security100</P><P>nameif ethernet2 dmz1 security10</P><P>(standard fixup lines)</P><P>names</P><P>name 10.10.240.10 helix-local</P><P>name 1.1.1.5 helix-internet</P><P>access-list dmz1_in permit ip host helix-local any </P><P>access-list dmz1_in permit ip 192.168.140.0 255.255.255.0 host helix-local </P><P>access-list dmz1_in permit icmp any any</P><P>access-list outside_in permit icmp any any </P><P>icmp permit any outside</P><P>icmp permit any inside</P><P>icmp permit any dmz1</P><P>mtu outside 1500</P><P>mtu inside 1500</P><P>mtu dmz1 1500</P><P>ip address outside 1.1.1.2 255.255.255.224</P><P>ip address inside 192.168.140.3 255.255.255.0</P><P>ip address dmz1 10.10.240.2 255.255.255.0</P><P>failover timeout 0:00:00</P><P>failover poll 7</P><P>failover ip address outside 1.1.41.3</P><P>failover ip address inside 192.168.140.4</P><P>failover ip address dmz1 10.10.240.3</P><P>failover link inside</P><P>pdm history enable</P><P>arp timeout 14400</P><P>global (outside) 1 1.1.1.10-1.1.1.20 netmask 255.255.255.224</P><P>nat (inside) 1 0.0.0.0 0.0.0.0 0 0</P><P>static (dmz1,outside) helix-internet helix-local netmask 255.255.255.255 0 0 </P><P>static (dmz1,inside) 10.10.240.0 10.10.240.0 netmask 255.255.255.0 0 0 </P><P>static (inside,dmz1) 192.168.140.0 192.168.140.0 netmask 255.255.255.0 0 0 </P><P>access-group dmz1_in in interface dmz1</P><P>access-group outside_in in interface outside</P><P>route outside 0.0.0.0 0.0.0.0 1.1.1.1 1</P><P>(timeouts, etc)</P><P>floodguard enable</P><P>telnet 192.168.140.0 255.255.255.0 inside</P><P>telnet 192.168.140.0 255.255.255.0 dmz1</P><P>telnet timeout 5</P><P>ssh timeout 5</P><P>console timeout 0</P><P></P><P></P><P>Points are always given to those who help <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Fri, 21 Feb 2020 09:16:13 GMT https://community.cisco.com/t5/network-security/cannot-ping-interfaces-on-pix/m-p/670343#M496949 cybrsage 2020-02-21T09:16:13Z https://community.cisco.com/t5/network-security/cannot-ping-interfaces-on-pix/m-p/670344#M496950 <HTML><HEAD></HEAD><BODY><P>Take a look here:</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/warp/public/110/31.html" target="_blank">http://www.cisco.com/warp/public/110/31.html</A></P><P></P><P>Hope this helps</P></BODY></HTML> Fri, 27 Oct 2006 11:38:45 GMT https://community.cisco.com/t5/network-security/cannot-ping-interfaces-on-pix/m-p/670344#M496950 jmia 2006-10-27T11:38:45Z https://community.cisco.com/t5/network-security/cannot-ping-interfaces-on-pix/m-p/670345#M496951 <HTML><HEAD></HEAD><BODY><P>I think I already have everything it shows...</P><P></P><P>access-list dmz1_in permit ip host helix-local any </P><P>access-list dmz1_in permit ip 192.168.140.0 255.255.255.0 host helix-local </P><P>access-list dmz1_in permit icmp any any </P><P>access-list outside_in permit icmp any any </P><P>icmp permit any outside </P><P>icmp permit any inside </P><P>icmp permit any dmz1 </P><P>ip address outside 1.1.1.2 255.255.255.224 </P><P>ip address inside 192.168.140.3 255.255.255.0 </P><P>ip address dmz1 10.10.240.2 255.255.255.0</P><P>global (outside) 1 1.1.1.10-1.1.1.20 netmask 255.255.255.224 </P><P>nat (inside) 1 0.0.0.0 0.0.0.0 0 0 </P><P>static (dmz1,outside) helix-internet helix-local netmask 255.255.255.255 0 0 </P><P>static (dmz1,inside) 10.10.240.0 10.10.240.0 netmask 255.255.255.0 0 0 </P><P>static (inside,dmz1) 192.168.140.0 192.168.140.0 netmask 255.255.255.0 0 0 </P><P>access-group dmz1_in in interface dmz1 </P><P>access-group outside_in in interface outside </P><P>route outside 0.0.0.0 0.0.0.0 1.1.1.1 1 </P><P></P></BODY></HTML> Fri, 27 Oct 2006 12:26:59 GMT https://community.cisco.com/t5/network-security/cannot-ping-interfaces-on-pix/m-p/670345#M496951 cybrsage 2006-10-27T12:26:59Z https://community.cisco.com/t5/network-security/cannot-ping-interfaces-on-pix/m-p/670346#M496952 <HTML><HEAD></HEAD><BODY><P>hi,</P><P></P><P>According to this config you should be able to ping hosts on the DMZ and the internet from the inside. But for some reason, you will never be able be able the DMZ or outside interface of pix from the inside. or the other way round.</P></BODY></HTML> Fri, 27 Oct 2006 13:22:43 GMT https://community.cisco.com/t5/network-security/cannot-ping-interfaces-on-pix/m-p/670346#M496952 rkazmierczak 2006-10-27T13:22:43Z https://community.cisco.com/t5/network-security/cannot-ping-interfaces-on-pix/m-p/670347#M496953 <HTML><HEAD></HEAD><BODY><P>You cannot ping from the inside the PIX interface on the DMZ, the PIX does not allow that. </P><P></P><P>1.) You can ping, if you have configured the ICMP command, from the inside host the inside interface. Or from the DMZ the dmz interface.</P><P></P><P>2.) If you have configured the access-list correctly then you can ping a host on the DMZ from the inside host.</P><P></P><P>3.) You should be able to ping everything from the PIX itself.</P><P></P><P>sincerely</P><P>Patrick</P></BODY></HTML> Fri, 27 Oct 2006 14:05:50 GMT https://community.cisco.com/t5/network-security/cannot-ping-interfaces-on-pix/m-p/670347#M496953 Patrick Iseli 2006-10-27T14:05:50Z https://community.cisco.com/t5/network-security/cannot-ping-interfaces-on-pix/m-p/670348#M496954 <HTML><HEAD></HEAD><BODY><P>Yet it does not.</P><P></P><P>When I ping from the Inside to the DMZ, the ping trace shows the requests and translation happening but does not show any replies.</P><P></P><P>When I ping from the DMZ to the Inside, the ping trace shows requests, translations, and replies, but the PC shows no reply (100% failure).</P></BODY></HTML> Fri, 27 Oct 2006 14:42:55 GMT https://community.cisco.com/t5/network-security/cannot-ping-interfaces-on-pix/m-p/670348#M496954 cybrsage 2006-10-27T14:42:55Z https://community.cisco.com/t5/network-security/cannot-ping-interfaces-on-pix/m-p/670349#M496955 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>First make sure that the hosts definately respond to pings (ping them from the local lan).</P><P></P><P>If they do, there is only one explanation: a slight pix mulfunction, so to say. I had a simmilar problem once. I configured everything correctly but still it didn't work. After a reboot it worked fine. but it did start to work. From what you are saying it doesn't work for a longer time and that is strange <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> </P><P></P><P>Try to remove and reapply the ACL, reboot etc.</P><P></P><P>In software 7.0 and higher you can enable icmp inspection which would allow to pings to come back event without the access-list.</P><P></P><P>Good luck</P><P></P><P>rafal</P></BODY></HTML> Sat, 28 Oct 2006 07:41:25 GMT https://community.cisco.com/t5/network-security/cannot-ping-interfaces-on-pix/m-p/670349#M496955 rkazmierczak 2006-10-28T07:41:25Z