topic PIX unable to ping outside from inside in Network Security

PIX unable to ping outside from inside

fattore73 — Mon, 11 Mar 2019 21:08:44 GMT

Dear all,

I' d like to have some support for a very-basic PIX firewall configuration.

I 'm dealing with PIX 515 's inside/outside/dmz zones.

Inside hosts can ping inside interface , outside hosts outside interface and so on....

I cannot ping outside interface from inside hosts.

(i.e ping 192.168.02 from 10.10.10.100)

inside network 10.10.10.0/24

outside network 192.168.0.0/24

I think i properly set nat and access lists, and furthermore from icmp trace it seems that translation is perfomed, but echo -reply is missing.

in the attached file you can find the pix configuration and test.

I think that some PIX expert can easily find out the problem

thanks for the support

Mauro

PIX unable to ping outside from inside

varrao — Mon, 08 Aug 2011 07:11:58 GMT

Hi Mauro,

Due to design issues, you would never be able to ping a remote interface on the ASA, this is not possible, although you can ping hosts which are connected to these two interfaces, if you are facing an issue with that, do let me know.

Hope this helps,

Thanks,

Varun

PIX unable to ping outside from inside

fattore73 — Mon, 08 Aug 2011 08:37:57 GMT

Dear Varun, thanks for the reply

I'm not dealing with ASA , but with a Pix515 : i tested that outside interface replies to ping ( from outside hosts) and I've read in a Pix firewall book that it would be possible to test connectivity from inside to outside by means of "ping"

That's happen if operator enable icmp any any outside and define an access-lis in this way:

"access-list acl_out permit icmp any any"

and apply to outside interface

"access-group acl_out in interface outside"

I executed the last 2 tasks but ping from inside host (10.10.10.100) to outside interface (192.168.0.2) sistematically fails.

I cannot even ping from inside host ( 10.10.10.100) to an outside host ( 192.168.0.x)

PiX firewall send the echo-request to outside I guess ( because NAT translations occurs) but no echo-reply ever happens.

Re: PIX unable to ping outside from inside

varrao — Mon, 08 Aug 2011 08:45:58 GMT

Hi Mauro,

M sorry, i meant PIX, but it is true for pix as well, you would not be able to ping remote interafce on the firewall.

"I've read in a Pix firewall book that it would be possible to test connectivity from inside to outside by means of "ping" "

What this means is if you have two hosts connected to the inside and outside, then it would ping, like:

host1 ----------------------------outside(PIX)inside----------------------------------host2

10.1.1.1 10.1.1.2 20.1.1.2 20.1.1.1

Now you would be able to ping from host2 to host1 but not host2 to outside interface, that is not possible.

For pinging from host2 to host1, you would need the following config:

access-list out_in permit icmp any any

access-group out_in in interface outside

nat (inside) 1 20.1.1.1 255.255.255.255

global (outside) 1 interface

this should work for you.

Hope this helps.

Thanks,

Varun

PIX unable to ping outside from inside

fattore73 — Mon, 08 Aug 2011 09:44:49 GMT

Your drawing is a good idea and useful to undestand the matter. I try to track again your approach :

in my case host2 (20.1.1.1) can ping inside( 20.1.1.2) ........ ok!!

host1(10.1.1.1) can ping outside(10.1.1.2) ........ok!!

I can take for grant that host2 cannot ping outside interface ( from you statement). ...........ok!!!

You finally state that host2 can ping host 1 with the following additional commands:

a)access-list out_in permit icmp any any ---> got it ( access-list acl_out permit icmp any any)...ok!!

b)access-group out_in in interface outside----> got it ( access-group acl_out in interface outside)....ok!!!

c) " nat (inside) 1 20.1.1.1 255.255.255.255" ------> should not be act as my command "nat(inside) 1 0 0 "??

d) global (outside) 1 interface -----> what does it excutes? natting with only-outside interface ip address?

should not be similar to my command "global (outside) 1 192.168.0.10- 192.168.0.62" which instead define a pool of outside addresses for natting?

If these assumptions are true, I would already have nat and global command in my configuration properly set , but I tested that host2 cannot ping host1 up to now.

PIX unable to ping outside from inside

varrao — Mon, 08 Aug 2011 09:59:08 GMT

Hi Mauro,

The nat statements that i gave you were only for reference, you can use any value that you want.

you can either use:

nat (inside) 1 20.1.1.1 255.255.255.255

global (outside) 1 interface

nat(inside) 1 0 0

global (outside) 1 192.168.0.10-192.168.0.62

both are correct.

Now you said that you are not able to ping host2 from host1????

to troubleshoot it, plz take logs and debugs and check where the traffic dropping.

Take captures as well. As per the configuration it should work.

https://supportforums.cisco.com/docs/DOC-1222

Thanks,

Varun

PIX unable to ping outside from inside

fattore73 — Mon, 08 Aug 2011 11:14:59 GMT

Thanks for the hint!

I'll test again with capture switch on . Hope this help to collect more info

regards

Mauro

PIX unable to ping outside from inside

fattore73 — Tue, 09 Aug 2011 08:17:23 GMT

The configuration was correct. host1 can ping host2.

I was only wrongly testing cause i was referencing outside interface, that , as you said never answers to ping.

Thanks for the support!

Mauro

PIX unable to ping outside from inside

varrao — Tue, 09 Aug 2011 08:20:29 GMT

Hi Mauro,

Thats good, I am glad I was able to clear your doubts

Take care