https://community.cisco.com/t5/network-security/pix-help-can-not-ping-dmz-from-inside-or-outside/m-p/196540#M590279 <HTML><HEAD></HEAD><BODY><P>thanks your solution helped me as well</P><P></P><P>Regards</P><P>Nitin Mohan</P></BODY></HTML> Fri, 21 Feb 2014 16:14:35 GMT nitin mohan 2014-02-21T16:14:35Z https://community.cisco.com/t5/network-security/pix-help-can-not-ping-dmz-from-inside-or-outside/m-p/196537#M590276 <P>I have been tasked with the project of configing this PIX. I am new but now just a little about the PIX. </P><P></P><P>I can not ping any machines in the DMZ or from the inside or outside. </P><P></P><P>Please help</P><P></P><P>This is my config </P><P></P><P></P><P>Building configuration...</P><P>: Saved</P><P>:</P><P>PIX Version 6.3(1)</P><P>interface ethernet0 auto</P><P>interface ethernet1 auto</P><P>interface ethernet2 auto</P><P>interface ethernet3 auto</P><P>interface ethernet4 auto</P><P>interface ethernet5 auto shutdown</P><P>nameif ethernet0 outside security0</P><P>nameif ethernet1 inside security100</P><P>nameif ethernet2 InetDMZ security50</P><P>nameif ethernet3 RASDMZ security45</P><P>nameif ethernet4 ISADMZ security40</P><P>nameif ethernet5 spare security1</P><P>enable password xxxxxxxxxx encrypted</P><P>passwd xxxxxx encrypted</P><P>hostname xxxxxxPix</P><P>domain-name xxxxxxx.com</P><P>clock timezone EST -5</P><P>clock summer-time EDT recurring</P><P>fixup protocol ftp 21</P><P>fixup protocol h323 h225 1720</P><P>fixup protocol h323 ras 1718-1719</P><P>fixup protocol http 80</P><P>fixup protocol ils 389</P><P>fixup protocol rsh 514</P><P>fixup protocol rtsp 554</P><P>fixup protocol sip 5060</P><P>fixup protocol sip udp 5060</P><P>fixup protocol skinny 2000</P><P>fixup protocol smtp 25</P><P>fixup protocol sqlnet 1521</P><P>names</P><P>name 10.59.64.70 Exchange</P><P>name 10.59.64.80 SMTP</P><P>name 192.168.12.10 RAS</P><P>object-group service Exchange tcp</P><P> port-object range 5000 5001</P><P> port-object eq www</P><P> port-object eq smtp</P><P> port-object eq 135</P><P>object-group service Deny_out tcp</P><P> port-object range aol aol</P><P> port-object eq 5050</P><P> port-object eq 7320</P><P> port-object eq 3574</P><P> port-object eq 1503</P><P> port-object eq 4443</P><P> port-object eq 6891</P><P> port-object eq 24613</P><P> port-object eq 1863</P><P> port-object eq 1214</P><P> port-object range 6346 6347</P><P> port-object eq netbios-ssn</P><P> port-object eq aol</P><P> port-object eq irc</P><P>object-group service Deny_outudp udp</P><P> port-object range 13324 13325</P><P> port-object eq netbios-ns</P><P>object-group icmp-type icmp</P><P>access-list outside_access_in permit tcp any host xxx.xxx.198.129 eq smtp log </P><P>access-list outside_access_in permit tcp any host xxx.xxx.198.128 object-group Exchange log </P><P>access-list outside_access_in permit gre any host xxx.xxx.198.70 log </P><P>access-list outside_access_in permit tcp any host xxx.xxx.198.70 eq pptp log </P><P>access-list outside_access_in permit icmp any host xxx.xxx.198.70 log </P><P>access-list outside_access_in permit tcp any host xxx.xxx.198.130 eq www log </P><P>access-list outside_access_in permit tcp any host xxx.xxx.198.130 eq https log </P><P>access-list outside_access_in permit tcp any host xxx.xxx.198.131 eq www log </P><P>access-list outside_access_in permit tcp any host xxx.xxx.198.131 eq https log </P><P>access-list outside_access_in permit tcp any host xxx.xxx.198.132 eq www log </P><P>access-list outside_access_in permit tcp any host xxx.xxx.198.132 eq https log </P><P>access-list outside_access_in permit icmp any host xxx.xxx.198.128 log </P><P>access-list outside_access_in permit icmp any host xxx.xxx.198.129 log </P><P>access-list outside_access_in permit icmp any host xxx.xxx.198.130 log </P><P>access-list outside_access_in permit icmp any host xxx.xxx.198.131 log </P><P>access-list outside_access_in permit icmp any host xxx.xxx.198.132 log </P><P>access-list acl_inside permit ip any any log </P><P>access-list acl_inside permit icmp any any log </P><P>access-list acl_inside permit udp any any log </P><P>access-list RASDMZ_access_in permit icmp any any </P><P>access-list No_NAT permit ip 10.0.0.0 255.0.0.0 10.57.9.0 255.255.255.0 </P><P>pager lines 24</P><P>logging on</P><P>mtu outside 1500</P><P>mtu inside 1500</P><P>mtu InetDMZ 1500</P><P>mtu RASDMZ 1500</P><P>mtu ISADMZ 1500</P><P>mtu spare 1500</P><P>ip address outside xxx.xxx.198.252 255.255.255.0</P><P>ip address inside 10.57.3.2 255.255.255.0</P><P>ip address InetDMZ 192.168.10.1 255.255.255.0</P><P>ip address RASDMZ 192.168.12.1 255.255.255.0</P><P>ip address ISADMZ 192.168.11.1 255.255.255.0</P><P>no ip address spare</P><P>ip audit info action alarm</P><P>ip audit attack action alarm</P><P>ip audit signature 1000 disable</P><P>ip audit signature 1102 disable</P><P>ip audit signature 2154 disable</P><P>ip audit signature 4050 disable</P><P>ip audit signature 4051 disable</P><P>ip audit signature 6190 disable</P><P>ip local pool pptp 10.57.9.1-10.57.9.254</P><P>no failover</P><P>failover timeout 0:00:00</P><P>failover poll 15</P><P>no failover ip address outside</P><P>no failover ip address inside</P><P>no failover ip address InetDMZ</P><P>no failover ip address RASDMZ</P><P>no failover ip address ISADMZ</P><P>no failover ip address spare</P><P>pdm location 10.0.1.0 255.255.255.0 inside</P><P>pdm location 10.59.64.3 255.255.255.255 inside</P><P>pdm location 10.58.65.9 255.255.255.255 inside</P><P>pdm location 10.59.64.0 255.255.224.0 inside</P><P>pdm location 10.0.0.0 255.0.0.0 inside</P><P>pdm location 0.0.0.0 255.255.255.255 outside</P><P>pdm location 10.0.0.0 255.0.0.0 RASDMZ</P><P>pdm location RAS 255.255.255.255 RASDMZ</P><P>pdm location Exchange 255.255.255.255 inside</P><P>pdm location SMTP 255.255.255.255 inside</P><P>pdm location 192.168.11.10 255.255.255.255 inside</P><P>pdm location 10.57.9.0 255.255.255.0 RASDMZ</P><P>pdm location 192.168.11.11 255.255.255.255 ISADMZ</P><P>pdm location 192.168.11.12 255.255.255.255 ISADMZ</P><P>pdm location 192.168.11.13 255.255.255.255 ISADMZ</P><P>pdm logging errors 100</P><P>pdm history enable</P><P>arp timeout 14400</P><P>global (outside) 10 xxx.xxx.198.241</P><P>global (InetDMZ) 10 192.168.10.128-192.168.10.254 netmask 255.255.255.0</P><P>global (RASDMZ) 10 192.168.12.128-192.168.12.254 netmask 255.255.255.0</P><P>global (ISADMZ) 10 192.168.11.128-192.168.11.254 netmask 255.255.255.0</P><P>nat (inside) 0 access-list No_NAT</P><P>nat (InetDMZ) 10 0.0.0.0 0.0.0.0 0 0</P><P>nat (RASDMZ) 10 0.0.0.0 0.0.0.0 0 0</P><P>nat (ISADMZ) 10 0.0.0.0 0.0.0.0 0 0</P><P>static (RASDMZ,outside) xxx.xxx.198.70 RAS netmask 255.255.255.255 0 0 </P><P>static (inside,outside) xxx.xxx.198.129 SMTP netmask 255.255.255.255 0 0 </P><P>static (inside,outside) xxx.xxx.198.128 Exchange netmask 255.255.255.255 0 0 </P><P>static (ISADMZ,outside) xxx.xxx.198.30 192.168.11.11 netmask 255.255.255.255 0 0 </P><P>static (ISADMZ,outside) xxx.xxx.198.31 192.168.11.12 netmask 255.255.255.255 0 0 </P><P>static (ISADMZ,outside) xxx.xxx.198.32 192.168.11.13 netmask 255.255.255.255 0 0 </P><P>access-group outside_access_in in interface outside</P><P>access-group acl_inside in interface inside</P><P>route outside 0.0.0.0 0.0.0.0 xxx.xxx.198.251 1</P><P>route inside 10.0.0.0 255.0.0.0 10.57.3.1 1</P><P>timeout xlate 3:00:00</P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00</P><P>timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00</P><P>timeout uauth 0:05:00 absolute</P><P>aaa-server TACACS+ protocol tacacs+ </P><P>aaa-server RADIUS protocol radius </P><P>aaa-server LOCAL protocol local </P><P>aaa authentication enable console LOCAL</P><P>aaa authentication http console LOCAL</P><P>aaa authentication telnet console LOCAL</P><P>http server enable</P><P>http 10.58.65.9 255.255.255.255 inside</P><P>http 10.59.64.0 255.255.224.0 inside</P><P>http 10.0.1.0 255.255.255.0 inside</P><P>no snmp-server location</P><P>snmp-server contact James Blancke</P><P>snmp-server community public</P><P>no snmp-server enable traps</P><P>floodguard enable</P><P>sysopt connection permit-pptp</P><P>telnet 10.58.65.9 255.255.255.255 inside</P><P>telnet 10.59.64.0 255.255.224.0 inside</P><P>telnet 10.0.1.0 255.255.255.0 inside</P><P>telnet timeout 15</P><P>ssh timeout 5</P><P>console timeout 0</P><P>vpdn group PPTP-VPDN-GROUP accept dialin pptp</P><P>vpdn group PPTP-VPDN-GROUP ppp authentication pap</P><P>vpdn group PPTP-VPDN-GROUP ppp authentication chap</P><P>vpdn group PPTP-VPDN-GROUP ppp authentication mschap</P><P>vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto </P><P>vpdn group PPTP-VPDN-GROUP client configuration address local pptp</P><P>vpdn group PPTP-VPDN-GROUP client configuration dns 10.59.64.50 10.56.64.51</P><P>vpdn group PPTP-VPDN-GROUP client configuration wins 10.59.64.50 10.56.64.51</P><P>vpdn group PPTP-VPDN-GROUP pptp echo 60</P><P>vpdn group PPTP-VPDN-GROUP client authentication local</P><P>vpdn username hanscomb password ********* </P><P>vpdn enable outside</P><P>username Hanscomb password xxxxxx encrypted privilege 15</P><P>terminal width 90</P><P></P><P>: end</P><P>[OK]</P> Fri, 21 Feb 2020 06:57:39 GMT https://community.cisco.com/t5/network-security/pix-help-can-not-ping-dmz-from-inside-or-outside/m-p/196537#M590276 jblancke 2020-02-21T06:57:39Z https://community.cisco.com/t5/network-security/pix-help-can-not-ping-dmz-from-inside-or-outside/m-p/196538#M590277 <HTML><HEAD></HEAD><BODY><P>The PIX does not allow ICMP packets similarly to how it handles UDP/TCP packets in between interfaces, you always hav eto specifically allow them in. </P><P><B></B></P><P>access-group RASDMZ_access_in in interface RASDMZ</P><P></P><P>should get you going (for the RASDMZ interface at least)</P></BODY></HTML> Fri, 29 Aug 2003 00:35:05 GMT https://community.cisco.com/t5/network-security/pix-help-can-not-ping-dmz-from-inside-or-outside/m-p/196538#M590277 gfullage 2003-08-29T00:35:05Z https://community.cisco.com/t5/network-security/pix-help-can-not-ping-dmz-from-inside-or-outside/m-p/196539#M590278 <HTML><HEAD></HEAD><BODY><P>You put the any any in the inside interface, should be in the DMZ interface.</P><P></P><P>Try that.</P><P></P><P>-k</P></BODY></HTML> Sat, 30 Aug 2003 19:56:35 GMT https://community.cisco.com/t5/network-security/pix-help-can-not-ping-dmz-from-inside-or-outside/m-p/196539#M590278 koaps 2003-08-30T19:56:35Z https://community.cisco.com/t5/network-security/pix-help-can-not-ping-dmz-from-inside-or-outside/m-p/196540#M590279 <HTML><HEAD></HEAD><BODY><P>thanks your solution helped me as well</P><P></P><P>Regards</P><P>Nitin Mohan</P></BODY></HTML> Fri, 21 Feb 2014 16:14:35 GMT https://community.cisco.com/t5/network-security/pix-help-can-not-ping-dmz-from-inside-or-outside/m-p/196540#M590279 nitin mohan 2014-02-21T16:14:35Z