topic Re: unable to ping outside interface in Network Security

unable to ping outside interface

hyundai_mum — Mon, 11 Mar 2019 17:52:43 GMT

Hi,

my inside interface user can't ping outside interface even after i have configured acl which allow ping and also icmp response, configured icmp inspection also.find below configuration of pix 515E which is running ios version 8.0(3)

PIX Version 8.0(3)

hostname FWALL

enable password f1/B5iV9rJ.dvsDE encrypted

names

dns-guard

interface Ethernet0

description P2P link

speed 100

duplex full

nameif outside1

security-level 0

ip address 24.0.0.2 255.255.255.0

interface Ethernet1

description LAN interface

speed 100

duplex full

nameif inside

security-level 100

ip address 192.168.10.11 255.255.255.0

interface Ethernet2

description Internet Gateway

speed 100

duplex full

nameif outside2

security-level 0

ip address 25.0.0.1 255.255.255.0

passwd 2KFQnbNIdI.2KYOU encrypted

boot system flash:/pix803.bin

ftp mode passive

clock timezone IST 5 30

same-security-traffic permit inter-interface

access-list icmpacl extended permit icmp any 192.168.10.0 255.255.255.0

access-list acl_inside extended permit ip 192.168.10.0 255.255.255.0 any

pager lines 24

logging enable

logging asdm informational

logging host inside 192.168.10.11

mtu outside1 1500

mtu inside 1500

mtu outside2 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image flash:/asdm-603.bin

no asdm history enable

arp timeout 14400

access-group icmpacl in interface outside1

access-group acl_inside in interface inside

route outside1 0.0.0.0 0.0.0.0 24.0.0.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 172.23.15.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh 192.168.10.0 255.255.255.0 inside

ssh timeout 30

ssh version 2

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

class-map icmp-class

match access-list icmpacl

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

class icmp-class

inspect icmp

service-policy global_policy global

prompt hostname context

Cryptochecksum:d1afb781f4e40a7c4f8963cd853f94d9

: end

FWALL#

omitted unnecessary config,not using interface ethernet2.

thanks

Hasmukh

Re: unable to ping outside interface

Jennifer Halim — Mon, 31 May 2010 10:06:25 GMT

You won't be able to ping the outside interface ip address of the PIX from internal LAN as it is not supported.

From internal LAN, you can only ping the PIX inside interface, as well as ping through the PIX, ie: you can ping the next hop ip address from the outside interface (24.0.0.1).

With PIX/ASA, you can only ping the directly connected interface, ie: from internal LAN, you can only ping the inside interface, and from outside, you can only ping the outside interface.

Hope that helps.

Re: unable to ping outside interface

hyundai_mum — Tue, 01 Jun 2010 06:31:46 GMT

Hi Halijenn,

thanks for help,my problem is "i can't ping through pix" but the same network i can reach if i ping form outside interface, my topology is as below.

LAN 24.0.0.0/24 23.0.0.0/24 172.23.15.0/24

----------FIREWALL---------------------ROUTER 1-----------------------ROUTER 2-------------------AT&T ROUTER(no access on this router)

.2 .1 .1 .2 .13 LAN .254

i don't find any problem with access-list, could u tell me is their anything i can do so i can ping through firewall, i can ping router2's 172.23.15.13 ip address from outside interface of pix but not from inside interface.

Re: unable to ping outside interface

Marcin Latosiewicz — Tue, 01 Jun 2010 06:49:31 GMT

Let me put it like this.

ASA can only "talk" with destinations/sources that is on the interface closer to that said source/destination.

You cannot talk from/to inside ineterface with a destination which is available from the outside interface.

Re: unable to ping outside interface

hyundai_mum — Tue, 01 Jun 2010 06:59:37 GMT

Hi Latosiewicz,

yes i can't talk any destination from inside interface which i can talk from outside interface, so the problem is my LAN users can't reach any destination.

any suggestions

thanks

Re: unable to ping outside interface

Marcin Latosiewicz — Tue, 01 Jun 2010 07:05:46 GMT

Is it your LAN users or the ASA itself having problems accessing those hosts?

Show us some logging, informational level would be a start.

Re: unable to ping outside interface

Jennifer Halim — Tue, 01 Jun 2010 08:29:01 GMT

You would need to add NAT as well:

nat (inside) 1 192.168.10.0 255.255.255.0

global (outside1) 1 interface

Hope that helps.

Re: unable to ping outside interface

hyundai_mum — Tue, 01 Jun 2010 12:41:28 GMT

Hi halijenn,

i configured suggested nat config but still same problem, find below show run output to help u understand where i am wrong.

FW-HyundaiHMM# show run

: Saved

:

PIX Version 8.0(3)

!

hostname FW-HyundaiHMM

enable password *************** encrypted

names

dns-guard

!

interface Ethernet0

description P2P link

speed 100

duplex full

nameif outside1

security-level 0

ip address 24.0.0.2 255.255.255.0

!

interface Ethernet1

description LAN interface

speed 100

duplex full

nameif inside

security-level 100

ip address 192.168.10.11 255.255.255.0

!

interface Ethernet2

description Internet Gateway

speed 100

duplex full

nameif outside2

security-level 0

ip address 25.0.0.1 255.255.255.0

!

passwd 2KFQnbNIdI.2KYOU encrypted

boot system flash:/pix803.bin

ftp mode passive

clock timezone IST 5 30

same-security-traffic permit inter-interface

access-list icmpacl extended permit icmp any 192.168.10.0 255.255.255.0

access-list acl_inside extended permit ip 192.168.10.0 255.255.255.0 any

pager lines 24

logging enable

logging asdm informational

logging host inside 172.23.15.33

mtu outside1 1500

mtu inside 1500

mtu outside2 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image flash:/asdm-603.bin

no asdm history enable

arp timeout 14400

global (outside1) 1 interface

nat (inside) 1 192.168.10.0 255.255.255.0

access-group icmpacl in interface outside1

access-group acl_inside in interface inside

route outside1 0.0.0.0 0.0.0.0 24.0.0.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 172.23.15.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh 172.23.15.0 255.255.255.0 outside1

ssh 192.168.10.0 255.255.255.0 inside

ssh timeout 30

ssh version 2

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

!

class-map icmp-class

match access-list icmpacl

class-map inspection_default

match default-inspection-traffic

!

policy-map global_policy

class inspection_default

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

class icmp-class

inspect icmp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:4269272b4e0cc053d147f503f9655065

: end

FW-HyundaiHMM#

thanks for all yr help

Re: unable to ping outside interface

Jennifer Halim — Tue, 01 Jun 2010 12:49:29 GMT

Did you perform "clear xlate" after adding the nat/global statements? if not, please perform "clear xlate".

Then you might also want to add icmp inspection globally:

policy-map global_policy
class inspection_default
inspect icmp

Please try to ping the following from inside host and advise if it's successfull:

ping 24.0.0.1
ping 23.0.0.1

Re: unable to ping outside interface

hyundai_mum — Tue, 01 Jun 2010 13:34:17 GMT

Hi halijenn,

it was great help,thanks u very much............................................................

it did't understand two things, why do i need to run clear xlate cmd and why we have to inspect icmp.

thanks

Hasmukh

Re: unable to ping outside interface

Federico Coto Fajardo — Tue, 01 Jun 2010 13:49:49 GMT

Hi,

The ''clear xlate'' command is to clear the translation table on the PIX/ASA.

If you're modifying the NAT configuration somehow, you should refresh the dynamic NAT table with the ''clear xlate'' command.

Alternative if you don't want to refresh the entire table you can clear specific IPs from the table with the ''clear xlate local x.x.x.x'' command.

The ''inspect icmp'' command is needed for the ASA to keep track of the ICMP connection and therefore allow the PING echo-reply back.

The ASA by default inspects only TCP and UDP traffic to allow the return packets.

To be able to inspect ICMP as well you need the command ''inspect icmp''

Federico.