PPPoE & ICMP

r-lemaster — Mon, 11 Mar 2019 12:08:00 GMT

Cisco PIX Firewall Version 6.3

My PIX was working just fine until I enabled PPPoE. Now that I've enabled PPPoE, I can no longer ping out. Now when I Ping out, I don't get responses back.

I tried disabling ip audit, permit icmp any any, I even tried permit ip any any, and that didn't work.

Here is my outbound ping request:

C:\>ping <A HREF="javascript:newWin('http://www.yahoo.com')">www.yahoo.com</A>

Pinging <A HREF="javascript:newWin('http://www.yahoo-ht3.akadns.net')">www.yahoo-ht3.akadns.net</A> [209.131.36.158] with 32 bytes of data:

Request timed out.

Ping statistics for 209.131.36.158:

Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)

Here is the same request from the PIX:

# ping outside 209.131.36.158

209.131.36.158 response received -- 20ms

209.131.36.158 response received -- 10ms

And here is debug on the outside interface. It shows ping replys to the correct interface IP address.

# debug icmp trace

ICMP trace on

Warning: this may cause problems on busy networks

1: ICMP echo-request from inside:192.168.254.100 to 209.131.36.158 ID=512 seq=5478 4 length=40

2: ICMP echo-request: translating inside:192.168.254.100/512 to outside:74.2.65.94/5

3: ICMP echo-reply from outside:209.131.36.158 to 74.2.65.94 ID=5 seq=54784 length=40

4: ICMP echo-request from inside:192.168.254.100 to 209.131.36.158 ID=512 seq=55040 length=40

5: ICMP echo-request: translating inside:192.168.254.100/512 to outside:74.2.65.94/5

6: ICMP echo-reply from outside:209.131.36.158 to 74.2.65.94 ID=5 seq=55040 length=40

7: ICMP echo-request from inside:192.168.254.100 to 209.131.36.158 ID=512 seq=55296 length=40

8: ICMP echo-request: translating inside:192.168.254.100/512 to outside:74.2.65.94/5

9: ICMP echo-reply from outside:209.131.36.158 to 74.2.65.94 ID=5 seq=55296 length=40

10: ICMP echo-request from inside:192.168.254.100 to 209.131.36.158 ID=512 seq=55552 length=40

11: ICMP echo-request: translating inside:192.168.254.100/512 to outside:74.2.65.94/5

12: ICMP echo-reply from outside:209.131.36.158 to 74.2.65.94 ID=5 seq=55552 length=40

My ACLs:

access-list PUBLICHOSTS permit icmp any any echo-reply

icmp permit any echo-reply outside

My PPPoE config:

ip address outside pppoe setroute

vpdn group pppoex request dialout pppoe

vpdn group pppoex localname [MYPPPOEUSERNAME]

vpdn group pppoex ppp authentication pap

vpdn username [MYPPPOEUSERNAME] password *********

Is there something about PPPoE that could break ICMP replies?

My sanitized config is attached.

Thanks for your time!

Re: PPPoE & ICMP

r-lemaster — Mon, 25 Feb 2008 16:43:44 GMT

It looks like I forgot to apply my ACL to the interface that permitted ICMP in.

After applying the ACL, I can ping out again.

DUH.

topic Re: PPPoE & ICMP in Network Security

PPPoE & ICMP

Re: PPPoE & ICMP