Can PING/ASDM/SSH to External IP but not to Internal IP on PIX itself

IT Dept
Level 1

We have two networks, HQ and Site1, and for some reason we can’t ping the inside IP for Site1 PIX device. We have a site-to-site VPN set up between the two and everything works fine except we can’t ping the Site1 PIX from internal IP. However, I can ASDM/SSH in from HQ to the external IP of the Site1 PIX.

HQ is using an ASA 5550 (172.1.0.1)

PC from HQ (172.1.64.x)

Site1 is using a PIX-515E (172.2.0.1)

PC from Site1 (172.2.64.x)

Ping from HQ PC to Site1 PC (172.1.64.x to 172.2.64.x) works fine

Ping from Site1 PC to HQ PC (172.2.64.x to 172.1.64.x) works fine

Ping from HQ PC to Site1 PIX internal IP (172.1.64.x to 172.2.0.1) doesn’t work

Ping from HQ PC to Site1 PIX external IP (172.1.64.x to Site1 external IP) works fine

ASDM/SSH from any HQ PC to Site1 PIX internal IP (172.1.64.x to 172.2.0.1) doesn’t work

ASDM/SSH from any HQ PC to Site1 PIX external IP (172.1.64.x to Site1 external IP) works fine

Everything was working fine until we recently changed the outside IP address for Site1 because we switched to a different ISP. Nothing changed on the HQ ASA or Site1 PIX other than the outside IP address on Site1 PIX. I did rebuild the site-to-site VPN tunnel between Site1 and HQ.

Thanks first in advance for any ideas/suggestions.

5 Replies

Jennifer Halim
Cisco Employee

Do you have the command: management-access inside configured on the PIX?

Jennifer, Thank you for your reply. Yes, I do have management-access inside configured on the PIX.

     console timeout 0
     management-access inside
     threat-detection basic-threat
     threat-detection statistics access-list

Any other suggestions?

Julio Carvajal
VIP Alumni

Hello IT Dept,

What version are you running on the PIX?

Can you add the following, just in case you are running a modern version:

     management-access inside

Any other question... Sure... Remember to rate all of my answers.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks Julio for your reply. We are currently running PIX Version 8.0 (3) and yes we do have management-access inside configured.

     Cisco PIX Security Appliance Software Version 8.0(3)
     Device Manager Version 6.0(3)
     Hardware:   PIX-515E, 128 MB RAM, CPU Pentium II 433 MHz

     console timeout 0
     management-access inside
     threat-detection basic-threat
     threat-detection statistics access-list

Hello,

Please set an ASP capture and let us know the result when you attempt to connect to the PIX inside interface:

     cap asp type asp-drop all circular-buffer

     show cap asp | include remote_host_ip

Regards,

Julio
