Can't ping internal client from Pix 515

ejeangilles (Beginner)

I just set up my home network with a Pix 515 acting as my router/firewall, but I can't seem to ping my internal PC from my ASA. I can access the internet and ping my Pix 515 inside interface from my PC, but I can't ping my PC from my Pix 515. I can also renew/release IPs from my PC. I also did a packet tracer and it says that it was dropped due to an access list, but I have one in place. Also, my switch has the default config. Below is my config.

Internet <----> Comcast modem <-----> Pix 515 <-------> Cisco switch <-----> PC

MYFIREWALL# sh run
: Saved
:
PIX Version 8.0(4)28
!
hostname MYFIREWALL
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 173.x.x.114 255.255.255.248
!
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
ftp mode passive
clock timezone EST -5
access-list 101 extended permit icmp any host 192.168.1.5 echo
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list 101 extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging buffer-size 20000
logging buffered debugging
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) interface 10.10.10.103 netmask 255.255.255.255
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 173.x.x.118 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 68.87.68.162 68.87.74.162
!
dhcpd address 10.10.10.100-10.10.10.150 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
!
!
prompt hostname context
Cryptochecksum:61717969523c7b3fe51286c96c733c27

MYFIREWALL# packet-tracer input inside icmp 10.10.10.1 8 0 10.10.10.103 detail$

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.10.10.0      255.255.255.0   inside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x435ca18, priority=500, domain=permit, deny=true
        hits=1, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=10.10.10.1, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
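Beyond the ping problem, the posted running-config contains several inbound exposures a reviewer would flag: telnet and http management reachable from any address on outside, an ACL with permit ip any any applied inbound on outside, a port-less static that publishes 10.10.10.103 behind the outside address, and an ACL entry for 192.168.1.5, which is on no configured interface subnet. The following offline audit is an added example, not code from this thread or from Cisco; the regexes, the severity labels and the constructed config excerpt (same addresses as the post) are assumptions of the example.

```python
"""Audit a PIX/ASA 8.x running-config excerpt for inbound exposure (added example)."""
import ipaddress
import re

# Constructed excerpt of the configuration posted in the thread (same addresses).
SAMPLE_CONFIG = """\
interface Ethernet1
ip address 10.10.10.1 255.255.255.0
access-list 101 extended permit icmp any host 192.168.1.5 echo
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit ip any any
static (inside,outside) interface 10.10.10.103 netmask 255.255.255.255
access-group 101 in interface outside
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 inside
"""

# Patterns are assumptions of this example, matched against stripped config lines.
IFACE_RE = re.compile(r"^ip address (\S+) (\S+)$")
MGMT_RE = re.compile(r"^(telnet|http|ssh) 0\.0\.0\.0 0\.0\.0\.0 outside$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside$")
ANY_RE = re.compile(r"^access-list (\S+) extended permit (\S+) any any(?: \S+)?$")
HOST_RE = re.compile(r"^access-list (\S+) extended permit \S+ any host (\S+)")
STATIC_RE = re.compile(r"^static \(inside,outside\) interface (\S+) netmask 255\.255\.255\.255$")


def audit_pix_config(text):
    """Return a sorted list of (severity, message) findings for the excerpt."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    # Pass 1: interface subnets and the ACLs bound inbound on the outside interface.
    nets = [ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            for line in lines if (m := IFACE_RE.match(line))]
    inbound = {m.group(1) for line in lines if (m := GROUP_RE.match(line))}
    findings = set()
    for line in lines:
        if m := MGMT_RE.match(line):
            findings.add(("HIGH", f"{m.group(1)} management reachable from any address on outside"))
        if (m := ANY_RE.match(line)) and m.group(1) in inbound and m.group(2) == "ip":
            findings.add(("HIGH", f"ACL {m.group(1)} permits ip any any inbound on outside"))
        if (m := HOST_RE.match(line)) and m.group(1) in inbound:
            host = ipaddress.ip_address(m.group(2))
            if not any(host in n for n in nets):  # stale or mistyped host entry
                findings.add(("LOW", f"ACL {m.group(1)} references {host}, which is on no interface subnet"))
        if m := STATIC_RE.match(line):
            findings.add(("MEDIUM", f"static NAT exposes every port of {m.group(1)} on the outside address"))
    return sorted(findings)


if __name__ == "__main__":
    for severity, message in audit_pix_config(SAMPLE_CONFIG):
        print(f"{severity:6} {message}")
```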


Plinio Brandao (Beginner)

Hi Edwin,

Maybe a simple question, but do you have any firewall enabled on your PC? Sometimes we can send a ping, but we can't receive a ping.

Another test: if you create an ACL on the INSIDE interface permitting ICMP, what's the result?

Plínio Monteiro

Plinio is right; you need to turn off your Windows firewall from the Control Panel.

Here's another way to test: you can configure a SPAN session on your switch:

monitor session 1 source interface fx/x -> connected to the PC

monitor session 1 destination interface fx/x -> connected to another PC running Wireshark or a sniffer.

It will help you to determine in which segment the packet is lost.

Sorry for the delay. After research I found out the problem was that no ip directed-broadcast was enabled on my switch VLAN. Once I enabled it, it started working and the ping was being received on my Pix.

Good job

Best regards.

Zhongyu Huang
