Can't ping or connect to PIX from outside until ping sent from inside

hartleyp
Level 1

Hi,

I have successfully created an IPSec tunnel to a PIX; the problem is that sometimes I can't connect to the PIX.

I have enabled ICMP on the PIX, but I can't ping from outside.

If I send a ping out of the PIX from behind I can then ping from outside and also create the tunnel.

What could be causing this?

Thanks

5 Replies

rgrcommo
Level 1

Do you have:

access-list 101 permit icmp any host (ip of host you are trying to ping)

access-group 101 in interface outside

Do you have a static? Then make sure you have:

static (inside,outside) ext int ip (ip of host you are trying to ping)

Make sure you have a route also.

There are no access-group statements in the config at all.

The IP I'm trying to ping is the internet facing port of the PIX.

The ping must be getting through because it passes the router before it; it's just not getting back.

Do you think this could be an ARP problem? I will try putting a permanent entry into the PIX config.

The ARP thing was not an issue; ARP entries are there at either end.

Telnetted into the router next to it and still cannot ping it from there, and it's on the same segment too!

Do you think the PIX could be faulty?

I simply can't understand how sending a ping from the PIX opens up the connection... Frustrating.

Hi-

Does not matter if on the same segment. You do have to make sure that you have a conduit statement or an access-list (which must be applied to an interface, i.e. outside) to allow ICMP to go through.

On the PIX you can do a "debug icmp trace" and it will show you if you are getting any echo-request packets hitting the inbound interface.

PIX# debug icmp trace --> enter

It will give you a little warning message.

Now ping from the router and on the PIX you should see the output.

this is a good link also to help you out:

http://www.cisco.com/warp/public/110/top_issues/pix/pix_index.shtml

To undo the debug: PIX# no debug icmp trace --> enter
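As an added example that is not from any of the posters, here is a constructed PIX 6.x fragment that puts together the pieces from the two replies above: the icmp interface command for pings aimed at the firewall's own outside address, the static plus ACL for pings passing through to an inside host, the route, and the debug icmp trace check. Interface names, addresses and the PIX 6.x command syntax are assumptions; the addresses are placeholders.

```cisco
! Constructed PIX 6.x configuration fragment (placeholder addresses):
!   203.0.113.1    PIX outside interface address
!   203.0.113.2    public address statically mapped to inside host 192.168.1.10
!   203.0.113.254  next hop on the outside segment
!
! ICMP that terminates on the PIX's own interface (pinging the firewall
! itself) is controlled by the icmp command, not by the interface ACL.
! Only echo and echo-reply are permitted on outside rather than every ICMP type.
icmp permit any echo outside
icmp permit any echo-reply outside
!
! ICMP that passes *through* the PIX to an inside host needs a static
! translation plus an access-list bound to the outside interface.
static (inside,outside) 203.0.113.2 192.168.1.10 netmask 255.255.255.255 0 0
access-list 101 permit icmp any host 203.0.113.2 echo
access-list 101 permit icmp any host 203.0.113.2 echo-reply
access-group 101 in interface outside
!
! Default route so echo-replies can leave via the outside gateway.
route outside 0.0.0.0 0.0.0.0 203.0.113.254 1
!
! Verification: watch echo-request / echo-reply arriving on each interface,
! then disable the debug once the test is done.
! PIX# debug icmp trace
! PIX# no debug icmp trace
```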

I can see what you are saying but,

How can it be that when you send a ping from the secure side of the PIX out onto the net, you can subsequently ping the PIX from the net and bring up the tunnel?

Surely any ACL, or lack of one, would still stop the connection in this case too?
