07-08-2013 11:40 PM - edited 03-11-2019 07:09 PM
Hi,
I have a PIX 515e firewall. I can surf the internet due to global NATing in the firewall, but I am confused: I cannot ping any website from any of my LAN computers.
07-08-2013 11:46 PM
Hi,
Might be due to missing the ICMP Inspection/Fixup
They could be added with the following commands
fixup protocol icmp
fixup protocol icmp error
- Jouni
07-08-2013 11:47 PM
Hi
Can you please explain how I check it and what is the purpose of fixup protocol in PIX?
07-08-2013 11:55 PM
Hi,
Well I am not sure what your software version is. If you have 7.x (or newer) software level then you could probably use the command
show run policy-map
They would be shown as "inspect icmp" and "inspect icmp error"
If you have a 6.x software then I would suggest just using
show run
The "fixup" configurations would then be at the very start of the configurations.
There are 2 different formats of the command. The "fixup" is the old and the "inspect" is the new one. They are essentially the same thing.
The ICMP Inspection is meant to enable the firewall to keep track of ICMP Echos sent through it and the replies arriving back through the firewall. If you have not enabled it, you would have to allow ICMP Echo reply on the ACL attached to the "outside" interface.
Hope this helps
- Jouni
07-09-2013 12:02 AM
Hi,
I have the following OS version on my firewall:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name makkays.com
clock timezone PKT 5
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
If I allow it on the ACL that is attached to my outside interface, it will create problems. I want no one to be able to ping my firewall's outside interface.
07-09-2013 12:06 AM
Hi,
Then you should add the commands
fixup protocol icmp
fixup protocol icmp error
As you can see they are not listed in the above configuration.
Adding them won't allow ICMP from "outside" to "inside". It will simply make it possible for the firewall to allow the Echo Reply message back to the "inside" host when it has sent the ICMP Echo message through the firewall.
Also with the ACL solution you don't have to allow ICMP Echo through the firewall. It would just be Echo Reply messages that are a reply to an ICMP Echo sent from behind your firewall. But adding the "fixup" commands is a better choice.
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Ask more if needed
- Jouni
07-09-2013 12:15 AM
clock timezone PKT 5
fixup protocol dns maximum-
fixup protocol ftp 21
fixup protocol h323 h225 17
fixup protocol h323 ras 171
fixup protocol http 80
fixup protocol icmp error
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
And when I try to add one of the above commands it gives me the error
pixfirewall# conf t
pixfirewall(config)# fixup protocol icmp
Usage: [no] fixup protocol icmp error
pixfirewall(config)#
And I still can't ping any website.
07-09-2013 12:18 AM
Hi,
I guess it was a bit different on the older softwares.
Seems you will just need to add
fixup protocol icmp error
- Jouni
07-09-2013 12:20 AM
I added the above one but still can't ping???
07-09-2013 12:21 AM
Or,
You could possibly add the following ACL lines to the ACL attached to your "outside" interface, naturally with the ACL name you currently have:
access-list OUTSIDE-ACL permit icmp any any echo-reply
access-list OUTSIDE-ACL permit icmp any any source-quench
access-list OUTSIDE-ACL permit icmp any any unreachable
access-list OUTSIDE-ACL permit icmp any any time-exceeded
- Jouni
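The difference between the two fixes Jouni describes (ICMP inspection tracking each outbound Echo versus the four "permit icmp any any ..." lines on the outside ACL) is easiest to see by running sample packets through a model of each. The script below is an added illustration, not code from the thread or from Cisco; the data structures and the packet fields are a simplified assumption of the behaviour described in the posts, and all hosts and addresses are constructed from documentation ranges.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Icmp:
    """One ICMP packet, reduced to the fields the two checks care about."""
    src: str
    dst: str
    kind: str    # "echo", "echo-reply", "unreachable", "time-exceeded", ...
    ident: int   # ICMP identifier
    seq: int     # ICMP sequence number


class IcmpInspection:
    """Model of ICMP inspection as described in the thread: the firewall
    remembers each Echo sent from inside and admits only the matching reply."""

    def __init__(self):
        self.pending = set()   # (inside host, outside host, ident, seq)

    def outbound(self, pkt):
        # inside (security100) -> outside (security0) is permitted; record Echos
        if pkt.kind == "echo":
            self.pending.add((pkt.src, pkt.dst, pkt.ident, pkt.seq))
        return True

    def inbound(self, pkt):
        # A reply mirrors its Echo: addresses swapped, same ident and seq.
        key = (pkt.dst, pkt.src, pkt.ident, pkt.seq)
        if pkt.kind == "echo-reply" and key in self.pending:
            self.pending.discard(key)  # one reply per Echo, then the entry closes
            return True
        return False  # unsolicited Echo, Echo Reply or error from outside: dropped


class OutsideAcl:
    """Model of the ACL alternative: a stateless per-packet match on the
    four lines suggested for the outside interface."""

    PERMITTED = {"echo-reply", "source-quench", "unreachable", "time-exceeded"}

    def outbound(self, pkt):
        return True

    def inbound(self, pkt):
        return pkt.kind in self.PERMITTED   # "any any": no check of who asked


def run(fw, traffic):
    """Apply a packet sequence; return the verdict ('permit'/'deny') per packet."""
    verdicts = []
    for direction, pkt in traffic:
        ok = fw.outbound(pkt) if direction == "out" else fw.inbound(pkt)
        verdicts.append("permit" if ok else "deny")
    return verdicts


# Constructed sample traffic (documentation address ranges, not real hosts).
INSIDE_HOST = "192.168.1.10"
PIX_OUTSIDE = "203.0.113.1"
WEBSITE = "203.0.113.50"
STRANGER = "198.51.100.9"

TRAFFIC = [
    # 1. inside host pings the website
    ("out", Icmp(INSIDE_HOST, WEBSITE, "echo", 0x1234, 1)),
    # 2. the website answers
    ("in", Icmp(WEBSITE, INSIDE_HOST, "echo-reply", 0x1234, 1)),
    # 3. an Echo Reply nobody asked for
    ("in", Icmp(STRANGER, INSIDE_HOST, "echo-reply", 0x1234, 1)),
    # 4. someone on the Internet pings the PIX outside interface
    ("in", Icmp(STRANGER, PIX_OUTSIDE, "echo", 0x0001, 1)),
    # 5. an ICMP error unrelated to any tracked flow
    ("in", Icmp(STRANGER, INSIDE_HOST, "unreachable", 0, 0)),
]


def compare():
    """Return {'inspection': [...], 'acl': [...]} verdicts for TRAFFIC."""
    return {"inspection": run(IcmpInspection(), TRAFFIC),
            "acl": run(OutsideAcl(), TRAFFIC)}


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(name, verdicts)
```

Both models deny packet 4, which is the question asked in the thread: neither change lets the Internet ping the outside interface. Where they differ is packets 3 and 5: the ACL lines admit any Echo Reply or ICMP error addressed to an inside host whether or not that host sent anything, while the inspection model admits only the reply that matches a recorded outbound Echo, which is why the thread calls the fixup the better choice.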
07-09-2013 12:23 AM
Please confirm: by adding this, can anyone ping my outside interface from the internet?
07-09-2013 12:26 AM
Hi,
It only allows reply messages to come through the firewall for which you have sent the original ICMP Echo message.
- Jouni
07-09-2013 12:32 AM
Thanks, I have added the above commands to the ACL. It started pinging.