10-27-2006 04:24 AM - edited 02-21-2020 01:16 AM
I can ping the local interface, but not the other two interfaces (Inside cannot ping DMZ, etc). Machines in each respective area cannot ping machines in any other area either.
Here is my config, any help would be appreciated (config has non-relevant items removed):
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security10
(standard fixup lines)
names
name 10.10.240.10 helix-local
name 1.1.1.5 helix-internet
access-list dmz1_in permit ip host helix-local any
access-list dmz1_in permit ip 192.168.140.0 255.255.255.0 host helix-local
access-list dmz1_in permit icmp any any
access-list outside_in permit icmp any any
icmp permit any outside
icmp permit any inside
icmp permit any dmz1
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
ip address outside 1.1.1.2 255.255.255.224
ip address inside 192.168.140.3 255.255.255.0
ip address dmz1 10.10.240.2 255.255.255.0
failover timeout 0:00:00
failover poll 7
failover ip address outside 1.1.41.3
failover ip address inside 192.168.140.4
failover ip address dmz1 10.10.240.3
failover link inside
pdm history enable
arp timeout 14400
global (outside) 1 1.1.1.10-1.1.1.20 netmask 255.255.255.224
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (dmz1,outside) helix-internet helix-local netmask 255.255.255.255 0 0
static (dmz1,inside) 10.10.240.0 10.10.240.0 netmask 255.255.255.0 0 0
static (inside,dmz1) 192.168.140.0 192.168.140.0 netmask 255.255.255.0 0 0
access-group dmz1_in in interface dmz1
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
(timeouts, etc)
floodguard enable
telnet 192.168.140.0 255.255.255.0 inside
telnet 192.168.140.0 255.255.255.0 dmz1
telnet timeout 5
ssh timeout 5
console timeout 0
Points are always given to those who help ;)
10-27-2006 04:38 AM
10-27-2006 05:26 AM
I think I already have everything it shows...
access-list dmz1_in permit ip host helix-local any
access-list dmz1_in permit ip 192.168.140.0 255.255.255.0 host helix-local
access-list dmz1_in permit icmp any any
access-list outside_in permit icmp any any
icmp permit any outside
icmp permit any inside
icmp permit any dmz1
ip address outside 1.1.1.2 255.255.255.224
ip address inside 192.168.140.3 255.255.255.0
ip address dmz1 10.10.240.2 255.255.255.0
global (outside) 1 1.1.1.10-1.1.1.20 netmask 255.255.255.224
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (dmz1,outside) helix-internet helix-local netmask 255.255.255.255 0 0
static (dmz1,inside) 10.10.240.0 10.10.240.0 netmask 255.255.255.0 0 0
static (inside,dmz1) 192.168.140.0 192.168.140.0 netmask 255.255.255.0 0 0
access-group dmz1_in in interface dmz1
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
10-27-2006 06:22 AM
hi,
According to this config you should be able to ping hosts on the DMZ and the internet from the inside. But for some reason, you will never be able to ping the DMZ or outside interface of the PIX from the inside, or the other way round.
10-27-2006 07:05 AM
You cannot ping the PIX's DMZ interface from the inside; the PIX does not allow that.
1.) If you have configured the ICMP command, you can ping the inside interface from an inside host, or the DMZ interface from the DMZ.
2.) If you have configured the access-list correctly, then you can ping a host on the DMZ from an inside host.
3.) You should be able to ping everything from the PIX itself.
sincerely
Patrick
10-27-2006 07:42 AM
Yet it does not.
When I ping from the Inside to the DMZ, the ping trace shows the requests and translation happening but does not show any replies.
When I ping from the DMZ to the Inside, the ping trace shows requests, translations, and replies, but the PC shows no reply (100% failure).
10-28-2006 12:41 AM
Hi,
First make sure that the hosts definitely respond to pings (ping them from the local LAN).
If they do, there is only one explanation: a slight PIX malfunction, so to say. I had a similar problem once. I configured everything correctly but still it didn't work. After a reboot it worked fine, but it did start to work. From what you are saying, it hasn't worked for a long time, and that is strange :)
Try to remove and reapply the ACL, reboot, etc.
In software 7.0 and higher you can enable ICMP inspection, which would allow pings to come back even without the access-list.
Good luck
rafal
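As an added example (not code from this thread or from Cisco), the script below turns Patrick's three points and rafal's remark about ICMP inspection into a lint that can be run against the posted configuration. It models only what those replies describe: an interface answers pings only from its own side and only if the `icmp` command permits it; a host-to-host ping through a PIX 6.3 needs a translation (a `static` between the two interfaces, or `nat`/`global` for higher-to-lower traffic, or `nat 0`) and, because 6.3 does not track ICMP statefully, both the echo request and the echo reply must be allowed by the inbound access-list of the interface they arrive on, the default being "higher security to lower is permitted, lower to higher is denied". The `icmp_inspection` flag stands for the 7.0+ behaviour rafal mentions, where the reply is tied to the request and no longer needs an ACL entry. The sample config is a constructed excerpt of the one in the thread, the host addresses used in the checks (192.168.140.50, 10.10.240.20, 203.0.113.9) are made up, and the ACL matcher is deliberately simplified (protocol, source and destination only; ports and ICMP types are ignored).

```python
"""Lint a PIX 6.3 config for the conditions a ping between interfaces must meet.

Simplified model, not the PIX's real packet path: ACLs are matched first-hit on
protocol/source/destination only, and the translation check covers static,
nat/global and nat 0 rather than the full xlate logic (assumptions of this example).
"""
import ipaddress
from collections import defaultdict

# Constructed sample input: the lines from the thread's config that matter here.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security10
name 10.10.240.10 helix-local
name 1.1.1.5 helix-internet
access-list dmz1_in permit ip host helix-local any
access-list dmz1_in permit ip 192.168.140.0 255.255.255.0 host helix-local
access-list dmz1_in permit icmp any any
access-list outside_in permit icmp any any
icmp permit any outside
icmp permit any inside
icmp permit any dmz1
global (outside) 1 1.1.1.10-1.1.1.20 netmask 255.255.255.224
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (dmz1,outside) helix-internet helix-local netmask 255.255.255.255 0 0
static (dmz1,inside) 10.10.240.0 10.10.240.0 netmask 255.255.255.0 0 0
static (inside,dmz1) 192.168.140.0 192.168.140.0 netmask 255.255.255.0 0 0
access-group dmz1_in in interface dmz1
access-group outside_in in interface outside
"""


def _addr_spec(tok, i, names):
    """Consume one PIX address spec (any | host X | NET MASK) at tok[i]; resolve 'name' entries."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(names.get(tok[i + 1], tok[i + 1]) + "/32"), i + 2
    net = names.get(tok[i], tok[i])
    return ipaddress.ip_network(f"{net}/{tok[i + 1]}", strict=False), i + 2


def parse_pix(text):
    """Extract the pieces of a PIX 6.3 config that decide whether a ping gets through."""
    cfg = {"security": {}, "names": {}, "acl": defaultdict(list), "acl_applied": {},
           "icmp_rules": False, "icmp_permit": set(), "nat": set(), "nat0": set(),
           "global": set(), "static": set()}
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        head = tok[0]
        if head == "nameif":                      # nameif ethernet1 inside security100
            cfg["security"][tok[2]] = int(tok[3][len("security"):])
        elif head == "name":                      # name 10.10.240.10 helix-local
            cfg["names"][tok[2]] = tok[1]
        elif head == "access-list" and len(tok) > 3 and tok[2] in ("permit", "deny"):
            src, i = _addr_spec(tok, 4, cfg["names"])
            dst, _ = _addr_spec(tok, i, cfg["names"])
            cfg["acl"][tok[1]].append((tok[2], tok[3], src, dst))
        elif head == "access-group":              # access-group dmz1_in in interface dmz1
            cfg["acl_applied"][tok[4]] = tok[1]
        elif head == "icmp" and tok[1] in ("permit", "deny"):
            cfg["icmp_rules"] = True              # once any icmp rule exists, the interface is filtered
            if tok[1] == "permit":
                cfg["icmp_permit"].add(tok[-1])
        elif head == "nat":                       # nat (inside) 1 ... / nat (inside) 0 ...
            (cfg["nat0"] if tok[2] == "0" else cfg["nat"]).add(tok[1].strip("()"))
        elif head == "global":                    # global (outside) 1 ...
            cfg["global"].add(tok[1].strip("()"))
        elif head == "static":                    # static (inside,dmz1) ...
            cfg["static"].add(tuple(tok[1].strip("()").split(",")))
    return cfg


def can_ping_interface(cfg, src_if, target_if):
    """Point 1: an interface address answers only from its own side, and only if 'icmp' permits it."""
    if src_if != target_if:
        return False
    return (not cfg["icmp_rules"]) or src_if in cfg["icmp_permit"]


def acl_permits(cfg, acl_name, proto, src_ip, dst_ip):
    """First-match evaluation of an extended ACL for one packet (implicit deny at the end)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, rule_proto, src_net, dst_net in cfg["acl"].get(acl_name, []):
        if rule_proto in ("ip", proto) and s in src_net and d in dst_net:
            return action == "permit"
    return False


def _interface_permits(cfg, in_if, out_if, src_ip, dst_ip):
    """Inbound ACL on in_if if there is one, else the security-level default."""
    acl = cfg["acl_applied"].get(in_if)
    if acl is None:
        return cfg["security"][in_if] > cfg["security"][out_if]
    return acl_permits(cfg, acl, "icmp", src_ip, dst_ip)


def check_ping(cfg, src_if, src_ip, dst_if, dst_ip, icmp_inspection=False):
    """Point 2: list what stops an echo from src_ip (behind src_if) to dst_ip (behind dst_if)
    and its reply. Empty list means the config allows the ping."""
    problems = []
    sec = cfg["security"]
    has_static = (src_if, dst_if) in cfg["static"]
    has_dynamic = src_if in cfg["nat"] and dst_if in cfg["global"] and sec[src_if] > sec[dst_if]
    if not (has_static or has_dynamic or src_if in cfg["nat0"]):
        problems.append(f"no translation for {src_if} -> {dst_if}: needs static, nat/global or nat 0")
    if not _interface_permits(cfg, src_if, dst_if, src_ip, dst_ip):
        problems.append(f"echo request arriving on {src_if} is dropped by its inbound policy")
    # Without ICMP inspection (PIX 6.3) the reply is judged on its own, as a fresh packet.
    if not icmp_inspection and not _interface_permits(cfg, dst_if, src_if, dst_ip, src_ip):
        problems.append(f"echo reply arriving on {dst_if} is dropped by its inbound policy")
    return problems


if __name__ == "__main__":
    cfg = parse_pix(SAMPLE_CONFIG)
    for args in (("inside", "192.168.140.50", "dmz1", "10.10.240.20"),
                 ("dmz1", "10.10.240.20", "inside", "192.168.140.50")):
        print(args, check_ping(cfg, *args) or "ok")
```

Run against the thread's config, both inside-to-DMZ and DMZ-to-inside come back clean, which matches the replies saying the config should work; the useful part is the negative case. Delete `access-list dmz1_in permit icmp any any` and the lint reports the echo reply being dropped on dmz1 (the request itself is fine, because inside is the higher-security side), which is exactly the symptom in the trace described above and what 7.0's `inspect icmp` makes unnecessary.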