Cisco PIX Will Not Pass Traffic

Background:

I recently acquired an old Cisco PIX 515e and I have been playing around with it. This is my first attempt at a firewall config. I am using it in routed mode and it is running EIGRP. Its neighbor, a 2821, is running EIGRP as well and the two are set to be neighbors. When I view the routing table I am able to see all the routes on each of the devices, so I believe EIGRP is working correctly.

 

Setup:

On the PIX, Ethernet 0 is set with an IP address of 172.16.32.2 and is connected to Gigabit Ethernet 0/1 on the 2821 with an IP address of 172.16.32.1. The inside interface of the PIX, Ethernet 1, is 192.168.32.1. The 2821 has the 192.168.12.0 network as well as the 192.168.13.0 network. In order to get to the internet an ADSL WIC card is installed in the 2821 with a DHCP address; the 2821 has a gateway of last resort set to the ISP's gateway. On the PIX the gateway of last resort is set to 172.16.32.1.

 

Issue:

My issue is that from the PIX I am able to ping everything from the 192.168.12.0 network and the 192.168.13.0 network, and even ping internet addresses; however, nothing from the outside of the PIX is able to ping anything on the inside of the PIX (the 192.168.32.0 network). Along with that, nothing on the inside of the PIX is able to ping anything but the inside interface of the PIX. I had added several access-lists to try to resolve the issue but so far have not had any luck resolving the issue. I did read through my research that traffic should be able to flow from a more secure interface to a less secure one no problem and you just need to set up access-lists for inbound traffic, which is what I thought I had done.

 

Thoughts:

As I said above I do not believe this is an issue with EIGRP; I am able to see all of the routes on both devices. Also I would not be able to ping the other network from the PIX had those routes not been in place, because the packets would not have a return path. I have not enabled NAT or PAT but this almost seems like an issue with that. Does the PIX have some sort of embedded NAT configuration? I do not want to use NAT or PAT for this setup, so if there would be a way to disable that I'd like to do so.

 

Side Note:

I had tried the PIX in transparent mode as well briefly and did not have too much luck either. I designated the inside and outside interfaces and assigned a management IP but was still unable to pass traffic through the device; I could ping the management IP from both sides however. I do not believe I have an issue with the device, I believe it is more an issue with my config.

 

Closing:

Any help would be greatly appreciated! As I said, I am new to firewalls and am probably missing something simple. I have attached the config of the PIX. Please let me know if I can provide any additional information to help you help me resolve the issue!

 

3 Replies

Accepted Solution:

Try adding the command fixup protocol icmp

--

Please remember to select a correct answer and rate helpful posts

That did the trick, thank you! I am now able to get out to the internet and ping everything with no issues! The only thing I can't do is ping the inside interface of the PIX (192.168.32.1) from the outside. Is this something else I need to adjust?

 

Also for future reference would you (or anybody who read this) be able to elaborate on what the "fixup protocol icmp" command does?

 

Thank you for your help!

You will not be able to ping an ASA / PIX interface which is not the ingress interface. This is a security measure and there is no way to get around it.

The fixup protocol icmp command instructs the PIX to inspect ICMP traffic passing through the ASA and place it in the state table. This command is now replaced by inspect icmp in the global policy map of the ASA, although you can use the fixup command and the ASA will translate it to inspect icmp.

--

Please remember to select a correct answer and rate helpful posts

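The following is an added example, not code from this thread, from Cisco or from the PIX/ASA software. It is a small Python model of the behaviour the accepted answer describes for both "fixup protocol icmp" and its ASA successor "inspect icmp": with ICMP inspection enabled, an outbound echo request is recorded in the state table and the matching echo reply is let back in through the lower-security interface; without it, the reply is judged like any other inbound packet on the outside interface and, with no access-list permitting it, is dropped. Interface names, security levels, host addresses and packets are constructed sample values; the two-interface layout and the security-level rule follow the thread's description of the PIX.

```python
"""
Toy model of ICMP stateful inspection on a two-interface routed firewall.

Added example for this thread; it is not code from the thread, from Cisco
or from the PIX/ASA. It models what 'fixup protocol icmp' (ASA: 'inspect
icmp' under 'policy-map global_policy' / 'class inspection_default')
changes: outbound echo requests go into the state table and the matching
echo replies are passed by that table instead of by the interface ACL.
All names, levels, addresses and packets below are constructed.
"""
from dataclasses import dataclass

ECHO_REPLY = 0
ECHO_REQUEST = 8


@dataclass(frozen=True)
class IcmpPacket:
    ingress: str    # interface the packet arrives on
    src: str
    dst: str
    icmp_type: int
    ident: int      # ICMP identifier field
    seq: int        # ICMP sequence number


class Firewall:
    """Two-interface routed firewall with PIX-style security levels."""

    def __init__(self, levels, inspect_icmp):
        self.levels = levels            # e.g. {"inside": 100, "outside": 0}
        self.inspect_icmp = inspect_icmp
        self.state = set()              # outstanding echo requests
        self.acl = set()                # (ingress, src, dst) explicitly permitted

    def permit(self, ingress, src, dst):
        """Stand-in for an access-list entry applied inbound on 'ingress'."""
        self.acl.add((ingress, src, dst))

    def _egress(self, ingress):
        return next(name for name in self.levels if name != ingress)

    def forward(self, pkt):
        """Return 'PASS' or 'DROP' for one packet, updating the state table."""
        egress = self._egress(pkt.ingress)

        # With inspection on, an echo reply whose (addresses, id, seq) reverse a
        # recorded request is passed by the state table. The entry is consumed,
        # so a second reply to the same request does not get through.
        if self.inspect_icmp and pkt.icmp_type == ECHO_REPLY:
            key = (pkt.dst, pkt.src, pkt.ident, pkt.seq)
            if key in self.state:
                self.state.discard(key)
                return "PASS"

        # Default policy: higher security level to lower is allowed; anything
        # else needs an explicit permit on the ingress interface.
        if self.levels[pkt.ingress] > self.levels[egress]:
            allowed = True
        else:
            allowed = (pkt.ingress, pkt.src, pkt.dst) in self.acl
        if not allowed:
            return "DROP"

        # Only with inspection does the request leave a state entry behind.
        if self.inspect_icmp and pkt.icmp_type == ECHO_REQUEST:
            self.state.add((pkt.src, pkt.dst, pkt.ident, pkt.seq))
        return "PASS"


def ping_exchange(inspect_icmp):
    """Inside host pings an outside host; returns verdicts for (request, reply, duplicate reply)."""
    fw = Firewall({"inside": 100, "outside": 0}, inspect_icmp)
    request = IcmpPacket("inside", "192.168.32.10", "192.168.12.5", ECHO_REQUEST, 0x1234, 1)
    reply = IcmpPacket("outside", "192.168.12.5", "192.168.32.10", ECHO_REPLY, 0x1234, 1)
    return fw.forward(request), fw.forward(reply), fw.forward(reply)


def unsolicited_ping(inspect_icmp):
    """Outside host pings inside with no ACL permit; inspection does not change this."""
    fw = Firewall({"inside": 100, "outside": 0}, inspect_icmp)
    probe = IcmpPacket("outside", "192.168.12.5", "192.168.32.10", ECHO_REQUEST, 0x1, 1)
    return fw.forward(probe)


if __name__ == "__main__":
    print("no inspection :", ping_exchange(False))    # ('PASS', 'DROP', 'DROP')
    print("inspect icmp  :", ping_exchange(True))     # ('PASS', 'PASS', 'DROP')
    print("outside->in   :", unsolicited_ping(True))  # 'DROP'
```

The first run reproduces the symptom in the question: the request leaves the inside, but the reply is dropped at the outside interface, so the inside host sees no answer. The second run shows what the accepted answer fixes. The third shows why the follow-up question (pinging inward from the outside) is a separate matter: an echo request arriving on the lower-security interface is never matched by the state table and still needs an explicit permit, and the reply about pinging a non-ingress interface address is a further restriction this model does not cover.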