04-08-2013 04:13 AM - edited 03-11-2019 06:24 PM
Hi,
I have a Cisco 2900 router with firewall. I need to know how I can allow ping from the self zone to the outside zone. I tried to create a policy from self to outside, but it still didn't allow ping or tracert. I get this message when I try to ping from the Cisco router:
"Unrecognized host or address, or protocol not running"
Any help will be appreciated.
Thank you
04-08-2013 09:55 AM
Hello,
Do you already have a self-out and out-self zone-pair?
If yes, proceed to share the configuration used; you must have 2 zone-pairs created.
Regards
04-09-2013 02:20 AM
Hi jcarvaja,
Here is the configuration used:
Building configuration...
Current configuration : 5584 bytes
!
! Last configuration change at 09:00:20 UTC Tue Apr 9 2013 by admin
!
version 15.1
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
service udp-small-servers
service tcp-small-servers
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
no logging buffered
no logging console
enable secret 5
!
no aaa new-model
!
!
no ipv6 cef
ip source-route
ip gratuitous-arps
ip icmp rate-limit unreachable 1
ip cef
!
!
!
!
!
ip name-server 163.121.128.134
ip name-server 163.121.128.135
ip port-map user-custom-fleet port tcp 2000 list 1
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-324261422
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-324261422
 revocation-check none
!
!
crypto pki certificate chain TP-self-signed-324261422
certificate self-signed 01
30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33323432 36313432 32301E17 0D313330 34303930 38343034
375A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3332 34323631
34323230 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
B8ABD60F 8C879B3B BC1C1643 48059AD2 F940A700 6D58161E 37D53E6E E028B806
61EAA942 CED2A3C6 3FB3A47E 20E05B10 0941A9D8 38FFA6F9 D2B9E52C 225A57BA
14F8842A A26E7E02 38E9F7C8 328504D0 5C3EEE41 CC75B237 BBD07CBA 1A850540
2A5AAFAD 4553FB03 0E366211 9AC09967 4DC03082 0AF546A3 F6AA2739 1D8A8AA9
02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D
23041830 16801428 FEEB3910 B7A1D374 1F86BCD5 96CEDF75 8DF11E30 1D060355
1D0E0416 041428FE EB3910B7 A1D3741F 86BCD596 CEDF758D F11E300D 06092A86
4886F70D 01010405 00038181 006BBF7A 430905F6 D5B27B0D 96315504 87816DAA
B5EA86D9 6E9A1D58 7B328C88 A6A358D0 00D035A9 8CDDEC41 15AF0108 F5CB1072
B0485D7D CFC0D0CB 71E9B153 FB7B8B40 40C157E4 B254D01C 890D615F D8395545
F0B47E0B 57341EB2 C0CE0039 DC18EAD6 078986F0 A5A5D04F D5041DB6 23CAA002
4901248C 95B61A0B 3ED5B26A EF
quit
license udi pid CISCO2901/K9 sn FCZ1526C3JL
!
!
object-group service Outside-Reply
 icmp echo-reply
!
username admin privilege 15 secret 5
!
redundancy
!
!
!
!
ip finger
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any Deny_ALL
 match access-group name dwdwd
class-map type inspect match-any Inside-Outside
 match protocol http
 match protocol https
 match protocol dns
class-map type inspect match-any ICMP_RQST
 match protocol icmp
!
!
policy-map type inspect Inside-Outside
 class type inspect Inside-Outside
  inspect
 class class-default
  drop
policy-map type inspect Self_to_Outside
 class type inspect ICMP_RQST
  inspect
 class class-default
  drop
policy-map type inspect Outside_to_Self
 class type inspect Deny_ALL
  pass log
 class class-default
  drop
!
zone security IN
zone security OUT
zone-pair security Self_to_Outside source self destination OUT
 service-policy type inspect Self_to_Outside
zone-pair security Outside_to_Self source OUT destination self
 service-policy type inspect Outside_to_Self
zone-pair security Inside-Outside source IN destination OUT
 service-policy type inspect Inside-Outside
!
!
!
!
!
!
!
interface GigabitEthernet0/0
 ip address 101.101.100.245 255.255.255.0
 ip mask-reply
 ip directed-broadcast
 ip flow ingress
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description $FW_INSIDE$
 ip address 49.31.152.80 255.255.255.248
 ip mask-reply
 ip directed-broadcast
 ip flow ingress
 zone-member security IN
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 ip mask-reply
 ip directed-broadcast
 ip flow ingress
 encapsulation frame-relay IETF
 no fair-queue
 frame-relay lmi-type q933a
!
interface Serial0/0/0.16 point-to-point
 description $FW_OUTSIDE$
 ip address 172.17.18.122 255.255.255.252
 ip mask-reply
 ip directed-broadcast
 ip flow ingress
 ip verify unicast reverse-path
 zone-member security OUT
 frame-relay interface-dlci 16
!
interface Serial0/0/1
 no ip address
 ip mask-reply
 ip directed-broadcast
 ip flow ingress
 shutdown
 clock rate 2000000
!
ip forward-protocol nd
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 Serial0/0/0.16
ip identd
!
ip access-list extended ICMP
 remark CCP_ACL Category=128
 permit ip any any
ip access-list extended deeef
 remark CCP_ACL Category=128
 permit ip any any
ip access-list extended dwdwd
 remark CCP_ACL Category=1
 permit object-group Outside-Reply any any
!
access-list 1 remark CCP_ACL Category=1
access-list 1 permit 196.219.234.77
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 101.101.100.0 0.0.0.255
access-list 2 permit 10.20.10.0 0.0.1.255
!
no cdp run
!
!
!
!
!
control-plane
!
!
!
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 login local
 transport input all
line vty 5 15
 login local
 transport input all
!
scheduler allocate 20000 1000
end
04-09-2013 09:41 AM
Hello.
The configuration is wrong:
policy-map type inspect Outside_to_Self
 no class type inspect Deny_ALL
 class type inspect ICMP_RQST
  inspect
Let me know how it goes.
(If it does not work, post the configuration with the changes.)
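The defect the answer above corrects is easy to miss in a long running-config: the OUT-to-self zone-pair applies a policy whose only class matches an ACL and `pass`es it, so ICMP is never inspected on that pair. The following script is an added example, not part of this thread or any Cisco tool: it parses the class-map / policy-map / zone-pair sections of an IOS config and flags every zone-pair touching the `self` zone whose policy does not `inspect` ICMP, which is the check jcarvaja applied by eye. The two embedded configs are constructed, trimmed-down versions of the posted one (with the indentation IOS prints restored), before and after the suggested change; the rule "self-zone pairs should inspect ICMP" is an assumption taken from the answer in this thread, not a general Cisco requirement.

```python
"""Audit a Cisco IOS zone-based firewall (ZBF) config for ICMP handling on
self-zone pairs.  Added example for this thread; nothing here is device output."""
import re

# Constructed sample: the ZBF part of the posted config, with IOS indentation.
BROKEN_CONFIG = """\
class-map type inspect match-any Deny_ALL
 match access-group name dwdwd
class-map type inspect match-any ICMP_RQST
 match protocol icmp
!
policy-map type inspect Self_to_Outside
 class type inspect ICMP_RQST
  inspect
 class class-default
  drop
policy-map type inspect Outside_to_Self
 class type inspect Deny_ALL
  pass log
 class class-default
  drop
!
zone security IN
zone security OUT
zone-pair security Self_to_Outside source self destination OUT
 service-policy type inspect Self_to_Outside
zone-pair security Outside_to_Self source OUT destination self
 service-policy type inspect Outside_to_Self
"""

# Constructed sample: the same config after applying the fix from the answer.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    " class type inspect Deny_ALL\n  pass log\n",
    " class type inspect ICMP_RQST\n  inspect\n",
)

# Top-level block headers we care about; everything else is skipped.
HEADERS = {
    "class": re.compile(r"class-map type inspect match-(any|all) (\S+)$"),
    "policy": re.compile(r"policy-map type inspect (\S+)$"),
    "pair": re.compile(r"zone-pair security (\S+) source (\S+) destination (\S+)$"),
}


def parse_zbf(config):
    """Extract class-maps, policy-maps and zone-pairs from a running-config.
    Sub-commands are recognised by their leading space, as IOS prints them."""
    class_maps, policy_maps, zone_pairs = {}, {}, {}
    block = None       # (kind, name) of the top-level block we are inside
    cur_class = None   # class currently open inside a policy-map
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):            # top-level command: new block or none
            block, cur_class = None, None
            for kind, pat in HEADERS.items():
                m = pat.match(line)
                if m:
                    block = (kind, m.group(2) if kind == "class" else m.group(1))
                    break
            if block is None:
                continue
            kind, name = block
            if kind == "class":
                class_maps[name] = {"operator": m.group(1), "matches": []}
            elif kind == "policy":
                policy_maps[name] = {}
            else:
                zone_pairs[name] = {"source": m.group(2), "destination": m.group(3),
                                    "policy": None}
            continue
        if block is None:
            continue
        kind, name = block
        if kind == "class" and line.startswith("match "):
            class_maps[name]["matches"].append(line[6:])
        elif kind == "policy":
            m = re.match(r"class (?:type inspect )?(\S+)$", line)
            if m:
                cur_class = m.group(1)
                policy_maps[name][cur_class] = None
            elif cur_class is not None:
                policy_maps[name][cur_class] = line.split()[0]   # inspect / pass / drop
        elif kind == "pair":
            m = re.match(r"service-policy type inspect (\S+)$", line)
            if m:
                zone_pairs[name]["policy"] = m.group(1)
    return {"class_maps": class_maps, "policy_maps": policy_maps, "zone_pairs": zone_pairs}


def icmp_action(parsed, policy_name):
    """Action a policy-map applies to ICMP: the action of the first class whose
    class-map matches 'protocol icmp', otherwise the class-default action."""
    policy = parsed["policy_maps"].get(policy_name, {})
    for cls, action in policy.items():
        cm = parsed["class_maps"].get(cls)
        if cm and "protocol icmp" in cm["matches"]:
            return action
    return policy.get("class-default", "drop")   # ZBF drops unmatched traffic


def audit_self_zone_icmp(config):
    """Flag every zone-pair touching the self zone whose policy does not inspect
    ICMP, i.e. the condition the answer in this thread corrects."""
    parsed = parse_zbf(config)
    findings = []
    for name, pair in parsed["zone_pairs"].items():
        if "self" not in (pair["source"], pair["destination"]):
            continue
        action = icmp_action(parsed, pair["policy"])
        if action != "inspect":
            findings.append(f"{name} ({pair['source']} -> {pair['destination']}): "
                            f"no class inspects protocol icmp; unmatched ICMP gets '{action}'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, "->", audit_self_zone_icmp(cfg) or "no findings")
```

Run against the posted configuration the audit reports only the `Outside_to_Self` pair, and after the answer's change it reports nothing. The reason a `pass` on an ACL class does not substitute for `inspect` is that `pass` forwards matching packets statelessly, so it neither creates nor consults a session entry; only `inspect` tracks the echo request and admits the matching reply as part of that session.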