04-17-2012 09:13 AM - edited 03-11-2019 03:54 PM
I am not able to ping a public IP address of 4.2.2.2 from a device on my network. Does anyone have ideas what could be preventing this?
A little about my network:
ISP > Pix 515 > Switch > Pix 501 > Device
Pix 515
outside dhcp setroute
inside(10.100.60.1/16)
Switch
--All Users except pix 501 are connected to it, receive an IP address and are able to ping 4.2.2.2
Pix 501
outside dhcp setroute
inside (172.16.0.1/24)
Pix received a 10.100.60.0 /16 address.
Pix is able to ping 10.100.60.1
Pix is NOT ABLE to ping 4.2.2.2
===PING TEST===
DansFW(config)# ping 10.100.60.1
10.100.60.1 response received -- 0ms
10.100.60.1 response received -- 0ms
10.100.60.1 response received -- 0ms
DansFW(config)# ping 4.2.2.2
4.2.2.2 NO response received -- 1000ms
4.2.2.2 NO response received -- 1000ms
4.2.2.2 NO response received -- 1000ms
===ROUTING INFO===
DansFW(config)# show route
outside 0.0.0.0 0.0.0.0 10.100.60.1 1 DHCP static
outside 10.100.0.0 255.255.0.0 10.100.60.23 1 CONNECT static
inside 172.16.0.0 255.255.255.0 172.16.0.1 1 CONNECT static
=====CONFIG ===
04-17-2012 09:43 AM
Hi,
Since you have the PIX501 on the LAN and not directly facing the Internet, can you try adding the command and try again?
icmp permit any outside
If you want to be more specific the command format is
icmp permit
- Jouni
04-17-2012 01:52 PM
Thanks for the suggestion, but it appears to be the same.
DansFW(config)# icmp permit any outside
DansFW(config)# ping 4.2.2.2
4.2.2.2 NO response received -- 1000ms
4.2.2.2 NO response received -- 1000ms
4.2.2.2 NO response received -- 1000ms
DansFW(config)# ping 10.100.60.1
10.100.60.1 response received -- 0ms
10.100.60.1 response received -- 0ms
10.100.60.1 response received -- 0ms
04-17-2012 04:18 PM
Hi,
Have you enabled "inspect icmp" in the PIX515?
And have you also allowed ICMPs in the PIX515 access-list?
- Jouni
04-18-2012 07:29 AM
It's a Pix 501, and it doesn't seem to support the command inspect. It is however passing data. I hooked a client up to it and the client is able to browse. Just ping seems to fail.
04-18-2012 08:43 AM
Hi,
I meant the PIX515 at the edge of the network. Ain't the PIX501 behind it?
Though now that I think of it, I guess you already have the "inspect icmp" rule enabled on the PIX515 if the hosts on its inside can ping the address you mentioned? Ain't the users in the same network as PIX501 outside interface?
Have you been checking the logs on the PIX515 to see if there's any echo replies coming from the target IP address?
I'm not totally sure if an old PIX501 has any additional configurations needed to allow ICMP when you're using its interface to ping something instead of a host behind it.
I think though that there's guides on how to configure the PIX to handle ICMP.
Have you tried to attach an access-list on the outside interface of the PIX501 in the direction "in" and allowing ICMP to the outside interface? Or if you have an access-list already configured, add a permit line to it.
- Jouni