03-15-2006 06:50 PM - edited 02-21-2020 12:46 AM
[R4] --- PIX --- [R1]
I need to configure a static route for the 10.1.1.x network on R4 and configure the PIX so that R4
can ping 10.1.1.1 (R1). But the configuration does not seem to work.
R4
!
interface Ethernet0
ip address 20.x.x.x.x.255.0
!
ip route 10.1.1.1 255.255.255.0 20.1.24.254
!
PIX
!
nameif ethernet0 inside security100
nameif ethernet1 outside security0
!
ip address inside 10.1.1.254 255.255.255.0
ip address outside 20.x.x.x.x.255.0
!
static (inside,outside) 20.x.x.x.x.1.1 netmask 255.255.255.255 0 0
access-list MYACLOUT permit ip host 20.1.24.4 host 10.1.1.1
access-group MYACLOUT in interface outside
icmp permit host 20.1.24.4 echo outside
!
icmp deny any outside
icmp deny any inside
!
R1
!
interface Ethernet0
ip address 10.1.1.1 255.255.255.0
!
Ping does not work?
R4# ping 10.1.1.1
....
03-15-2006 07:24 PM
Hi,
Can you try the following config on the PIX:
static (inside,outside) 10.1.1.1 10.1.1.1 netmask 255.255.255.255 0 0
instead of:
static (inside,outside) 20.1.24.4 10.1.1.1 netmask 255.255.255.255 0 0
Hope that helps - please rate the post if it does.
Paresh
03-16-2006 06:28 AM
No, it did not work.
R4#ping 20.1.24.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.24.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R4#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R4#
03-16-2006 08:29 AM
The icmp permit host 20.1.24.4 echo outside is allowing the host 20.1.24.2 to ping the PIX, not the server that you have the static for. Add ICMP to your access-list and you should be good to go.
access-list MYACLOUT permit icmp any host 20.1.24.4
Hope this helps.
04-03-2006 06:42 AM
Simple!
Need to have a route back,
Type the following command on R1:
ip route 20.0.0.0 255.0.0.0 10.1.1.254
It should work after that...
All the best.
04-13-2006 07:59 AM
This should get you started:
R4:
no ip route 10.1.1.1 255.255.255.0 20.1.24.254
ip route 10.1.1.0 255.255.255.0 20.1.24.254
PIX:
ip address outside 20.1.24.254 255.255.255.0
no static (inside,outside) 20.x.x.x.x.1.1 netmask 255.255.255.255 0 0
static (inside,outside) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 0 0
access-list MYACLOUT permit icmp any any
no access-list MYACLOUT permit ip host 20.1.24.4 host 10.1.1.1
route outside 0.0.0.0 0.0.0.0
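Added example, not part of any post in this thread: a small Python check for the two routing points raised in the replies, namely the R4 static route whose prefix has host bits set and the missing return route on R1. The function names are hypothetical; the source address 20.1.24.4 and the 20.1.24.0/24 outside network are assumptions taken from the configuration lines quoted in the thread.

```python
import ipaddress

def parse_ip_route(line):
    """Parse an IOS-style 'ip route <prefix> <mask> <next-hop>' line."""
    parts = line.split()
    if len(parts) != 5 or parts[:2] != ["ip", "route"]:
        raise ValueError(f"not a static route line: {line!r}")
    # ip_interface keeps the address exactly as typed, host bits included
    dest = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}")
    return dest, ipaddress.ip_address(parts[4])

def lint_route(line):
    """Return a corrected line if the prefix has host bits set, else None."""
    dest, hop = parse_ip_route(line)
    net = dest.network
    if dest.ip == net.network_address:
        return None
    return f"ip route {net.network_address} {net.netmask} {hop}"

def next_hop(dst, connected, routes):
    """Longest-prefix match: 'connected', a next-hop address, or None."""
    dst = ipaddress.ip_address(dst)
    candidates = [(ipaddress.ip_network(n), "connected") for n in connected]
    for line in routes:
        dest, hop = parse_ip_route(line)
        candidates.append((dest.network, str(hop)))
    matches = [(n.prefixlen, via) for n, via in candidates if dst in n]
    return max(matches, key=lambda m: m[0])[1] if matches else None

if __name__ == "__main__":
    # Route as originally posted for R4
    r4_route = "ip route 10.1.1.1 255.255.255.0 20.1.24.254"
    print("R4 suggested fix:", lint_route(r4_route))

    # R1 only knows its connected network, so the echo reply to R4
    # (assumed source 20.1.24.4) has nowhere to go
    r1_connected = ["10.1.1.0/24"]
    print("R1 reply path, no static:", next_hop("20.1.24.4", r1_connected, []))

    # With the return route suggested in the thread
    r1_routes = ["ip route 20.0.0.0 255.0.0.0 10.1.1.254"]
    print("R1 reply path, with static:",
          next_hop("20.1.24.4", r1_connected, r1_routes))
```

This only models route lookup on the two routers; the PIX static translation and the access list on the outside interface still have to permit the echo request separately.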