02-06-2002 10:46 AM - edited 02-20-2020 09:58 PM
I am having a problem that stems from trying to set up a WebSense server in our DMZ. It seems as though the DMZ servers cannot ping the DMZ interface of the PIX, and the PIX cannot ping (or contact of any sort) any of the DMZ servers. The servers in the DMZ can ping each other fine. The DMZ servers can access the internet, internal PCs (according to access lists), and basically have all appropriate functionality. The DMZ interface IP address is the gateway for all DMZ servers. The servers can resolve the correct MAC address when attempting to ping the DMZ interface, but get no response. Ditto for the PIX trying to ping the server: arp resolves, but no response. My DMZ's first access list statement says permit icmp any any, so I am pretty sure it's not an access list issue. For troubleshooting purposes, I even added an ip permit any any to the end of it and still the same problem. Sorry this was so lengthy, but wanted to give as much info as possible. I am being pressured to get WebSense working in the next two weeks, but have to resolve this issue first, since the PIX keeps sending SNMPs to Syslog server saying it cannot contact URL server. HELP !!!!
02-07-2002 08:02 AM
Pings to and from the firewall are not set by access control lists, but by the 'icmp' command.
In your case, you want to enable the following commands on your DMZ interface (assuming that 10.1.1.0/24 is your DMZ network):
icmp permit 10.1.1.0 255.255.255.0 echo dmz
icmp permit 10.1.1.0 255.255.255.0 echo-reply dmz
02-08-2002 09:58 AM
OK, I didn't have those commands in, but I don't have them in on any of the other interfaces, yet all hosts behind those respective interfaces can still ping the interface itself. But I DID add the aforementioned statements with no change in the behavior of DMZ hosts or the PIX to the DMZ. Any other suggestions?
02-08-2002 09:40 AM
Try removing the permit icmp any any from the DMZ zone. By default the PIX is supposed to allow any host connected to that interface to ping it. Do a show route statement and make sure the PIX knows how to get to the DMZ, i.e. correct subnet range listed for that interface. Are you using any conduit statements? You do not want to be using conduits and access-lists together.
02-08-2002 10:06 AM
OK, I have removed the access-list statement allowing icmp traffic. The reason it was there is that (I was told) if the icmp packet hits that rule first, it will reduce the amount of processing time for that packet. May not be true, but I didn't know any better. At any rate, I have removed the statement, verified that the PIX knows the attached subnet is connected to the DMZ interface, and that we aren't using conduit and access list statements. No change in behavior of pings to DMZ hosts from PIX and PIX to hosts. I also added the icmp permit (ip address) (netmask) echo dmz and echo-reply dmz and THAT didn't make a difference either! Any other thoughts?
02-08-2002 02:50 PM
If you telnet into the PIX, can you ping a host on the inside interface? I would try enabling logging for the icmp messages and see if it indicates where the pings are failing.
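The distinction the replies above draw, between the interface access-list (traffic passing through the PIX) and the icmp command (ICMP addressed to the PIX's own interface), together with the logging check suggested in the last reply, as one worked PIX 6.x configuration and verification sequence. This is an added example, not configuration posted by anyone in the thread: the 10.1.1.0/24 DMZ network is the one assumed earlier in the thread, while the access-list name dmz_in, the DMZ host 10.1.1.10 and the syslog collector address 192.0.2.50 are constructed placeholders.

```cisco
: Interface access-list: controls traffic passing THROUGH the PIX that
: arrives on the dmz interface. It does not control pings addressed TO
: the dmz interface address itself, which is why 'permit icmp any any'
: here has no effect on pinging the firewall.
access-list dmz_in permit icmp any any
access-group dmz_in in interface dmz

: icmp command: controls ICMP addressed TO the firewall's own interface.
: With no icmp statements on an interface the PIX answers pings by
: default. Once any icmp statement exists for that interface, only the
: listed ICMP is accepted and everything else is implicitly denied, so
: permit echo and echo-reply from the DMZ network explicitly.
icmp permit 10.1.1.0 255.255.255.0 echo dmz
icmp permit 10.1.1.0 255.255.255.0 echo-reply dmz
icmp deny any dmz

: Verification steps from the thread.
: show icmp  - lists the icmp statements applied per interface
: show route - confirm 10.1.1.0/24 appears as a CONNECT route on dmz
: show arp   - confirm the DMZ host's MAC was learned on the dmz interface
show icmp
show route
show arp

: Send syslog (including ICMP messages at debugging level) to a collector
: on the inside network, then trace ICMP while pinging the DMZ host from
: the PIX itself. 'ping dmz 10.1.1.10' sources the probe from the dmz
: interface; 'debug icmp trace' shows each echo and reply the PIX sees.
logging on
logging trap debugging
logging host inside 192.0.2.50
debug icmp trace
ping dmz 10.1.1.10
no debug icmp trace
```

If the debug output shows the echo request leaving the dmz interface but no echo-reply arriving, the problem is on the host side or the segment between them; if the request never appears at all, look at the route and ARP output, since the PIX is not even sourcing the packet onto that interface.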