Re: Pinging through the PIX

wsudds · ‎07-09-2002

I've tried just about everything to ping the outside of the pix from a workstation with no success. Here is the recent command tried:

permit icmp echo-reply

access-list 100 permit icmp any host [external-ip-address] echo

access-group 100 in interface outside

rsnider · ‎07-09-2002

Here's the list you need for ping and trace for an outside address

access-list 100 permit icmp any any time-exceeded

access-list 100 permit icmp any any echo-reply

access-list 100 permit icmp any any unreachable

access-group 100 in interface outside

Do you have an access list on the inside interface? If you do you will need to permit icmp there as well.

Ron

wsudds · ‎07-09-2002

These are my ip addresses on the devices.

I've applied the access list you adviced inside and outside,

still no success. Am I missing something? THX in Advance.

192.168.201.1 255.255.255.0-Router

192.168.200.2

192.168.200.1 255.255.255.0-Pix

192.168.100.2

switch

192.168.100.100 255.255.255.0- Workstation

rsnider · ‎07-09-2002

Are you trying to ping 192.168.200.1or are you trying to ping 192.168.200.2?

I don't think that you can ping the outside interface from inside, but you should be able to ping the next hop(router). Is your default route set to

route outside 0.0.0.0 0.0.0.0 192.168.200.2

Ron

wsudds · ‎07-09-2002

I have my route outside set at 192.168.200.1 which is the routers inside interface, that maybe the problem, only thing the pix is not allowing me to change it to 192.168.200.2 which is the pix outside interface. THX Wil

rsnider · ‎07-09-2002

If your network is as follows " internet--router--hub/switch--pix--hub/switch--workstation " then the pix default gateway should be set to the routers inside interface. If this is so then you should be able to ping the router inside interface from the pix or the work station. You will need a hub or switch or cross-over cable between each device. Are the link lights green on all the interfaces? You will also need to allow echo-reply. Try the command "show interface e0" The first line will tell you if the interface is functioning.

Ron

wsudds · ‎07-09-2002

My network is internet--router--crossover cable to pix/switch--workstation.

THX Wil

edadios · ‎07-09-2002

Form a pc on the inside of the pix, you can not ping the outside interface of the pix.

If you could ping from the pix itself to the outside router, and you want the pc behind the pix to also ping the outside router, you need a NAT and global statement, then you could add an access-list or just do "conduit permit icmp any any" to allow ping from the inside to the outside.

Here is a link to a good documentation: http://www.cisco.com/warp/public/707/28.html#in-out

wsudds · ‎07-12-2002

Is there a simple config I can paste into the pix just to test connectivity.

mns0523 · ‎07-12-2002

If you have access lists on the inside and outside interfaces, put this command in the outside access list (of course with your access list number)....

access-list outside permit icmp any any

On the inside access list add this line......

access-list inside permit icmp any any

This is going to add these lines to the bottom of your access list, so make sure your not denying icmp any where above it. This will allow all icmp from inside to outside and outside to inside.

Hope this helps.....

edadios · ‎07-12-2002

To ping form insdie to outside network.

add a route on router for the network behind the pix

router->ip route 192.168.100.0 255.255.255.0 192.168.200.1

add nat and global and conduit on pix

pix-> nat (inside) 1 0 0

global(outside) 1 interface

conduit permit icmp any any

And then the ping from inside to outside should work.

Regards,