PIX 515E unable to ping outside from inside

kiranthakur
Level 1

Dear all,

I'd like some support with a very basic PIX firewall configuration.

I'm dealing with a PIX 515E.

Inside hosts can ping the inside interface, outside hosts the outside interface, and so on...

I simply cannot ping the outside interface from inside hosts.

Inside hosts: 192.168.1.0

Outside: any host like google.com, or my ISP link's DNS IP, to check the link.

I have attached the PIX configuration text file; please have a look and suggest what I did wrong.

Thanks.

Pankaj.

10 Replies

Jouni Forss
VIP Alumni

Hi,

Try adding "fixup protocol icmp" to the configuration and try the ICMP again.

- Jouni

cadet alain
VIP Alumni

Hi,

Are you trying to ping outside hosts or the outside interface of the PIX? If the latter, it's impossible by design,

and as far as I know there is no way to work around this.

Regards.

Alain

Don't forget to rate helpful posts.

Thanks for your reply cadet alain,

I am simply trying to ping my ISP's DNS server to check whether the internet link is up, or simply to ping www.google.com and similar sites. A few weeks ago this was working fine and I was getting replies from all of these, but after one of the engineers made some modifications to the Cisco PIX 515E, I am facing this issue.

julomban
Level 3

Hello Kiran,

The PIX/ASA only responds to ICMP traffic sent to the interface that the traffic comes in on; you cannot send ICMP traffic through an interface to a far interface.

This applies to ICMP and to management access to the unit: only ping or access to your directly connected interface will work.

Regards,

Juan Lombana

Please rate helpful posts.

Hi all,

Thanks all for the valuable replies.

Last time I made modifications with the following commands, to access the Cisco PIX 515E via telnet from the outside interface:

access-list outside_access_in permit icmp any any

access-list outside_access_in permit ip any any

access-list inside_access_out permit ip any any

access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.168.0 255.255.255.0

access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.80.0 255.255.255.0

access-list outside_cryptomap_30 permit ip 192.168.1.0 255.255.255.0 192.168.80.0 255.255.255.0

access-list 100 permit tcp any eq telnet host PIX_inside eq telnet

access-list 100 permit tcp any eq telnet host pix_outside eq telnet

access-list 100 permit tcp any eq telnet host 182.73.110.160 eq telnet

After adding the above commands I am facing this: my internet link is up and working fine, but I am not able to get ping replies from the internet, e.g. from the ISP's DNS server IP 202.56.230.5.

When you modified the outside interface ACL, you did not permit ICMP. Try adding the command below. It should work.

access-list 100 permit icmp any any

Please rate the post if it's helpful.

With Regards,

Safwan

Also,

To my understanding, just adding "fixup protocol icmp" to the configuration should allow the echo-reply messages back to the LAN host even though you have not opened ICMP on the outside ACL.

Did you add the "fixup" command earlier?

- Jouni

Hi Jouni,

I haven't added the "fixup" command yet. The link is live and in use by the users, so to avoid any interruption I haven't added it; once the link is free I will try your suggestion.

Thanks for your reply.

Hi,

It shouldn't affect your current network operation at all, but if you want to be on the safe side while making changes, that's understandable.

You could then go with Safwan's suggestion/solution above, which is to open ICMP in the access-list you currently have enabled on your outside interface.

As Safwan says, it does seem you have changed the ACL that you are using on the outside interface at some point.

access-list 100 permit tcp any eq telnet host PIX_inside eq telnet

access-list 100 permit tcp any eq telnet host pix_outside eq telnet

access-list 100 permit tcp any eq telnet host 182.73.110.160 eq telnet

access-group 100 in interface outside

- Jouni

Thanks Jouni, Safwan, Juan Lombana, Alain.

All your feedback was very helpful; the command:

access-list 100 permit icmp any any

solved it in my configuration. Now I am able to send echoes and check my internet link, or check other outside IPs.

Thanks All..

Regards.
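The replies above make three points that are easy to confuse: the outside ACL (here ACL 100, bound with `access-group 100 in interface outside`) is evaluated against the echo-reply coming back from the Internet, so a telnet-only ACL silently drops it; `fixup protocol icmp` (`inspect icmp` on the ASA) instead tracks the outgoing echo as a connection and admits only the matching reply without consulting the outside ACL; and the PIX never answers a ping aimed at an interface other than the one the packet arrives on. The model below, an added example that is not code from the thread or from Cisco, replays the posted ACL 100 lines and the DNS address 202.56.230.5 through a small PIX-style packet filter. The interface addresses (192.168.1.1 and 203.0.113.2), the inside host 192.168.1.10, the omission of NAT and of the PIX `icmp` command, and the ACL parser (which handles only the address, port and ICMP-type forms used in the thread) are all assumptions of the example. It also shows the caveat a practitioner would want: `permit icmp any any` on the outside interface makes the ping work but equally admits unsolicited echo requests from the Internet toward the LAN, whereas `permit icmp any any echo-reply` or the fixup does not.

```python
"""PIX-style ACL and ICMP-inspection model; added example, not from the thread or Cisco."""
from collections import namedtuple
import ipaddress

# proto is "icmp" or "tcp"; icmp_type is "echo", "echo-reply", "unreachable", ...
Packet = namedtuple("Packet", "proto src dst icmp_type icmp_id seq", defaults=("", 0, 0))

def _addr(t, i):
    """Consume an address spec (any | host X | ADDR MASK) at token index i."""
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return f"{t[i + 1]} 255.255.255.255", i + 2
    return f"{t[i]} {t[i + 1]}", i + 2

def parse_acl(lines):
    """Parse 'access-list NAME permit|deny PROTO SRC [eq P] DST [eq P] [ICMPTYPE]' lines."""
    acls = {}
    for line in lines:
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        src, i = _addr(t, 4)
        i += 2 if t[i:i + 1] == ["eq"] else 0   # skip a source port qualifier
        dst, i = _addr(t, i)
        i += 2 if t[i:i + 1] == ["eq"] else 0   # skip a destination port qualifier
        icmp_type = t[i] if t[3] == "icmp" and i < len(t) else ""   # "" = any ICMP type
        acls.setdefault(t[1], []).append((t[2], t[3], src, dst, icmp_type))
    return acls

def _match_addr(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(
        spec.replace(" ", "/"), strict=False)

class Pix:
    def __init__(self, interfaces, acls, access_groups, fixup_icmp=False):
        self.ifaces = interfaces      # name -> (address, security level)
        self.acls = acls
        self.groups = access_groups   # ingress interface -> inbound ACL name
        self.fixup_icmp = fixup_icmp  # is "fixup protocol icmp" configured?
        self.icmp_conns = set()       # (requester, target, id, seq) awaiting a reply

    def _acl_permits(self, ingress, egress, pkt):
        name = self.groups.get(ingress)
        if name is None:   # no ACL bound: a higher security level may initiate to a lower one
            return self.ifaces[ingress][1] > self.ifaces[egress][1]
        for action, proto, src, dst, itype in self.acls.get(name, []):   # first match wins
            if (proto in ("ip", pkt.proto) and _match_addr(src, pkt.src)
                    and _match_addr(dst, pkt.dst) and itype in ("", pkt.icmp_type)):
                return action == "permit"
        return False   # implicit deny at the end of every ACL

    def forward(self, ingress, egress, pkt):
        """Verdict for a packet arriving on ingress and bound for egress."""
        if any(pkt.dst == a for n, (a, _) in self.ifaces.items() if n != ingress):
            return "drop: far interface"   # the box answers only on the arrival interface
        key = (pkt.dst, pkt.src, pkt.icmp_id, pkt.seq)
        if self.fixup_icmp and pkt.icmp_type == "echo-reply" and key in self.icmp_conns:
            self.icmp_conns.discard(key)   # one reply per request; outside ACL not consulted
            return "permit: matched ICMP connection"
        if not self._acl_permits(ingress, egress, pkt):
            return "drop: acl"
        if self.fixup_icmp and pkt.icmp_type == "echo":
            self.icmp_conns.add((pkt.src, pkt.dst, pkt.icmp_id, pkt.seq))
        return "permit: acl"

# Constructed topology (interface addresses and inside host assumed); DNS and ACL 100 as posted.
IFACES = {"inside": ("192.168.1.1", 100), "outside": ("203.0.113.2", 0)}
GROUPS = {"outside": "100"}   # access-group 100 in interface outside
HOST, DNS = "192.168.1.10", "202.56.230.5"
POSTED_ACL = [
    "access-list 100 permit tcp any eq telnet host PIX_inside eq telnet",
    "access-list 100 permit tcp any eq telnet host pix_outside eq telnet",
    "access-list 100 permit tcp any eq telnet host 182.73.110.160 eq telnet",
]

def build(extra_lines=(), fixup_icmp=False):
    return Pix(IFACES, parse_acl(POSTED_ACL + list(extra_lines)), GROUPS, fixup_icmp)

def ping_through(fw, src=HOST, dst=DNS, icmp_id=0x1234, seq=1):
    """Echo from inside to dst; return the verdicts for the request and for its reply."""
    out = fw.forward("inside", "outside", Packet("icmp", src, dst, "echo", icmp_id, seq))
    if not out.startswith("permit"):
        return out, "not sent"
    return out, fw.forward("outside", "inside", Packet("icmp", dst, src, "echo-reply", icmp_id, seq))

def scenarios():
    """Verdicts for the configurations the thread discusses, plus what each lets in unasked."""
    thread_fix = ["access-list 100 permit icmp any any"]
    reply_only = ["access-list 100 permit icmp any any echo-reply"]
    probe = Packet("icmp", DNS, HOST, "echo")   # unsolicited echo request from the Internet
    return {
        "posted": ping_through(build()),
        "thread_fix": ping_through(build(thread_fix)),
        "echo_reply_only": ping_through(build(reply_only)),
        "fixup": ping_through(build(fixup_icmp=True)),
        "probe_thread_fix": build(thread_fix).forward("outside", "inside", probe),
        "probe_echo_reply_only": build(reply_only).forward("outside", "inside", probe),
        "far_interface": build().forward("inside", "outside",
                                         Packet("icmp", HOST, IFACES["outside"][0], "echo")),
    }
```

Running `scenarios()` gives the thread's story in verdicts: with the posted ACL the request leaves but the reply is dropped by ACL 100; with the accepted fix both pass, but so does an unsolicited echo request from outside; the `echo-reply` keyword passes the reply and still drops the probe; and with the fixup the reply is admitted on the connection match without touching the ACL. If you take the ACL route rather than the fixup, also permitting `unreachable` and `time-exceeded` keeps path-MTU discovery and traceroute working; `permit ip any any`, as in the posted `outside_access_in` list, should never be bound to the outside interface.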
