Paul,

I have a static entry and expilictly allowed icmp using an outside access-list

Here is the config for reference

PIX Version 6.3(4)

interface ethernet0 100full

interface ethernet1 100full

interface ethernet2 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security50

enable password xxxx

passwd xxxxx

hostname pixfirewall

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list outsidein permit icmp any any

pager lines 24

logging monitor debugging

mtu outside 1500

mtu inside 1500

mtu dmz 1500

ip address outside 172.16.x x.255.255.0

ip address inside 172.16.9.11 255.255.255.0

no ip address dmz

ip audit info action alarm

ip audit attack action alarm

no failover

failover timeout 0:00:00

failover poll 15

no failover ip address outside

no failover ip address inside

no failover ip address dmz

pdm history enable

arp timeout 14400

static (inside,outside) 172.x.x.x.16.9.0 netmask 255.255.255.0 0 0

static (outside,inside) 172.x.x.x.16.9.0 netmask 255.255.255.0 0 0

access-group outsidein in interface outside

route outside 0.0.0.0 0.0.0.0 172.16.15.1 1

route outside 172.16.9.0 255.255.255.128 172.16.15.1 2

route outside 172.16.9.128 255.255.255.128 172.16.15.1 1

route inside 192.168.53.0 255.255.255.0 172.16.9.254 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet 192.168.0.0 255.255.0.0 inside

telnet 192.168.0.0 255.255.0.0 dmz

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

Cryptochecksum:xxxx

: end

pixfirewall(config)#

Hi Mohammed,

I see the problem now. The thing is that the config as it stands will not work. There needs to be more separation between the networks. I think it is possible the PIX is becoming confused with regard to routing the return packets. There needs to be another address range used to enable the connectivity and this must be the address utilised in the communication.

Try changing the translated address to something else:

eg.

static (inside,outside) 172.16.100.0 172.16.9.0 netmask 255.255.255.0 0 0

static (outside,inside) 172.16.100.0 172.16.9.0 netmask 255.255.255.0 0 0

Then ping 172.16.100.1

The source of 172.16.9.111 will be translated to 172.16.100.111

The dest address of 172.16.100.1 will be translated to 172.16.9.1 with the return traffic translated vice versa.

The router needs a static route pointing to the PIX for the 172.16.100.0/24 subnet.

Cheers,

Paul