12-17-2007 06:44 AM - edited 03-12-2019 05:51 PM
Okay, I thought I had this problem solved but it seems I have a different problem altogether. So here is my situation... I have two servers behind a PIX 501. The PIX has a static external IP, and both servers have their own static external IPs that are being forwarded through the PIX to local IPs. I can ping the PIX from an outside network, but I cannot ping either of the servers' external IPs.
Any help will be appreciated here.
Thanks!
12-17-2007 10:37 AM
Just to give some more information, I have PPTP set up for the external IP addresses on the servers. Once I am connected through PPTP I can ping the internal IP address. Could PPTP be the problem?
Thanks.
12-17-2007 10:50 AM
Hi Austin
Try this
access-list outside_access_in permit icmp any host externalIPofserver1
access-list outside_access_in permit icmp any host externalIPofserver2
Regards
12-17-2007 10:58 AM
Thanks for the response. I tried your recommendations and still I get the "Request timed out" message when trying to ping the servers.
Other ideas?
Just to clarify some things... I am able to PPTP & RDP to the servers. But I am not able to ping the external IP addresses from an external network.
12-17-2007 12:06 PM
Please post your config
12-17-2007 01:29 PM
PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxx encrypted
hostname homeVOIP
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network pptp_servers
network-object host 74.xx.xx.55
network-object host 74.xx.xx.54
access-list inbound permit tcp any host 74.xx.xx.55 eq www
access-list inbound permit tcp any host 74.xx.xx.55 eq domain
access-list inbound permit udp any host 74.xx.xx.55 eq domain
access-list inbound permit tcp any host 74.xx.xx.55 eq pptp
access-list inbound permit tcp any host 74.xx.xx.54 eq pptp
access-list inbound permit tcp any host 74.xx.xx.54 eq www
access-list inbound deny ip any any log
access-list outbound permit ip 10.0.0.0 255.0.0.0 any
access-list outbound deny ip any any log
access-list acl_inbound permit tcp any object-group pptp_servers eq pptp
access-list acl_inbound permit gre any object-group pptp_servers
access-list acl-inbound permit udp any any eq domain
access-list acl-inbound permit udp any eq domain any
access-list acl-inbound permit tcp any any eq domain
access-list acl-inbound permit tcp any eq domain any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 74.xx.xx.56 255.255.255.248
ip address inside 10.xx.xx.81 255.0.0.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
static (inside,outside) 74.xx.xx.55 10.xx.xx.85 netmask 255.255.255.255 0 0
static (inside,outside) 74.xx.xx.54 10.xx.xx.84 netmask 255.255.255.255 0 0
access-group acl_inbound in interface outside
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 74.xx.xx.58 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
: end
12-17-2007 01:37 PM
access-list acl-inbound permit icmp any host 74.xx.xx.55
access-list acl-inbound permit icmp any host 74.xx.xx.54
access-list outbound permit icmp any any echo-reply
12-17-2007 01:43 PM
I entered in the above yet I still cannot ping the external IP addresses. Even when I try to ping from the PIX I get "NO response received".
Other thoughts?
12-17-2007 02:49 PM
I'm just throwing stuff out there, but could this have something to do with ARP? I did a "show arp" and noticed there are some different IP addresses stored in there...
homeVOIP(config)# show arp
outside 74.xx.xx.58 0013.f746.d8e3
outside 74.xx.xx.57 0013.1011.2f09
inside 10.xx.xx.84 00c0.9f21.a901
12-17-2007 03:31 PM
Do you see the pings (echo requests) on the server? Sometimes I have seen office laptops (special images) configured not to respond to pings. I ended up spending 2 hours debugging a similar issue.
Satya
12-17-2007 03:49 PM
Yes, I don't think it has anything to do with that. I can ping everything fine (the PIX, other external IP addresses), just not the 2 external IPs for the servers. I did some more debugging and noticed that I cannot ping OUT from the servers either. If you need any other information please let me know.
Thanks!
12-17-2007 04:29 PM
To ping from inside to outside you will need...
access-list acl-inbound permit icmp any any echo-reply
access-list outbound permit icmp any any echo
12-17-2007 04:53 PM
For starters, pick an access list name and stay with it. You have *3* "inbound" ACLs defined: (1) inbound, (2) acl_inbound, and (3) acl-inbound. Notice the underscore vs. dash. "acl_inbound" (underscore) is the one that's active. This is why I dislike access-lists; call me old, but "conduit permit icmp any any" has never failed me.
Your outbound filter is unnecessary under normal circumstances. The access list ("outbound") doesn't have anything to block unless something on the internal network is screwed up. Unless management software complains about not having this filter, I'd remove it. People always forget they have to allow traffic in both directions. (Add a vote for conduits. *grin*)
Your inbound ACL (and let's settle on "inbound") needs to allow ICMP in (and the replies back out if there's a filter in the other direction).
! "inbound"
clear access-list inbound
access-list inbound permit icmp any any
access-list inbound permit tcp any object-group pptp_servers eq domain
access-list inbound permit tcp any object-group pptp_servers eq www
access-list inbound permit tcp any object-group pptp_servers eq pptp
access-list inbound permit gre any object-group pptp_servers
access-group inbound in interface outside
As it stands, the outbound list will not prevent ICMP traffic -- "ip" includes ICMP.
If that still doesn't work, "conduit permit icmp any any" will. ('Tho management software tends to complain about using conduits.)
Note about "conduit": Cisco deprecated conduits a long time ago. However, current versions of PDM (3.0+) don't complain about them and will actually create them. So, they aren't as Evil(tm) as Cisco once taught.
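The root cause identified in this reply (ICMP permits added to an access list that is never bound with access-group, so they have no effect) is easy to check mechanically. The following script is an added example, not code from the thread or from Cisco: it parses PIX 6.3-style "access-list" and "access-group" lines, reports ACLs that are defined but not applied to any interface, and checks whether the ACLs actually bound to the outside and inside interfaces would pass an ICMP echo in and an echo-reply out. The configuration it runs on is a constructed, trimmed sample shaped like the one posted above (74.0.0.x addresses are placeholders); address fields are ignored, so the verdict is for the "any any" case, and ordering is honoured because the first matching line decides, followed by the implicit deny.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the posted config: three "inbound" ACLs,
# only acl_inbound is bound to the outside interface. Addresses are placeholders.
SAMPLE_CONFIG = """\
access-list inbound permit tcp any host 74.0.0.55 eq www
access-list inbound permit tcp any host 74.0.0.55 eq domain
access-list inbound deny ip any any log
access-list outbound permit ip 10.0.0.0 255.0.0.0 any
access-list outbound deny ip any any log
access-list acl_inbound permit tcp any object-group pptp_servers eq pptp
access-list acl_inbound permit gre any object-group pptp_servers
access-list acl-inbound permit udp any any eq domain
access-list acl-inbound permit icmp any host 74.0.0.55
access-group acl_inbound in interface outside
access-group outbound in interface inside
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.*)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")

# ICMP type keywords that may trail an "access-list ... icmp" line and narrow it.
ICMP_TYPES = {"echo", "echo-reply", "unreachable", "time-exceeded", "traceroute"}


def parse_config(text):
    """Return (acls, bindings).

    acls: ACL name -> list of (action, protocol, rest-of-line) in config order.
    bindings: interface name -> ACL name applied with access-group.
    """
    acls = defaultdict(list)
    bindings = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            name, action, proto, rest = m.groups()
            acls[name].append((action, proto, rest))
            continue
        m = GROUP_RE.match(line)
        if m:
            name, iface = m.groups()
            bindings[iface] = name
    return dict(acls), bindings


def unbound_acls(acls, bindings):
    """ACLs that exist but are applied to no interface: editing them changes nothing."""
    return sorted(set(acls) - set(bindings.values()))


def icmp_verdict(acls, name, icmp_type):
    """Would ACL `name` pass ICMP of `icmp_type` (e.g. 'echo', 'echo-reply')?

    Simplification: addresses are ignored, so this is the 'any any' verdict.
    The first line whose protocol covers ICMP decides ('ip' includes ICMP);
    an 'icmp' line with no trailing type keyword covers every type.
    """
    for action, proto, rest in acls.get(name, []):
        if proto == "ip":
            return action == "permit"
        if proto == "icmp":
            words = rest.split()
            typ = words[-1] if words and words[-1] in ICMP_TYPES else None
            if typ is None or typ == icmp_type:
                return action == "permit"
    return False  # implicit deny at the end of every access list


def ping_report(text):
    """Findings explaining why a ping to a static on the outside might fail."""
    acls, bindings = parse_config(text)
    findings = []
    for name in unbound_acls(acls, bindings):
        findings.append(f"ACL '{name}' is defined but never bound with access-group; its lines are inert")
    outside = bindings.get("outside")
    if outside and not icmp_verdict(acls, outside, "echo"):
        findings.append(f"outside ACL '{outside}' does not permit icmp echo; inbound pings are dropped")
    inside = bindings.get("inside")
    if inside and not icmp_verdict(acls, inside, "echo-reply"):
        findings.append(f"inside ACL '{inside}' does not permit icmp echo-reply; replies are dropped")
    return findings


if __name__ == "__main__":
    for finding in ping_report(SAMPLE_CONFIG):
        print(finding)
```

On the sample, the report flags "inbound" and "acl-inbound" as unbound and notes that "acl_inbound" (the one actually applied outside) has no ICMP permit, while the inside list passes the reply because its "permit ip" line already covers ICMP, which is exactly the combination described in the reply above.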
12-17-2007 05:53 PM
Okay, so from what I understand, I should delete the ACLs inbound and acl-inbound and replace them with the ACL inbound above?
Thanks for your help!
12-17-2007 07:12 PM
They're not being used, so they just take up space (and confuse people.) I rolled them all into "inbound".
And the domain line should be UDP, not TCP.
access-list inbound permit udp any object-group pptp_servers eq domain
(TCP is only used for zone transfers.)