12-17-2007 06:44 AM - edited 03-12-2019 05:51 PM
Okay, I thought I had this problem solved, but it seems I have a different problem altogether. So here is my situation: I have two servers behind a PIX 501. The PIX has a static external IP, and both servers have their own static external IPs that are being forwarded through the PIX to local IPs. I can ping the PIX from an outside network, but I cannot ping either of the servers' external IPs.
Any help will be appreciated here.
Thanks!
12-18-2007 12:03 AM
Make sure any software firewall installed on the server (like Windows Firewall) permits ICMP; try temporarily disabling it, then ping.
12-18-2007 06:58 AM
jfbeam, IP does not include ICMP.
12-18-2007 07:26 AM
Okay, here is where I stand. I can now ping out from the server, but I still cannot ping the external IP addresses of either of the servers. Note that I am using a static route for the external IPs to the internal ones (not sure if that makes any difference). But here is the updated running config:
PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxx encrypted
passwd xxxxxxxxxx encrypted
hostname homeVOIP
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network pptp_servers
network-object host 74.xx.xx.55
network-object host 74.xx.xx.54
access-list inbound permit icmp any any
access-list inbound permit udp any object-group pptp_servers eq domain
access-list inbound permit tcp any object-group pptp_servers eq www
access-list inbound permit tcp any object-group pptp_servers eq pptp
access-list inbound permit gre any object-group pptp_servers
access-list outbound permit ip 10.0.0.0 255.0.0.0 any
access-list outbound deny ip any any log
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 74.xx.xx.56 255.255.255.248
ip address inside 10.xx.xx.81 255.0.0.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
static (inside,outside) 74.xx.xx.55 10.xx.xx.85 netmask 255.255.255.255 0 0
static (inside,outside) 74.xx.xx.54 10.xx.xx.84 netmask 255.255.255.255 0 0
access-group inbound in interface outside
access-group outbound in interface inside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 74.xx.xx.58 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
: end
Thanks again for all the help.
12-18-2007 09:03 AM
You have to allow the ping reply in your outbound ACL, since ip does NOT include icmp.
access-list outbound permit icmp any any
12-18-2007 12:17 PM
Okay, I entered that access-list, but I still cannot ping the external IP addresses...
12-18-2007 12:53 PM
If the following commands do not work, I recommend you upgrade your IOS to 6.3(5):
no conduit permit icmp any any
conduit permit icmp host 74.xx.xx.55 any
conduit permit icmp host 74.xx.xx.54 any
icmp permit any outside
One last possibility if the above does not work:
no floodguard enable
Again, double-check that ICMP is enabled in any software firewall (make sure it is not restricted to a specific range of IPs, as the Windows Firewall options allow).
12-18-2007 03:34 PM
I entered your settings, and it still does not work. Could you point me in the right direction to upgrade the firmware?
Thanks.
12-18-2007 07:37 PM
I entered your settings and I am still not able to ping the servers. Can you point me in the right direction as to where I can download the updated firmware? And I am still open to other ideas....
Thanks for the help!
12-19-2007 01:12 AM
You can download 6.3(5) from the following link:
http://www.cisco.com/pcgi-bin/tablebuild.pl?topic=268439592
But you need a CCO account.
12-20-2007 10:06 AM
I upgraded the firmware but the problem still exists. Could this have something to do with the static routes? And if I set my servers to the external IPs could I still use PPTP for secure remote connections?
Thanks!