cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2078
Views
29
Helpful
24
Replies

PIX, server, ping problem...

homeboarder8
Level 1
Level 1

Okay I thought I had this problem solved but it seems I have a different problem all together. So here is my situation... I have two servers behind a PIX 501. The PIX has a static external IP, and both servers have their own static external IPs that are being forwarded through the PIX to local IPs. I can ping the PIX from an outside network, but I cannot ping either of the servers external IPs.

Any help will be appriciated here.

Thanks!

24 Replies 24

Make sure software firewalls installed on server permit ICMP (Like windows firewall) try temporarily disabling then ping

jfbeam, ip does not include icmp.

Okay here is where I stand. I can now ping out from the server, but still I cannot ping the external IP addresses of either of the servers. Note that I am using a static route for the external IPs to the internal ones (Not sure if that makes any difference). But here is the updated running config:

PIX Version 6.3(4)

interface ethernet0 100full

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxxxxxxxxxx encrypted

passwd xxxxxxxxxx encrypted

hostname homeVOIP

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

object-group network pptp_servers

network-object host 74.xx.xx.55

network-object host 74.xx.xx.54

access-list inbound permit icmp any any

access-list inbound permit udp any object-group pptp_servers eq domain

access-list inbound permit tcp any object-group pptp_servers eq www

access-list inbound permit tcp any object-group pptp_servers eq pptp

access-list inbound permit gre any object-group pptp_servers

access-list outbound permit ip 10.0.0.0 255.0.0.0 any

access-list outbound deny ip any any log

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside 74.xx.xx.56 255.255.255.248

ip address inside 10.xx.xx.81 255.0.0.0

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 10.0.0.0 255.0.0.0 0 0

static (inside,outside) 74.xx.xx.55 10.xx.xx.85 netmask 255.255.255.255 0 0

static (inside,outside) 74.xx.xx.54 10.xx.xx.84 netmask 255.255.255.255 0 0

access-group inbound in interface outside

access-group outbound in interface inside

conduit permit icmp any any

route outside 0.0.0.0 0.0.0.0 74.xx.xx.58 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

: end

Thanks again for all the help.

You have to allow the ping reply in your outbound acl since ip does NOT include icmp.

access-list outbound permit icmp any any

Okay I entered that access-list in but I still cannot ping the external IP addresses...

If following commands do not work, I recommend you to upgrade your IOS to 6.3(5)

no conduit permit icmp any any

conduit permit icmp host 77.xx.xx.55 any

conduit permit icmp host 77.xx.xx.54 any

icmp permit any outside

one last possibility if above does not work

no floodguard enable

again double-check if ICMP is enabled in any software firewall (make sure it is not allowed to a specific range of IPs, like windows firewall options)

I entered your settings, and still it does not work. Could you point me in the right direction to upgrade to firmware?

Thanks.

I entered your settings and I am still not able to ping the servers. Can you point me in the right direction as to where I can download the updated firmware? And I am still open to other ideas....

Thanks for the help!

You can download 6.3(5) from following link

http://www.cisco.com/pcgi-bin/tablebuild.pl?topic=268439592

But you need a CCO account

I upgraded the firmware but the problem still exists. Could this have something to do with the static routes? And if I set my servers to the external IPs could I still use PPTP for secure remote connections?

Thanks!

Review Cisco Networking for a $25 gift card