05-31-2010 12:31 AM - edited 03-11-2019 10:52 AM
Hi,
My inside-interface users can't ping the outside interface, even after I have configured an ACL which allows ping and also the ICMP response, and configured ICMP inspection as well. Find below the configuration of the PIX 515E, which is running IOS version 8.0(3):
PIX Version 8.0(3)
!
hostname FWALL
enable password f1/B5iV9rJ.dvsDE encrypted
names
dns-guard
!
interface Ethernet0
description P2P link
speed 100
duplex full
nameif outside1
security-level 0
ip address 24.0.0.2 255.255.255.0
!
interface Ethernet1
description LAN interface
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.10.11 255.255.255.0
!
interface Ethernet2
description Internet Gateway
speed 100
duplex full
nameif outside2
security-level 0
ip address 25.0.0.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system flash:/pix803.bin
ftp mode passive
clock timezone IST 5 30
same-security-traffic permit inter-interface
!
access-list icmpacl extended permit icmp any 192.168.10.0 255.255.255.0
access-list acl_inside extended permit ip 192.168.10.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
logging host inside 192.168.10.11
mtu outside1 1500
mtu inside 1500
mtu outside2 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-603.bin
no asdm history enable
arp timeout 14400
access-group icmpacl in interface outside1
access-group acl_inside in interface inside
route outside1 0.0.0.0 0.0.0.0 24.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.23.15.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 30
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map icmp-class
match access-list icmpacl
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
class icmp-class
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d1afb781f4e40a7c4f8963cd853f94d9
: end
FWALL#
I omitted unnecessary config; I am not using interface Ethernet2.
Thanks,
Hasmukh
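An added audit script for the configuration above (this is example code written for this page, not from the thread or from Cisco). It parses a constructed excerpt of the posted pre-8.3 config and reports, for an assumed inside host 192.168.10.5 pinging 172.23.15.13, three things: whether the inside interface ACL permits the echo, whether a nat/global pair covers the host towards outside1, and whether any class in global_policy that carries inspect icmp actually matches that flow. It then re-runs the audit with the nat/global and inspect icmp lines suggested later in the thread appended. Two assumptions are built in: class icmp-class is keyed on icmpacl, whose destination is 192.168.10.0/24, so an echo leaving for 172.23.15.13 does not match it; and match default-inspection-traffic is treated as covering ICMP, as ASA's default inspection traffic set does.

```python
"""Added audit of a pre-8.3 PIX/ASA config: is the ping flow permitted,
NATted and ICMP-inspected?  Simplified parser, not Cisco's."""
import ipaddress

# Constructed excerpt of the config posted in the question, trimmed to the
# lines the audit needs (sub-commands indented with a space as in show run).
POSTED_CONFIG = """\
access-list icmpacl extended permit icmp any 192.168.10.0 255.255.255.0
access-list acl_inside extended permit ip 192.168.10.0 255.255.255.0 any
access-group icmpacl in interface outside1
access-group acl_inside in interface inside
class-map icmp-class
 match access-list icmpacl
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect ftp
 class icmp-class
  inspect icmp
service-policy global_policy global
"""

# The two changes suggested later in the thread: a nat/global pair for the
# inside network and inspect icmp under the default inspection class.
THREAD_FIX = """\
nat (inside) 1 192.168.10.0 255.255.255.0
global (outside1) 1 interface
policy-map global_policy
 class inspection_default
  inspect icmp
"""


def parse_config(text):
    """Collect ACLs, access-groups, nat/global lines, class-maps and policy-maps."""
    cfg = {"acls": {}, "access_groups": {}, "nat": [], "global": [],
           "class_maps": {}, "policy_maps": {}}
    block = cur_class = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        tok = line.split()
        if not line.startswith(" "):              # top-level command
            block = cur_class = None
            if tok[0] == "access-list":           # access-list NAME extended ...
                cfg["acls"].setdefault(tok[1], []).append(tok[2:])
            elif tok[0] == "access-group":        # access-group NAME in interface IFACE
                cfg["access_groups"][tok[4]] = tok[1]
            elif tok[0] in ("nat", "global"):     # nat (IF) ID NET MASK / global (IF) ID POOL
                cfg[tok[0]].append(tok[1:])
            elif tok[0] == "class-map":
                block = ("class-map", tok[1])
                cfg["class_maps"].setdefault(tok[1], [])
            elif tok[0] == "policy-map":
                block = ("policy-map", tok[1])
                cfg["policy_maps"].setdefault(tok[1], {})
        elif block and block[0] == "class-map":
            cfg["class_maps"][block[1]].append(tok)
        elif block and block[0] == "policy-map":
            classes = cfg["policy_maps"][block[1]]
            if tok[0] == "class":
                cur_class = tok[1]
                classes.setdefault(cur_class, set())
            elif tok[0] == "inspect" and cur_class:
                classes[cur_class].add(tok[1])
    return cfg


def _addr(tok, i):
    """Parse one ACL address operand at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def acl_permits(cfg, name, proto, src, dst):
    """First-match evaluation of an extended ACL; unmatched traffic is denied."""
    for e in cfg["acls"].get(name, []):
        i = 1 if e[0] == "extended" else 0
        action, p = e[i], e[i + 1]
        s, j = _addr(e, i + 2)
        d, _ = _addr(e, j)
        if p in ("ip", proto) and ipaddress.ip_address(src) in s \
                and ipaddress.ip_address(dst) in d:
            return action == "permit"
    return False


def nat_pair(cfg, iface_in, iface_out, host):
    """True if HOST on IFACE_IN has a nat statement whose id has a global on IFACE_OUT."""
    for n in cfg["nat"]:
        if n[0] != f"({iface_in})":
            continue
        if ipaddress.ip_address(host) in ipaddress.ip_network(f"{n[2]}/{n[3]}", strict=False):
            return any(g[0] == f"({iface_out})" and g[1] == n[1] for g in cfg["global"])
    return False


def icmp_inspected(cfg, src, dst, policy="global_policy"):
    """True if a class of POLICY that has 'inspect icmp' matches an ICMP flow src -> dst."""
    for cls, inspects in cfg["policy_maps"].get(policy, {}).items():
        if "icmp" not in inspects:
            continue
        for m in cfg["class_maps"].get(cls, []):
            if m[:2] == ["match", "default-inspection-traffic"]:
                return True   # assumption: default inspection traffic includes ICMP
            if m[:2] == ["match", "access-list"] and acl_permits(cfg, m[2], "icmp", src, dst):
                return True
    return False


def audit(text, host="192.168.10.5", target="172.23.15.13"):
    """Run the three checks for an assumed inside host pinging an outside target."""
    cfg = parse_config(text)
    return {"acl_permits_echo": acl_permits(cfg, cfg["access_groups"]["inside"], "icmp", host, target),
            "nat_pair": nat_pair(cfg, "inside", "outside1", host),
            "icmp_inspected": icmp_inspected(cfg, host, target)}


if __name__ == "__main__":
    print("as posted:  ", audit(POSTED_CONFIG))
    print("with fixes: ", audit(POSTED_CONFIG + THREAD_FIX))
```

On the config as posted the script reports the echo permitted by acl_inside, no nat/global pair, and no matching inspect icmp; with the two later suggestions appended all three checks pass.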
05-31-2010 03:06 AM
You won't be able to ping the outside interface ip address of the PIX from internal LAN as it is not supported.
From the internal LAN, you can only ping the PIX inside interface, as well as ping through the PIX, i.e. you can ping the next-hop IP address from the outside interface (24.0.0.1).
With PIX/ASA, you can only ping the directly connected interface, i.e. from the internal LAN you can only ping the inside interface, and from outside you can only ping the outside interface.
Hope that helps.
05-31-2010 11:31 PM
Hi Halijenn,
Thanks for the help. My problem is "I can't ping through the PIX", but the same network I can reach if I ping from the outside interface. My topology is as below.
LAN ---- FIREWALL ---- 24.0.0.0/24 ---- ROUTER 1 ---- 23.0.0.0/24 ---- ROUTER 2 ---- 172.23.15.0/24 (LAN) ---- AT&T ROUTER (no access on this router)
Addresses: firewall .2 and Router 1 .1 on 24.0.0.0/24; Router 1 .1 and Router 2 .2 on 23.0.0.0/24; Router 2 .13 and the AT&T router .254 on 172.23.15.0/24.
I don't find any problem with the access-list. Could you tell me if there is anything I can do so I can ping through the firewall? I can ping Router 2's 172.23.15.13 IP address from the outside interface of the PIX but not from the inside interface.
05-31-2010 11:49 PM
Let me put it like this.
The ASA can only "talk" with destinations/sources that are on the interface closer to that source/destination.
You cannot talk from/to the inside interface with a destination which is available from the outside interface.
05-31-2010 11:59 PM
Hi Latosiewicz,
Yes, I can't talk to any destination from the inside interface which I can talk to from the outside interface, so the problem is my LAN users can't reach any destination.
Any suggestions?
thanks
06-01-2010 12:05 AM
Is it your LAN users or the ASA itself having problems accessing those hosts?
Show us some logging, informational level would be a start.
06-01-2010 01:29 AM
You would need to add NAT as well:
nat (inside) 1 192.168.10.0 255.255.255.0
global (outside1) 1 interface
Hope that helps.
06-01-2010 05:41 AM
Hi halijenn,
I configured the suggested NAT config but still have the same problem. Find below the show run output to help you understand where I am wrong.
Thanks for all your help.
06-01-2010 05:49 AM
Did you perform "clear xlate" after adding the nat/global statements? if not, please perform "clear xlate".
Then you might also want to add icmp inspection globally:
policy-map global_policy
class inspection_default
inspect icmp
Please try to ping the following from an inside host and advise if it's successful:
ping 24.0.0.1
ping 23.0.0.1
06-01-2010 06:34 AM
Hi halijenn,
It was a great help, thank you very much.
I didn't understand two things: why do I need to run the clear xlate command, and why do we have to inspect ICMP?
Thanks,
Hasmukh
06-01-2010 06:49 AM
Hi,
The ''clear xlate'' command is to clear the translation table on the PIX/ASA.
If you're modifying the NAT configuration somehow, you should refresh the dynamic NAT table with the ''clear xlate'' command.
Alternatively, if you don't want to refresh the entire table, you can clear specific IPs from the table with the ''clear xlate local x.x.x.x'' command.
The ''inspect icmp'' command is needed for the ASA to keep track of the ICMP connection and therefore allow the PING echo-reply back.
The ASA by default inspects only TCP and UDP traffic to allow the return packets.
To be able to inspect ICMP as well you need the command ''inspect icmp''.
Federico.
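A toy model of the runtime behaviour Federico describes, added as an example for this page (it is not the ASA's code path and not from the thread). It simulates one outbound ping through a two-interface pre-8.3 firewall with dynamic PAT to the outside1 address 24.0.0.2, with and without inspect icmp, and shows what clear xlate does to the tables. Assumptions: a conn entry is consulted before the inbound interface ACL, an ICMP conn is only created when the echo request was inspected, the outside ACL is icmpacl from the question (permit icmp any to 192.168.10.0/24) evaluated against the post-PAT global address, and the host addresses 192.168.10.5 and 172.23.15.13 are constructed.

```python
"""Added toy model: an outbound ping through a pre-8.3 PIX/ASA with
dynamic PAT, with and without 'inspect icmp'.  Simplified on purpose."""
import ipaddress
import itertools

INSIDE_NET = ipaddress.ip_network("192.168.10.0/24")   # from the posted config
OUTSIDE_IP = "24.0.0.2"                                # outside1 address, used for PAT


def outside_acl_permits(dst):
    """icmpacl from the question: 'permit icmp any 192.168.10.0 255.255.255.0'.
    Assumption: the inbound ACL sees the global (post-PAT) destination address."""
    return ipaddress.ip_address(dst) in INSIDE_NET


class Firewall:
    def __init__(self, inspect_icmp):
        self.inspect_icmp = inspect_icmp
        self.xlate = {}                   # (inside_ip, icmp_id) -> global icmp_id
        self.conns = set()                # (global_ip, global_id, peer_ip)
        self._ids = itertools.count(1024) # PAT identifier allocator (assumed)
        self.log = []

    def clear_xlate(self):
        """'clear xlate': translations and the conns that ride on them go away."""
        self.xlate.clear()
        self.conns.clear()
        self.log.append("xlate table cleared")

    def outbound_echo(self, src, dst, icmp_id):
        """Echo request from the inside; returns the (global ip, global id) the peer sees."""
        key = (src, icmp_id)
        if key not in self.xlate:
            self.xlate[key] = next(self._ids)           # dynamic PAT allocation
        gid = self.xlate[key]
        if self.inspect_icmp:                            # only an inspected echo gets a conn
            self.conns.add((OUTSIDE_IP, gid, dst))
        self.log.append(f"echo {src} id {icmp_id} -> {dst} sent as {OUTSIDE_IP} id {gid}")
        return OUTSIDE_IP, gid

    def inbound_reply(self, src, dst, icmp_id):
        """Echo reply arriving on outside1; returns the inside host it reaches, or None."""
        if (dst, icmp_id, src) in self.conns:            # established conn bypasses the ACL
            inside = self._untranslate(icmp_id)
            self.log.append(f"reply from {src} matched conn -> delivered to {inside}")
            return inside
        if outside_acl_permits(dst):                     # no conn: the interface ACL decides
            self.log.append(f"reply from {src} permitted by ACL to real address {dst}")
            return dst                                   # untranslated destination
        self.log.append(f"reply from {src} to {dst} id {icmp_id} dropped: no conn, ACL deny")
        return None

    def _untranslate(self, gid):
        for (inside_ip, _), g in self.xlate.items():
            if g == gid:
                return inside_ip
        return None


def ping(fw, src, dst, icmp_id=7):
    """Full request/reply exchange; True when the reply reaches the inside host."""
    gip, gid = fw.outbound_echo(src, dst, icmp_id)
    return fw.inbound_reply(dst, gip, gid) == src


if __name__ == "__main__":
    for flag in (False, True):
        fw = Firewall(inspect_icmp=flag)
        print(f"inspect icmp={flag}: ping ok={ping(fw, '192.168.10.5', '172.23.15.13')}")
        print("\n".join("  " + entry for entry in fw.log))
```

Without inspection the reply addressed to 24.0.0.2 finds no conn and fails the outside ACL, so it is dropped; with inspection it matches the conn created by the request and is untranslated back to 192.168.10.5. After clear_xlate the same reply is dropped again until a new request rebuilds the state.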