CANNOT PING OUTSIDE INTERFACE

r.kate
Level 1

Hi,

I am new to this PIX environment, so please excuse me.

Anyway, I have a PIX with two interfaces. I can ping from any host on the inside network to any host on the outside network, but I cannot ping the outside interface itself. Debug shows the outbound traffic, but no inbound reply.

Any ideas?

Regards

9 Replies

steve.barlow
Level 7

You can't ping the outside PIX interface from the inside network - that is normal behaviour. The PIX will only allow you to ping the local interface, not across to another interface (security issues, remember the PIX isn't a router).

Hope it helps.

Steve

Steve-

I was under the impression that you could configure an ICMP conduit command that would allow ping access.

Please educate me on this issue.

Thanks-

Mark English

englishm@charter.net

Sorry for the confusion.

You can ping through the PIX (with a conduit or an access-list) to a host/device on any interface from any interface. You can also ping the PIX interface that you are connected to. But you can't ping a PIX interface that you aren't local/connected to. For example, a host on the inside can ping the inside interface, but a host on the inside can't ping the DMZ or outside interface. In other words, the first interface that you hit on the pix is the only interface you can ping.

For example:

pixfirewall# sh ip
System IP Addresses:
ip address outside x.x.x.250 255.255.255.248
ip address SOC 10.0.0.1 255.255.255.0
ip address DMZ 10.10.10.1 255.255.255.0
ip address inside 10.200.200.1 255.255.255.0
ip address VPN 172.31.0.1 255.255.0.0
ip address intf5 127.0.0.1 255.255.255.255
Current IP Addresses:
ip address outside x.x.x.250 255.255.255.248
ip address SOC 10.0.0.1 255.255.255.0
ip address DMZ 10.10.10.1 255.255.255.0
ip address inside 10.200.200.1 255.255.255.0
ip address VPN 172.31.0.1 255.255.0.0
ip address intf5 127.0.0.1 255.255.255.255

Now from my PC on the inside I can ping the inside interface:

C:\>ping 10.200.200.1

Pinging 10.200.200.1 with 32 bytes of data:

Reply from 10.200.200.1: bytes=32 time<1ms TTL=255
Reply from 10.200.200.1: bytes=32 time<1ms TTL=255
Reply from 10.200.200.1: bytes=32 time<1ms TTL=255
Reply from 10.200.200.1: bytes=32 time<1ms TTL=255

Ping statistics for 10.200.200.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

I can ping through the PIX to a host on the SOC interface network:

C:\>ping 10.0.0.111

Pinging 10.0.0.111 with 32 bytes of data:

Reply from 10.0.0.111: bytes=32 time<1ms TTL=255
Reply from 10.0.0.111: bytes=32 time<1ms TTL=255
Reply from 10.0.0.111: bytes=32 time<1ms TTL=255
Reply from 10.0.0.111: bytes=32 time<1ms TTL=255

Ping statistics for 10.0.0.111:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

But I can't ping the SOC interface:

C:\>ping 10.0.0.1

Pinging 10.0.0.1 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.0.0.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\>

pixfirewall# debug icmp trace
ICMP trace on
Warning: this may cause problems on busy networks
pixfirewall#
43: ICMP echo request (len 32 id 2 seq 7175) 10.200.200.80 > 10.200.200.1
44: ICMP echo reply (len 32 id 2 seq 7175) 10.200.200.1 > 10.200.200.80
45: ICMP echo request (len 32 id 2 seq 7431) 10.200.200.80 > 10.200.200.1
46: ICMP echo reply (len 32 id 2 seq 7431) 10.200.200.1 > 10.200.200.80
47: ICMP echo request (len 32 id 2 seq 7687) 10.200.200.80 > 10.200.200.1
48: ICMP echo reply (len 32 id 2 seq 7687) 10.200.200.1 > 10.200.200.80
49: ICMP echo request (len 32 id 2 seq 7943) 10.200.200.80 > 10.200.200.1
50: ICMP echo reply (len 32 id 2 seq 7943) 10.200.200.1 > 10.200.200.80
59: Outbound ICMP echo request (len 32 id 2 seq 8199) 10.200.200.80 > 10.200.200.80 > 10.0.0.1
60: Outbound ICMP echo request (len 32 id 2 seq 8455) 10.200.200.80 > 10.200.200.80 > 10.0.0.1
67: Outbound ICMP echo request (len 32 id 2 seq 8711) 10.200.200.80 > 10.200.200.80 > 10.0.0.1
68: Outbound ICMP echo request (len 32 id 2 seq 8967) 10.200.200.80 > 10.200.200.80 > 10.0.0.1
85: Outbound ICMP echo request (len 32 id 2 seq 10759) 10.200.200.80 > 10.200.200.80 > 10.0.0.111
86: Inbound ICMP echo reply (len 32 id 2 seq 10759) 10.0.0.111 > 10.200.200.80 > 10.200.200.80
91: Outbound ICMP echo request (len 32 id 2 seq 11015) 10.200.200.80 > 10.200.200.80 > 10.0.0.111
92: Inbound ICMP echo reply (len 32 id 2 seq 11015) 10.0.0.111 > 10.200.200.80 > 10.200.200.80
93: Outbound ICMP echo request (len 32 id 2 seq 11271) 10.200.200.80 > 10.200.200.80 > 10.0.0.111
94: Inbound ICMP echo reply (len 32 id 2 seq 11271) 10.0.0.111 > 10.200.200.80 > 10.200.200.80
95: Outbound ICMP echo request (len 32 id 2 seq 11527) 10.200.200.80 > 10.200.200.80 > 10.0.0.111
96: Inbound ICMP echo reply (len 32 id 2 seq 11527) 10.0.0.111 > 10.200.200.80 > 10.200.200.80
pixfirewall# no debu icm trac
ICMP trace off

Hope it helps.

Steve

Steve,

Could you please clarify the icmp command on PIX Firewall software version 6.2? From my understanding of this command, a host on the inside can be allowed to ping the outside interface.

John

The icmp command allows or prevents you from pinging a PIX interface. In other words, you can or can't ping the outside interface (for example) itself, depending on the command. If no ICMP command is configured, then the PIX accepts all ICMP traffic that terminates at any interface (including the outside interface).

An access-list lets you ping through the PIX (for example to an inside host).

However, neither allows you to ping across to another interface (for example, from the inside network to the outside interface).

Steve

But how do you explain the following example from the 6.2 command book:

3. Permit host 172.16.2.15 or hosts on subnet 172.22.1.0/16 to ping the outside interface:

icmp permit host 172.16.2.15 echo-reply outside
icmp permit 171.22.1.0 255.255.255.0 echo-reply outside
icmp permit any unreachable outside

Those commands allow that host or subnet to ping the outside interface of the PIX. With those commands in place, no one else will be able to ping the outside. If you don't specify those commands (i.e. the default), everyone on the outside can ping the outside interface, but now in your example only those IPs specified can. This command limits who can ping the PIX interfaces. By default everyone can - again, from Cisco: "If no ICMP control list is configured, then the PIX Firewall accepts all ICMP traffic that terminates at any interface (including the outside interface)."

Those IPs specified will only work if they are on the outside. Even if you enter those commands and ping from the inside with a source IP of those IPs, it won't work.

Test it for yourself to see. (my test below)

pixfirewall(config)# sh icmp
icmp permit host 10.200.200.80 echo-reply SOC
pixfirewall(config)#
pixfirewall(config)# debug icmp trace
ICMP trace on
Warning: this may cause problems on busy networks
97: Outbound ICMP echo request (len 32 id 2 seq 33280) 10.200.200.80 > 10.200.200.80 > 10.0.0.1
104: Outbound ICMP echo request (len 32 id 2 seq 33536) 10.200.200.80 > 10.200.200.80 > 10.0.0.1
105: Outbound ICMP echo request (len 32 id 2 seq 33792) 10.200.200.80 > 10.200.200.80 > 10.0.0.1
106: Outbound ICMP echo request (len 32 id 2 seq 34048) 10.200.200.80 > 10.200.200.80 > 10.0.0.1

C:\>ping 10.0.0.1

Pinging 10.0.0.1 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.0.0.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\>

Steve
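The two rules Steve spells out above (an interface answers only echoes that arrive on that same interface, and the `icmp` control list then decides which sources may ping it, with an empty list meaning accept all) can be checked with a small model. The following is an added illustration written for this page, not Cisco code: it reuses the interface table from the `sh ip` output and the test PC 10.200.200.80 from the thread, assumes a TEST-NET address for the masked outside IP, and reads the control list as "no rules for the interface = accept, otherwise first match wins, unmatched = deny". The model matches ICMP type names literally, so the book-style scenario permits `echo` (the request) rather than copying the `echo-reply` line quoted above.

```python
"""Toy model of how a PIX decides whether to answer an ICMP echo aimed at one
of its own interface addresses. Added for this page; not Cisco code."""
import ipaddress
from dataclasses import dataclass

# Interface table taken from the `sh ip` output in the thread. The outside
# address is masked as x.x.x.250 in the post; a TEST-NET value is assumed.
INTERFACES = {
    "outside": ipaddress.ip_interface("203.0.113.250/29"),
    "SOC": ipaddress.ip_interface("10.0.0.1/24"),
    "DMZ": ipaddress.ip_interface("10.10.10.1/24"),
    "inside": ipaddress.ip_interface("10.200.200.1/24"),
    "VPN": ipaddress.ip_interface("172.31.0.1/16"),
}


@dataclass(frozen=True)
class IcmpRule:
    action: str                     # "permit" or "deny"
    source: ipaddress.IPv4Network   # sources the rule applies to
    icmp_type: str                  # "echo", "echo-reply", "unreachable", ... or "any"
    interface: str                  # interface the ICMP terminates on


def parse_icmp_rule(line):
    """Parse one `icmp permit|deny {any|host A|A mask} [type] <if>` line."""
    tok = line.split()
    if tok[0] != "icmp" or tok[1] not in ("permit", "deny"):
        raise ValueError(f"not an icmp control line: {line!r}")
    action, i = tok[1], 2
    if tok[i] == "any":
        source, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
    elif tok[i] == "host":
        source, i = ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    else:
        source, i = ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2
    rest = tok[i:]
    if len(rest) == 2:
        icmp_type, interface = rest
    elif len(rest) == 1:
        icmp_type, interface = "any", rest[0]
    else:
        raise ValueError(f"cannot parse: {line!r}")
    if interface not in INTERFACES:
        raise ValueError(f"unknown interface {interface!r}")
    return IcmpRule(action, source, icmp_type, interface)


def control_list_allows(src, icmp_type, interface, rules):
    """ICMP control list for one interface: no rules = accept everything,
    otherwise first match wins and an unmatched packet is denied."""
    relevant = [r for r in rules if r.interface == interface]
    if not relevant:
        return True
    for r in relevant:
        if src in r.source and r.icmp_type in ("any", icmp_type):
            return r.action == "permit"
    return False


def evaluate_echo(src_ip, dst_ip, arrival_interface, rules):
    """Fate of an ICMP echo request that arrives on `arrival_interface`.

    "reply"     - dst is the arrival interface's own IP and the list allows it
    "dropped"   - dst is a different PIX interface (never answered)
    "denied"    - dst is the arrival interface but the control list rejects src
    "forwarded" - dst is not a PIX address; access-lists/conduits decide (not modelled)
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    owner = next((n for n, itf in INTERFACES.items() if itf.ip == dst), None)
    if owner is None:
        return "forwarded"
    if owner != arrival_interface:
        return "dropped"   # the debug-trace case: request goes out, no reply
    return "reply" if control_list_allows(src, "echo", owner, rules) else "denied"


def thread_scenarios():
    """Re-run the pings from the thread, plus the book example, against the model."""
    pc = "10.200.200.80"
    steve_test = [parse_icmp_rule("icmp permit host 10.200.200.80 echo-reply SOC")]
    # Book-style list, written with `echo` so it matches the request type.
    book = [parse_icmp_rule("icmp permit host 172.16.2.15 echo outside"),
            parse_icmp_rule("icmp permit 172.22.1.0 255.255.255.0 echo outside"),
            parse_icmp_rule("icmp permit any unreachable outside")]
    out_if = str(INTERFACES["outside"].ip)
    return {
        "inside_pc_to_inside_if": evaluate_echo(pc, "10.200.200.1", "inside", []),
        "inside_pc_to_soc_host": evaluate_echo(pc, "10.0.0.111", "inside", []),
        "inside_pc_to_soc_if": evaluate_echo(pc, "10.0.0.1", "inside", []),
        "inside_pc_to_soc_if_with_permit": evaluate_echo(pc, "10.0.0.1", "inside", steve_test),
        "book_host_from_outside": evaluate_echo("172.16.2.15", out_if, "outside", book),
        "book_subnet_from_outside": evaluate_echo("172.22.1.9", out_if, "outside", book),
        "other_host_from_outside": evaluate_echo("198.51.100.7", out_if, "outside", book),
        "other_host_from_outside_no_list": evaluate_echo("198.51.100.7", out_if, "outside", []),
    }


if __name__ == "__main__":
    for name, result in thread_scenarios().items():
        print(f"{name:34} {result}")
```

Note that `inside_pc_to_soc_if_with_permit` still comes out as "dropped": the cross-interface check runs before the control list is ever consulted, which is exactly what Steve's `sh icmp` / `debug icmp trace` test shows. The control list only matters in the outside-to-outside scenarios, where it narrows the default accept-all down to the listed sources.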

Thanks Steve!!!!!

Side note of interest: when I want to know if my outside interface is picking up the right IP, say from a DSL provider (PPPoE), I telnet into the PIX from inside the network via the inside interface, and in the CLI itself I ping the outside IP that should be connected to the outside interface.

Don't know if that helps or not, but it's an added troubleshooting tool I have used at times, especially to check what's going on with VPDN using PPPoE.
