01-21-2003 09:35 AM - edited 03-09-2019 01:46 AM
Hi,
I am new to this PIX environment, so please excuse me.
Anyway, I have got a PIX with two interfaces. I can ping from any host on the inside network to any host on the outside network, but I cannot ping the outside interface itself. debug shows outbound traffic but no inbound reply.
Any ideas?
regards
01-21-2003 11:04 AM
You can't ping the outside PIX interface from the inside network - that is normal behaviour. The PIX will only allow you to ping the local interface, not across to another interface (security issues, remember the PIX isn't a router).
Hope it helps.
Steve
01-27-2003 11:57 PM
Steve-
I was under the understanding that you could configure the ICMP conduit command, which would allow ping access.
Please educate me on this issue.
Thanks-
Mark English
01-28-2003 05:27 AM
Sorry for the confusion.
You can ping through the PIX (with a conduit or an access-list) to a host/device on any interface from any interface. You can also ping the PIX interface that you are connected to. But you can't ping a PIX interface that you aren't local/connected to. For example, a host on the inside can ping the inside interface, but a host on the inside can't ping the DMZ or outside interface. In other words, the first interface that you hit on the pix is the only interface you can ping.
For example:
pixfirewall# sh ip
System IP Addresses:
ip address outside x.x.x.250 255.255.255.248
ip address SOC 10.0.0.1 255.255.255.0
ip address DMZ 10.10.10.1 255.255.255.0
ip address inside 10.200.200.1 255.255.255.0
ip address VPN 172.31.0.1 255.255.0.0
ip address intf5 127.0.0.1 255.255.255.255
Current IP Addresses:
ip address outside x.x.x.250 255.255.255.248
ip address SOC 10.0.0.1 255.255.255.0
ip address DMZ 10.10.10.1 255.255.255.0
ip address inside 10.200.200.1 255.255.255.0
ip address VPN 172.31.0.1 255.255.0.0
ip address intf5 127.0.0.1 255.255.255.255
Now from my PC on the inside I can ping the inside interface:
C:\>ping 10.200.200.1
Pinging 10.200.200.1 with 32 bytes of data:
Reply from 10.200.200.1: bytes=32 time<1ms TTL=255
Reply from 10.200.200.1: bytes=32 time<1ms TTL=255
Reply from 10.200.200.1: bytes=32 time<1ms TTL=255
Reply from 10.200.200.1: bytes=32 time<1ms TTL=255
Ping statistics for 10.200.200.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
I can ping through the PIX to a host on the SOC interface network:
C:\>ping 10.0.0.111
Pinging 10.0.0.111 with 32 bytes of data:
Reply from 10.0.0.111: bytes=32 time<1ms TTL=255
Reply from 10.0.0.111: bytes=32 time<1ms TTL=255
Reply from 10.0.0.111: bytes=32 time<1ms TTL=255
Reply from 10.0.0.111: bytes=32 time<1ms TTL=255
Ping statistics for 10.0.0.111:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
But I can't ping the SOC interface:
C:\>ping 10.0.0.1
Pinging 10.0.0.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 10.0.0.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\>
pixfirewall# debug icmp trace
ICMP trace on
Warning: this may cause problems on busy networks
pixfirewall#
43: ICMP echo request (len 32 id 2 seq 7175) 10.200.200.80 > 10.200.200.1
44: ICMP echo reply (len 32 id 2 seq 7175) 10.200.200.1 > 10.200.200.80
45: ICMP echo request (len 32 id 2 seq 7431) 10.200.200.80 > 10.200.200.1
46: ICMP echo reply (len 32 id 2 seq 7431) 10.200.200.1 > 10.200.200.80
47: ICMP echo request (len 32 id 2 seq 7687) 10.200.200.80 > 10.200.200.1
48: ICMP echo reply (len 32 id 2 seq 7687) 10.200.200.1 > 10.200.200.80
49: ICMP echo request (len 32 id 2 seq 7943) 10.200.200.80 > 10.200.200.1
50: ICMP echo reply (len 32 id 2 seq 7943) 10.200.200.1 > 10.200.200.80
59: Outbound ICMP echo request (len 32 id 2 seq 8199) 10.200.200.80 > 10.200.200.80 > 10.0.0.1
60: Outbound ICMP echo request (len 32 id 2 seq 8455) 10.200.200.80 > 10.200.200.80 > 10.0.0.1
67: Outbound ICMP echo request (len 32 id 2 seq 8711) 10.200.200.80 > 10.200.200.80 > 10.0.0.1
68: Outbound ICMP echo request (len 32 id 2 seq 8967) 10.200.200.80 > 10.200.200.80 > 10.0.0.1
85: Outbound ICMP echo request (len 32 id 2 seq 10759) 10.200.200.80 > 10.200.200.80 > 10.0.0.111
86: Inbound ICMP echo reply (len 32 id 2 seq 10759) 10.0.0.111 > 10.200.200.80 > 10.200.200.80
91: Outbound ICMP echo request (len 32 id 2 seq 11015) 10.200.200.80 > 10.200.200.80 > 10.0.0.111
92: Inbound ICMP echo reply (len 32 id 2 seq 11015) 10.0.0.111 > 10.200.200.80 > 10.200.200.80
93: Outbound ICMP echo request (len 32 id 2 seq 11271) 10.200.200.80 > 10.200.200.80 > 10.0.0.111
94: Inbound ICMP echo reply (len 32 id 2 seq 11271) 10.0.0.111 > 10.200.200.80 > 10.200.200.80
95: Outbound ICMP echo request (len 32 id 2 seq 11527) 10.200.200.80 > 10.200.200.80 > 10.0.0.111
96: Inbound ICMP echo reply (len 32 id 2 seq 11527) 10.0.0.111 > 10.200.200.80 > 10.200.200.80
pixfirewall# no debu icm trac
ICMP trace off
Hope it helps.
Steve
01-30-2003 03:38 PM
Steve,
Could you please clarify the icmp command on PIX Firewall software version 6.2? From my understanding of this command, a host on the inside can be allowed to ping the outside interface.
John
01-30-2003 04:57 PM
The icmp command allows or prevents you from pinging a PIX interface. In other words, you can or can't ping the outside interface (for example) itself, depending on the command. If no ICMP command is configured, then the PIX accepts all ICMP traffic that terminates at any interface (including the outside interface).
An access-list lets you ping through the PIX (for example to an inside host).
However, neither allows you to ping across to another interface (for example, from the inside network to the outside interface).
Steve
01-30-2003 07:14 PM
But how do you explain the following example from the 6.2 command book:
3. Permit host 172.16.2.15 or hosts on subnet 172.22.1.0/16 to ping the outside interface:
icmp permit host 172.16.2.15 echo-reply outside
icmp permit 171.22.1.0 255.255.255.0 echo-reply outside
icmp permit any unreachable outside
01-31-2003 05:45 AM
Those commands allow that host or subnet to ping the outside interface of the PIX. With those commands in place, no one else will be able to ping the outside. If you don't specify those commands (i.e. the default), everyone on the outside can ping the outside interface, but now in your example only those IPs specified can. This command limits who can ping the PIX interfaces. By default everyone can - again from Cisco: "If no ICMP control list is configured, then the PIX Firewall accepts all ICMP traffic that terminates at any interface (including the outside interface)."
Those IPs specified will only work if they are on the outside. Even if you enter those commands and ping from the inside with a source IP of those IPs, it won't work.
Test it for yourself to see. (my test below)
pixfirewall(config)# sh icmp
icmp permit host 10.200.200.80 echo-reply SOC
pixfirewall(config)#
pixfirewall(config)# debug icmp trace
ICMP trace on
Warning: this may cause problems on busy networks
97: Outbound ICMP echo request (len 32 id 2 seq 33280) 10.200.200.80 > 10.200.200.80 > 10.0.0.1
104: Outbound ICMP echo request (len 32 id 2 seq 33536) 10.200.200.80 > 10.200.200.80 > 10.0.0.1
105: Outbound ICMP echo request (len 32 id 2 seq 33792) 10.200.200.80 > 10.200.200.80 > 10.0.0.1
106: Outbound ICMP echo request (len 32 id 2 seq 34048) 10.200.200.80 > 10.200.200.80 > 10.0.0.1
C:\>ping 10.0.0.1
Pinging 10.0.0.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 10.0.0.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\>
Steve
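The two debug icmp trace captures Steve pasted above (the first in his 01-28 post, the second just above) are read the same way: pair each echo request with a reply carrying the same id/seq, and whatever is left unpaired is the problem. The following is an added example, not code from the thread or from Cisco: a small Python parser for that trace format that does the pairing and then explains each unanswered request against the interface table from Steve's sh ip output and the icmp control list from his sh icmp output. Assumptions: the outside address is a placeholder (the thread elides it as x.x.x.250), the sample trace lines are constructed in the page's format (one extra line for a SOC-side host is invented to exercise the local-interface case), and the icmp control list is modelled as first match wins with an implicit deny when the list is non-empty and permit-all when it is empty, with an ICMP type of "any" standing in for a rule that names no type.

```python
import re
from collections import OrderedDict
from ipaddress import ip_address, ip_network

# Constructed sample in the format of PIX 6.x "debug icmp trace" output.
# The last line (id 3, seq 1) is invented: a SOC-side host pinging the SOC interface.
SAMPLE_TRACE = """\
43: ICMP echo request (len 32 id 2 seq 7175) 10.200.200.80 > 10.200.200.1
44: ICMP echo reply (len 32 id 2 seq 7175) 10.200.200.1 > 10.200.200.80
59: Outbound ICMP echo request (len 32 id 2 seq 8199) 10.200.200.80 > 10.200.200.80 > 10.0.0.1
60: Outbound ICMP echo request (len 32 id 2 seq 8455) 10.200.200.80 > 10.200.200.80 > 10.0.0.1
85: Outbound ICMP echo request (len 32 id 2 seq 10759) 10.200.200.80 > 10.200.200.80 > 10.0.0.111
86: Inbound ICMP echo reply (len 32 id 2 seq 10759) 10.0.0.111 > 10.200.200.80 > 10.200.200.80
97: ICMP echo request (len 32 id 3 seq 1) 10.0.0.5 > 10.0.0.1
"""

# Interface table from the thread's "sh ip" output; 192.0.2.250 is a placeholder
# for the elided outside address (assumption).
INTERFACES = OrderedDict([
    ("outside", "192.0.2.250/29"),
    ("SOC", "10.0.0.1/24"),
    ("DMZ", "10.10.10.1/24"),
    ("inside", "10.200.200.1/24"),
    ("VPN", "172.31.0.1/16"),
])

# icmp control list from the thread's "sh icmp": (action, source network, type, interface).
ICMP_LIST = [("permit", "10.200.200.80/32", "echo-reply", "SOC")]

LINE_RE = re.compile(
    r"^(?P<n>\d+): (?:(?P<dir>Outbound|Inbound) )?ICMP echo (?P<kind>request|reply) "
    r"\(len (?P<len>\d+) id (?P<id>\d+) seq (?P<seq>\d+)\) (?P<hops>.+)$"
)


def parse_line(line):
    """Parse one trace line; returns None for anything that is not an echo request/reply."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Through-the-PIX lines show "src > translated > dst"; the real endpoints are the
    # first and last address, so this works for the two- and three-address forms.
    hops = [h.strip() for h in m.group("hops").split(">")]
    return {"n": int(m.group("n")), "kind": m.group("kind"), "id": int(m.group("id")),
            "seq": int(m.group("seq")), "src": hops[0], "dst": hops[-1]}


def unanswered_requests(trace):
    """Pair requests with replies by (id, seq, endpoints); return requests never answered."""
    pending = OrderedDict()
    for line in trace.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "request":
            pending[(rec["id"], rec["seq"], rec["src"], rec["dst"])] = rec
        else:
            pending.pop((rec["id"], rec["seq"], rec["dst"], rec["src"]), None)
    return list(pending.values())


def interface_for(addr, interfaces):
    """Name of the interface whose subnet contains addr, or None."""
    ip = ip_address(addr)
    for name, cidr in interfaces.items():
        if ip in ip_network(cidr, strict=False):
            return name
    return None


def icmp_list_allows(rules, src, icmp_type, iface):
    """Empty list: all ICMP to the interface is accepted. Otherwise first match wins,
    with an implicit deny at the end (modelling assumption, see lead-in)."""
    if not rules:
        return True
    ip = ip_address(src)
    for action, net, typ, ifname in rules:
        if ifname == iface and typ in (icmp_type, "any") and ip in ip_network(net, strict=False):
            return action == "permit"
    return False


def diagnose(rec, interfaces, icmp_rules):
    """Explain why an echo request in the trace got no reply."""
    dst_if = next((n for n, c in interfaces.items() if c.split("/")[0] == rec["dst"]), None)
    src_if = interface_for(rec["src"], interfaces)
    if dst_if is None:
        return "host %s did not answer (host down, or ICMP blocked on the reply path)" % rec["dst"]
    if src_if != dst_if:
        return ("%s is the PIX %s interface but the source is on %s: the PIX answers only "
                "the interface the host is connected to" % (rec["dst"], dst_if, src_if))
    if not icmp_list_allows(icmp_rules, rec["src"], "echo", dst_if):
        return "echo to the local %s interface is dropped by the icmp control list" % dst_if
    return "echo to the local %s interface was permitted but not answered" % dst_if


if __name__ == "__main__":
    for r in unanswered_requests(SAMPLE_TRACE):
        print("line %d seq %d: %s" % (r["n"], r["seq"], diagnose(r, INTERFACES, ICMP_LIST)))
```

Run on the constructed trace, the two requests to 10.0.0.1 from the inside host are reported as pings to a non-local interface, and the invented SOC-side request is reported as dropped by the control list, because the list in Steve's test permits only echo-reply and so implicitly denies the echo request itself.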
01-31-2003 06:44 AM
Thanks Steve!!!!!
01-31-2003 08:36 AM
Side note of interest. When I want to know if my outside interface is picking up the right IP, say from a DSL provider (PPPoE), I telnet into the PIX from inside the network via the inside interface, and in the CLI itself I ping the outside IP that should be connected to the outside interface.
Don't know if that helps or not, but it's an added troubleshooting tool I have used at times, especially to check what's going on with VPDN using PPPoE.