icmp problem on 515E

nki
Level 1

internet---r1--pix---r2--3512---lan.

We are able to ping from the LAN (high level) to the Internet, but an outside host (low level), and my r1, could not ping either the inside PIX or the LAN.

my access-list is configured to allow icmp traffic from outside to LAN.

Here is my PIX input:

PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 dmz2 security10
enable password encrypted
passwd encrypted
hostname Pix515
domain-name
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any source-quench
access-list 102 permit icmp any any unreachable
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any host 192.168.1.2 echo
pager lines 24
logging on
logging buffered errors
logging trap debugging
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu dmz2 1500
ip address outside 192.168.1.1 255.255.255.0
ip address inside 172.16.1.1 255.255.255.0
ip address dmz 172.16.128.1 255.255.255.0
no ip address dmz2
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
no failover ip address dmz2
pdm history enable
arp timeout 7200
global (outside) 1 192.168.1.50-192.168.1.253
global (outside) 1 192.168.1.254
nat (inside) 1 10.0.0.0 255.255.255.0 0 0
access-group 102 in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.2 1
route inside 10.0.0.0 255.255.255.0 172.16.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server tacacs+ protocol tacacs+
aaa-server tacacs+ max-failed-attempts 3
aaa-server tacacs+ deadtime 10
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
crypto ipsec security-association lifetime seconds 2700
telnet 172.16.1.2 255.255.255.255 inside
telnet 192.168.1.2 255.255.255.255 inside
telnet 10.0.0.2 255.255.255.255 inside
telnet 10.0.0.3 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3000
dhcpd ping_timeout 750
dhcpd domain
dhcpd auto_config outside
terminal width 80
Cryptochecksum:: end
Pix515#

Thanks in advance

sig

1 Accepted Solution

Federico's post should help you configure the statics. Also when I meant "from outside to inside you will need a public IP" I really meant from the internet.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus


thisisshanky
Level 11

Where are the static commands? You cannot ping from outside to inside without using a public IP. Otherwise the host on the Internet has to use a VPN to the PIX and then ping the host behind r2.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

Hei

access-list 102 permit icmp any host 192.168.1.2 echo

access-group 102 in interface outside

With this access-list, as I have read, I could ping from r1 to the LAN.

How should I configure the static commands in order to ping from r1 to the LAN???

Thanks thisisshanky


Hello:

See this document

http://www.cisco.com/warp/public/110/31.html

As an example, you can try this:

You will not be able to ping from the outside with your present configuration.

What you can do is try the following configuration.

The "static" statements will allow you to map two global IP addresses to your inside router IPs.

The first static will map the global IP 192.168.1.3 to r2 (172.16.1.2) and the second static will map the global IP 192.168.1.4 to the IP address of r2 on network 10.0.0.0.

static (inside,outside) 192.168.1.3 172.16.1.2 netmask 255.255.255.255 0 0

static (inside,outside) 192.168.1.3 10.0.0.1 netmask 255.255.255.255 0 0

access-list ACL-INBOUND permit icmp any host 192.168.1.3 echo

access-list ACL-INBOUND permit icmp any host 192.168.1.3 echo

access-group ACL-INBOUND in interface outside

Let me know how it goes.

Sorry for the typo, the second statement has 192.168.1.4 for the global IP:

static (inside,outside) 192.168.1.3 172.16.1.2 netmask 255.255.255.255 0 0

static (inside,outside) 192.168.1.4 10.0.0.1 netmask 255.255.255.255 0 0

access-list ACL-INBOUND permit icmp any host 192.168.1.3 echo

access-list ACL-INBOUND permit icmp any host 192.168.1.4 echo

access-group ACL-INBOUND in interface outside

Hei

access-list 102 permit icmp any any echo-reply

access-list 102 permit icmp any any source-quench

access-list 102 permit icmp any any unreachable

access-list 102 permit icmp any any time-exceeded

access-list 102 permit icmp any host 192.168.1.2 echo

static (inside,outside) 192.168.1.3 172.16.1.2 netmask 255.255.255.255 0 0

static (inside,outside) 192.168.1.4 10.0.0.1 netmask 255.255.255.255 0 0

access-list 102 permit icmp any host 192.168.1.3 echo

access-list 102 permit icmp any host 192.168.1.4 echo

access-group 102 in interface outside

I still couldn't ping my LAN.

access-group ACL-INBOUND in interface outside#access-group 102 in interface outside

Are you pinging from R1 to the LAN or from the Internet?

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

Hei

I am pinging from R1, not from the Internet.

I want to have connectivity between router r1 and all devices in the LAN, r2 and the inside PIX.

Regards

Hello:

Well, this is just a workaround, a partial solution. With the configuration I posted previously you should be able to ping 192.168.1.3 and 192.168.1.4 and get a response without a problem.

In order to do what you request, you will have to map every local (inside) address to a global (outside) address, which is very impractical.

Please read this document.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

With your config, you should only be able to ping 172.16.1.2 and 10.0.0.1 (192.168.1.3 and .4). As Federico suggested, you will have to have a one-to-one mapping, which does not sound like a feasible solution.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus
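To make the static/xlate behaviour that Federico and Sankar describe concrete, here is a small Python model (added here; not part of the thread and not PIX code) of the last config nki posted. It assumes a shortened global pool of two addresses and uses a constructed LAN host 10.0.0.5.

```python
# Constructed model of how the PIX 6.3 config in this thread handles ICMP. An
# inbound packet on "outside" must pass the access-group ACL and then match a
# translation (xlate): a static, or one created earlier by outbound NAT.
# Addresses are the thread's; nothing here talks to a real PIX.

STATICS = {"192.168.1.3": "172.16.1.2", "192.168.1.4": "10.0.0.1"}  # global -> local
NAT_INSIDE = "10.0.0."                          # nat (inside) 1 10.0.0.0 255.255.255.0
GLOBAL_POOL = ["192.168.1.50", "192.168.1.51"]  # global (outside) 1 pool, shortened

# access-list 102 as in the last posted config: (icmp type, destination or "any")
ACL_OUTSIDE_IN = [
    ("echo-reply", "any"), ("source-quench", "any"), ("unreachable", "any"),
    ("time-exceeded", "any"), ("echo", "192.168.1.2"),
    ("echo", "192.168.1.3"), ("echo", "192.168.1.4"),
]


class Pix:
    def __init__(self):
        self.xlates = dict(STATICS)   # global -> local; statics never expire
        self.free = list(GLOBAL_POOL)

    def outbound(self, src):
        """Inside -> outside (high to low security): no ACL is consulted, but
        the source needs a translation. Returns the global address used."""
        for glob, local in self.xlates.items():
            if local == src:
                return glob
        if not src.startswith(NAT_INSIDE) or not self.free:
            return None               # no nat rule for src, or pool exhausted
        glob = self.free.pop(0)
        self.xlates[glob] = src       # dynamic xlate, reused by the echo-reply
        return glob

    def inbound(self, dst, icmp_type):
        """Outside -> inside (low to high): ACL first, then an xlate for dst.
        A permitted packet with no xlate is still dropped, which is why the
        original permit for echo to 192.168.1.2 (the outside gateway in the
        route statement) never reaches any inside host."""
        if not any(t == icmp_type and d in ("any", dst) for t, d in ACL_OUTSIDE_IN):
            return "deny: access-group 102 in interface outside"
        if dst in self.xlates:
            return "deliver to " + self.xlates[dst]
        return "drop: no translation group found for " + dst


if __name__ == "__main__":
    pix = Pix()
    g = pix.outbound("10.0.0.5")                # LAN host pings the Internet
    print(g, pix.inbound(g, "echo-reply"))      # reply comes back via the xlate
    print(pix.inbound("192.168.1.3", "echo"))   # r1 -> static -> 172.16.1.2
    print(pix.inbound("172.16.1.2", "echo"))    # deny: no ACL line for a local IP
```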

That's correct, to ping 172.16.2.1 I have to use its mapped IP address 192.168.1.3 (I see it from debug icmp trace).

Thanks for your successful help.

Isn't it possible to ping LAN IP addresses directly from outside the PIX???