ICMP problem

amit_shalini
Level 1

I am able to ping from the interface with the low security level to the high security level, but not able to ping from the high security level interface to the low security level interface.

My low security level interface has the IP address 10.1.0.254/255.255.248.0 and the high security level interface has the IP address 10.3.1.2/255.255.248.0.

This high security level interface is connected to a router's Ethernet port with IP address 10.3.1.1/255.255.248.0. There are 4 sites terminated at the router by serial interfaces.

One of these sites has the internal IP address range 10.2.16.0/255.255.248.0, i.e. 10.2.16.1 to 10.2.23.254. I am able to ping any machine of this site from my LAN (IP address range 10.1.0.0/255.255.248.0, i.e. 10.1.0.1 to 10.1.7.254), but the other sites' machines are not able to ping my site.

The main configuration lines related to the issue are:

nameif ethernet2 lanside security0

nameif ethernet3 wanside security90

ip address lanside 10.1.0.254 255.255.248.0

ip address wanside 10.3.1.2 255.255.248.0

static (wanside,lanside) 10.2.16.0 10.2.16.0 netmask 255.255.248.0

route wanside 10.2.16.0 255.255.248.0 10.3.1.1 1

access-list wanside_in permit icmp any any

access-list lanside_in permit icmp any any

access-group wanside_in in interface wanside

access-group lanside_in in interface inside

Please help me with this.

4 Replies

jmia
Level 7

Have you checked this document:

http://www.cisco.com/warp/public/110/31.html

Jay

Yes, I have already read it.

What I understand from this documentation is that first you have to create a static mapping, as you are coming from outside (low security) to inside (high security). Then you have to create an access-list and apply it on the outside interface.

In my scenario I am able to ping from lanside (low security) to wanside (high security), but wanside machines (high security) are not able to ping my lanside (low security) machines.

I have given the static mapping:

static (wanside,lanside) 10.2.16.0 10.2.16.0 netmask 255.255.248.0

access-list wanside_in permit icmp any any

access-group wanside_in in interface wanside

But users on the remote WAN site are not able to ping my LAN machines.

I am able to ping their machines.

Might it be that you have a routing issue, and the host that you want to ping simply does not know where to send the ICMP echo-reply back?

Remember: ICMP is not a stateful protocol; to allow ping through the PIX you need to add additional lines to the access-list on your (lower security level) interface!

You have done this with a permit icmp any any.

It might be interesting to see what the Cisco packet sniffer (capture command) sees on the PIX.

----- INFO ------------------------------

See: Handling ICMP Pings with the PIX Firewall

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

The PIX and the traceroute Command

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800e9312.shtml

examples:

Traceroute

Microsoft:

access-group 101 in interface outside

access-list 101 permit icmp any host YourPublicIP unreachable

access-list 101 permit icmp any host YourPublicIP time-exceeded

access-list 101 permit icmp any host YourPublicIP echo-reply

UNIX:

access-group 101 in interface outside

access-list 101 permit icmp any host YourPublicIP unreachable

access-list 101 permit icmp any host YourPublicIP time-exceeded

ICMP command example

icmp deny any outside

icmp permit any echo-reply outside

icmp permit any echo-reply inside

icmp permit host 192.168.1.30 echo inside

icmp permit host 192.168.1.31 echo inside

icmp permit host 192.168.1.20 echo inside

icmp permit host 192.168.1.40 echo inside

icmp permit host 192.168.1.100 echo inside

Sincerely

Patrick
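To make the "ICMP is not stateful on the PIX" point checkable, here is an added example (written for this page; it is not code from Cisco or from anyone in the thread): a small Python model of how a PIX 6.x decides an ICMP packet. Through-the-box traffic is judged per packet by the inbound access-group on the ingress interface, with an implicit deny at the end, and by the security-level default (higher to lower allowed, lower to higher denied) when no access-list is bound; an echo-reply is just another packet, so a ping only works when the echo and the reply each pass on their own (stateful ICMP inspection only arrived with `inspect icmp` in PIX 7.0). Traffic addressed to the PIX itself is judged by the `icmp` command list instead, first match wins, so a `deny any` line belongs last. The interface layout (lanside security0, wanside security90, `permit icmp any any` inbound on wanside), the sample hosts, the no-NAT simplification and the implicit deny after a configured `icmp` list are assumptions of this model, not facts from the thread.

```python
# Added example, not Cisco's code nor any poster's configuration.
# Assumptions: NAT/static translation is ignored, only inbound access-groups
# exist (all PIX 6.x supports), and a configured `icmp` list ends in a deny.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


def in_net(addr: str, spec: str) -> bool:
    """'any' or a network such as 10.1.0.0/21 (or 10.1.0.0/255.255.248.0)."""
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


@dataclass
class Ace:
    """One access-list line: permit|deny icmp <src> <dst> [icmp-type]."""
    action: str
    src: str
    dst: str
    icmp_type: Optional[str] = None          # None = every ICMP type

    def matches(self, src: str, dst: str, icmp_type: str) -> bool:
        return (in_net(src, self.src) and in_net(dst, self.dst)
                and self.icmp_type in (None, icmp_type))


@dataclass
class Interface:
    name: str
    security: int
    acl: Optional[List[Ace]] = None          # None = no access-group bound


@dataclass
class IcmpRule:
    """One `icmp permit|deny <src> [icmp-type] <if_name>` line (to-the-box)."""
    action: str
    src: str
    iface: str
    icmp_type: Optional[str] = None


class Pix:
    def __init__(self, interfaces: List[Interface], icmp_rules=()):
        self.ifs = {i.name: i for i in interfaces}
        self.icmp_rules = list(icmp_rules)

    def through(self, ingress: str, egress: str, src: str, dst: str, icmp_type: str) -> bool:
        """One ICMP packet entering `ingress` and leaving via `egress`.
        No connection state: a reply is judged exactly like any other packet."""
        inb, out = self.ifs[ingress], self.ifs[egress]
        if inb.acl is not None:
            for ace in inb.acl:
                if ace.matches(src, dst, icmp_type):
                    return ace.action == "permit"
            return False                     # implicit deny at end of a bound ACL
        # No ACL bound: higher-to-lower security allowed, lower-to-higher denied.
        return inb.security > out.security

    def ping(self, ingress: str, egress: str, src: str, dst: str) -> bool:
        """A ping works only if the echo AND the echo-reply each pass on their own."""
        echo_ok = self.through(ingress, egress, src, dst, "echo")
        reply_ok = self.through(egress, ingress, dst, src, "echo-reply")
        return echo_ok and reply_ok

    def to_box(self, iface: str, src: str, icmp_type: str) -> bool:
        """ICMP addressed to the PIX itself: first matching `icmp` line wins.
        Model assumption: lines exist for the interface but none match -> deny;
        no line mentions the interface at all -> permit (no icmp command configured)."""
        rules = [r for r in self.icmp_rules if r.iface == iface]
        for r in rules:
            if in_net(src, r.src) and r.icmp_type in (None, icmp_type):
                return r.action == "permit"
        return not rules


def build(lanside_acl: Optional[List[Ace]]) -> Pix:
    """Two interfaces laid out like the thread, `permit icmp any any` inbound on wanside."""
    return Pix([Interface("lanside", 0, lanside_acl),
                Interface("wanside", 90, [Ace("permit", "any", "any")])])


LAN_HOST, WAN_HOST = "10.1.0.10", "10.2.16.5"       # constructed sample hosts

open_lan = build([Ace("permit", "any", "any")])     # every ICMP type inbound on lanside
no_lan_acl = build(None)                            # nothing bound on the security0 side
reply_only = build([Ace("permit", "any", "any", "echo-reply"),   # only what a LAN-originated
                    Ace("permit", "any", "any", "time-exceeded"),  # ping/traceroute needs
                    Ace("permit", "any", "any", "unreachable")])

# To-the-box list: permit echo-reply first, deny-all last (first match wins).
box = Pix([Interface("outside", 0), Interface("inside", 100)],
          [IcmpRule("permit", "any", "outside", "echo-reply"),
           IcmpRule("deny", "any", "outside")])

if __name__ == "__main__":
    for label, p in (("open_lan", open_lan), ("no_lan_acl", no_lan_acl), ("reply_only", reply_only)):
        print(f"{label:11} wan->lan ping: {p.ping('wanside', 'lanside', WAN_HOST, LAN_HOST)!s:5}"
              f"  lan->wan ping: {p.ping('lanside', 'wanside', LAN_HOST, WAN_HOST)}")
    print("outside host pinging the PIX itself:", box.to_box("outside", "198.51.100.7", "echo"))
    print("echo-reply to the PIX from outside:  ", box.to_box("outside", "198.51.100.7", "echo-reply"))
```

Running it shows the three through-the-box cases side by side: with `permit icmp any any` on both interfaces a ping works either way; with no access-list bound on the security0 interface the echo from the high side is forwarded but the reply entering the low side is dropped, so the ping fails (and a LAN-originated ping fails at the echo); with only echo-reply/time-exceeded/unreachable permitted on the low side, pings and traceroutes started from the high side work while the low side cannot initiate. The `to_box` calls show why the `icmp` command list is a separate question from the access-lists and why its order matters.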

garethhinton
Level 1

PIX config looks good to me, as long as nothing else in the path is stopping your ICMP traffic. Might seem a bit silly, but it has been a regular one recently: just check that Windows (or any other security software) on the lanside machines isn't stopping the ICMP echoes.