01-21-2005 06:22 AM - edited 03-09-2019 10:04 AM
I am able to ping from the interface with the low security level to the high security level interface, but not from the high security level interface to the low security level interface.
My low security level interface has the IP address 10.1.0.254/255.255.248.0 and the high security level interface has the IP address 10.3.1.2/255.255.248.0.
This high security level interface is connected to a router's Ethernet port with IP address 10.3.1.1/255.255.248.0. There are 4 sites terminated at the router on serial interfaces.
One of these sites has the internal IP address range 10.2.16.0/255.255.248.0, i.e. 10.2.16.1 to 10.2.23.254. I am able to ping any machine at this site from my LAN (IP address range 10.1.0.0/255.255.248.0, i.e. 10.1.0.1 to 10.1.7.254), but the other sites' machines are not able to ping my site.
The main configuration lines related to the issue are:
nameif ethernet2 lanside security0
nameif ethernet3 wanside security90
ip address lanside 10.1.0.254 255.255.248.0
ip address wanside 10.3.1.2 255.255.248.0
static (wanside,lanside) 10.2.16.0 10.2.16.0 netmask 255.255.248.0
route wanside 10.2.16.0 255.255.248.0 10.3.1.1 1
access-list wanside_in permit icmp any any
access-list lanside_in permit icmp any any
access-group wanside_in in interface wanside
access-group lanside_in in interface lanside
Please help me with this.
01-21-2005 06:28 AM
01-21-2005 07:47 AM
Yes, I have already read it.
What I understand from this documentation is that first you have to create a static mapping, as you are coming from outside (low security) to inside (high security), and then you have to create an access-list and apply it on the outside interface.
In my scenario I am able to ping from lanside (low security) to wanside (high security), but the wanside machines (high security) are not able to ping my lanside (low security) machines.
I have given the static mapping:
static (wanside,lanside) 10.2.16.0 10.2.16.0 netmask 255.255.248.0
access-list wanside_in permit icmp any any
access-group wanside_in in interface wanside
But users at the remote WAN site are not able to ping my LAN machines.
I am able to ping their machines.
01-22-2005 07:02 AM
Might it be that you have a routing issue and the host that you want to ping simply does not know where to send back the ICMP echo-reply?
Remember: ICMP is not a stateful protocol; to allow ping through the PIX you need to add additional lines to your (lower level) interface access-list!
You have done this with a permit icmp any any.
It might be interesting to see what the Cisco packet sniffer (capture command) sees on the PIX.
----- INFO ------------------------------
See: Handling ICMP Pings with the PIX Firewall
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
The PIX and the traceroute Command
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800e9312.shtml
Examples:
Traceroute
Microsoft:
access-group 101 in interface outside
access-list 101 permit icmp any host YourPublicIP unreachable
access-list 101 permit icmp any host YourPublicIP time-exceeded
access-list 101 permit icmp any host YourPublicIP echo-reply
UNIX:
access-group 101 in interface outside
access-list 101 permit icmp any host YourPublicIP unreachable
access-list 101 permit icmp any host YourPublicIP time-exceeded
ICMP command example
icmp deny any outside
icmp permit any echo-reply outside
icmp permit any echo-reply inside
icmp permit host 192.168.1.30 echo inside
icmp permit host 192.168.1.31 echo inside
icmp permit host 192.168.1.20 echo inside
icmp permit host 192.168.1.40 echo inside
icmp permit host 192.168.1.100 echo inside
Sincerely
Patrick
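The stateless-ICMP rule Patrick describes (the echo and the echo-reply are two separate packets, each judged on the interface where it arrives) is easy to get wrong in your head, so here is a small model of it as an added example. This is not code from the thread or from Cisco; it parses only the nameif, access-list icmp and access-group forms used above, assumes that statics and routes exist (it works in post-translation addresses), and treats an interface with no ACL bound as passing traffic only from higher to lower security. The config text is the original post's lanside/wanside setup (with lanside_in bound to lanside, the interface the post's nameif lines define) and Patrick's traceroute ACL with the placeholder YourPublicIP replaced by a constructed address, 203.0.113.10. Everything else here is constructed for illustration.

```python
"""Toy model of how a PIX 6.x decides whether a ping crosses it.

Added example for this thread, not code from the thread or from Cisco.
Assumptions (not stated on the page):
- ICMP is stateless: the echo and its echo-reply are checked as two unrelated
  packets, each on the interface where it arrives.
- When an access-group is bound to the arriving interface, the packet must match
  a permit entry of that ACL (implicit deny otherwise). With no ACL bound, the
  packet passes only from a higher to a lower security level.
- Translations (static/nat) and routes are assumed to exist; addresses are the
  post-translation ones. Only the 'any' and 'host X' address forms are parsed.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional


@dataclass
class Ace:
    src: str                  # "any" or a single host address
    dst: str
    icmp_type: Optional[str]  # None matches every ICMP type

    def matches(self, src: str, dst: str, icmp_type: str) -> bool:
        def addr_ok(pattern: str, addr: str) -> bool:
            return pattern == "any" or ip_address(pattern) == ip_address(addr)
        return (addr_ok(self.src, src) and addr_ok(self.dst, dst)
                and self.icmp_type in (None, icmp_type))


class Pix:
    def __init__(self) -> None:
        self.security: Dict[str, int] = {}    # interface name -> security level
        self.acls: Dict[str, List[Ace]] = {}  # ACL name -> entries, in order
        self.bound: Dict[str, str] = {}       # interface name -> ACL applied inbound

    def load(self, config: str) -> None:
        """Parse the commands the thread uses: nameif, access-list ... icmp, access-group."""
        for line in config.splitlines():
            w = line.split()
            if not w:
                continue
            if w[0] == "nameif":                          # nameif ethernet2 lanside security0
                self.security[w[2]] = int(w[3][len("security"):])
            elif w[0] == "access-list" and w[2:4] == ["permit", "icmp"]:
                rest = w[4:]                               # src dst [icmp-type]
                src = self._take_addr(rest)
                dst = self._take_addr(rest)
                self.acls.setdefault(w[1], []).append(Ace(src, dst, rest[0] if rest else None))
            elif w[0] == "access-group":                  # access-group NAME in interface IF
                self.bound[w[4]] = w[1]

    @staticmethod
    def _take_addr(tokens: List[str]) -> str:
        """Consume 'any' or 'host X' from the front of the token list."""
        if tokens[0] == "host":
            tokens.pop(0)
        return tokens.pop(0)

    def permits(self, in_if: str, out_if: str, src: str, dst: str, icmp_type: str) -> bool:
        """One packet arriving on in_if and leaving via out_if."""
        acl = self.bound.get(in_if)
        if acl is not None:
            return any(a.matches(src, dst, icmp_type) for a in self.acls.get(acl, []))
        return self.security[in_if] > self.security[out_if]

    def ping(self, src_if: str, dst_if: str, src: str, dst: str) -> Dict[str, bool]:
        """The echo arriving on src_if and, separately, the reply arriving on dst_if."""
        return {"echo": self.permits(src_if, dst_if, src, dst, "echo"),
                "echo-reply": self.permits(dst_if, src_if, dst, src, "echo-reply")}


# The original post's interfaces and ACLs (lanside_in bound to lanside).
THREAD_CONFIG = """
nameif ethernet2 lanside security0
nameif ethernet3 wanside security90
access-list wanside_in permit icmp any any
access-list lanside_in permit icmp any any
access-group wanside_in in interface wanside
access-group lanside_in in interface lanside
"""

# Patrick's Windows traceroute ACL; 203.0.113.10 stands in for YourPublicIP (constructed).
TRACEROUTE_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-group 101 in interface outside
access-list 101 permit icmp any host 203.0.113.10 unreachable
access-list 101 permit icmp any host 203.0.113.10 time-exceeded
access-list 101 permit icmp any host 203.0.113.10 echo-reply
"""


def thread_ping_high_to_low() -> Dict[str, bool]:
    """A remote-site host (10.2.16.5, constructed) pings a LAN host (10.1.0.10, constructed)."""
    pix = Pix()
    pix.load(THREAD_CONFIG)
    return pix.ping("wanside", "lanside", "10.2.16.5", "10.1.0.10")


def thread_ping_without_lower_acl() -> Dict[str, bool]:
    """Same, but with no ACL on lanside: the reply leg is dropped on the low-security side."""
    pix = Pix()
    pix.load("\n".join(l for l in THREAD_CONFIG.splitlines() if "lanside_in" not in l))
    return pix.ping("wanside", "lanside", "10.2.16.5", "10.1.0.10")


def traceroute_example():
    """Outside host 198.51.100.7 (constructed) vs. the public IP: inbound echo is denied,
    an outbound ping from the public IP gets its echo-reply back in through ACL 101."""
    pix = Pix()
    pix.load(TRACEROUTE_CONFIG)
    inbound = pix.ping("outside", "inside", "198.51.100.7", "203.0.113.10")
    outbound = pix.ping("inside", "outside", "203.0.113.10", "198.51.100.7")
    return inbound, outbound
```

With the post's config, both legs of a wanside-to-lanside ping are permitted, which is why the replies in this thread point at routing, translation and host firewalls rather than at the ACLs; drop the lanside ACL and the model shows the reply being lost on the low-security interface, the case Patrick's "additional lines" remark covers. Note that the `icmp permit/deny` commands in Patrick's second example are a different control: they govern ICMP addressed to the PIX's own interface addresses, not traffic passing through it, so they are left out of this model.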
01-22-2005 03:53 PM
The PIX config looks good to me, as long as nothing else in the path is stopping your ICMP traffic. It might seem a bit silly, but it has been a regular one recently: just check that Windows (or any other security software) on the lanside machines isn't stopping the ICMP echoes.