
ICMP problem

adelasiri
Level 1

I have a Mon-Server inside my LAN that collects SNMP data from my network.

It also uses ping to test device availability. My scenario: the Mon-Server is able to collect SNMP from a router behind the PIX (outside-sahci) interface, but it cannot ping it. When I enable ICMP debug I am seeing the echo requests come from the Mon-Server through the (inside) interface and get NATted, then the echo-reply comes back on (outside-sahci), but it does not reach the Mon-Server.

This is my PIX conf:

7 Replies

jbrunner007
Level 1

It appears you have two outside interfaces:

"outside" with security0

"outside-sahci" with security10

If the router you are trying to ping is on interface outside-sahci, you just need to apply the ACL to the interface. You already have the ACL in your config:

access-list outside-sahci permit icmp any host Mon-Server echo-reply

Apply it like the other two you already have applied, to permit the echo-replies:

access-group outside-sahci in interface outside-sahci

Tschüss,

Joe

mpalardy
Level 3

Please apply the following command on the PIX:

access-group outside-sahci in interface outside-sahci

Mike

Guys,

Still no luck, I cannot ping.

Could you issue a clear xlate command on the PIX and then see if you get a ping reply?

Otherwise I'd suggest you enable a syslog server (set to debug) and post the syslogs here for further analysis.

Also, clear xlate does not work.

This is the syslog:

"8/31/2006 7:10:44 PM" 10.16.60.252 Warning "Aug 31 2006 20:10:25: Deny icmp src outside-sahci:STC-Router dst inside:10.255.128.129 (type 0, code 0) by access-group outside-sahci"

"8/31/2006 7:10:44 PM" 10.16.60.252 Warning "Aug 31 2006 20:10:25: IDS:2000 ICMP echo reply from 10.255.132.9 to 10.255.128.129 on interface outside-sahci"

"8/31/2006 7:10:44 PM" 10.16.60.252 Warning "Aug 31 2006 20:10:25: Deny icmp src outside-sahci:10.1.1.9 dst inside:10.255.128.129 (type 0, code 0) by access-group outside-sahci"

"8/31/2006 7:10:44 PM" 10.16.60.252 Warning "Aug 31 2006 20:10:25: IDS:2000 ICMP echo reply from 10.1.1.9 to 10.255.128.129 on interface outside-sahci"

"8/31/2006 7:10:44 PM" 10.16.60.252 Warning "Aug 31 2006 20:10:25: IDS:2000 ICMP echo reply from 172.30.65.2 to 10.16.60.72 on interface outside"

"8/31/2006 7:10:44 PM" 10.16.60.252 Warning "Aug 31 2006 20:10:25: Deny icmp src outside-sahci:10.245.13.30 dst inside:10.255.128.129 (type 0, code 0) by access-group outside-sahci"

"8/31/2006 7:10:44 PM" 10.16.60.252 Warning "Aug 31 2006 20:10:25: IDS:2000 ICMP echo reply from 10.245.13.30 to 10.255.128.129 on interface outside-sahci"
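The syslog above says the echo-replies are being dropped "by access-group outside-sahci", so the ACL is applied; what remains to check is why the permit line never matches. The script below is an added example, not code from the thread or from Cisco: it parses the PIX "Deny icmp ... by access-group" lines quoted above (copied here as a constructed sample), parses the access-list line Joe proposed, and replays each denied packet against that ACL under a candidate `name Mon-Server` mapping. Both mappings in `main` are assumptions chosen to illustrate the two outcomes; the thread does not give the real address of Mon-Server.

```python
"""Replay PIX 'Deny icmp ... by access-group' syslog lines against an ACL line.

Added example (not from the thread). Shows whether each logged deny would have
been permitted by the proposed access-list under a candidate `name` mapping.
"""
import re
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed sample: the syslog lines quoted in the thread, trimmed to the PIX message.
SAMPLE_SYSLOG = """\
Aug 31 2006 20:10:25: Deny icmp src outside-sahci:STC-Router dst inside:10.255.128.129 (type 0, code 0) by access-group outside-sahci
Aug 31 2006 20:10:25: IDS:2000 ICMP echo reply from 10.255.132.9 to 10.255.128.129 on interface outside-sahci
Aug 31 2006 20:10:25: Deny icmp src outside-sahci:10.1.1.9 dst inside:10.255.128.129 (type 0, code 0) by access-group outside-sahci
Aug 31 2006 20:10:25: IDS:2000 ICMP echo reply from 172.30.65.2 to 10.16.60.72 on interface outside
Aug 31 2006 20:10:25: Deny icmp src outside-sahci:10.245.13.30 dst inside:10.255.128.129 (type 0, code 0) by access-group outside-sahci
"""

# The access-list line proposed in the thread.
ACL_LINES = ["access-list outside-sahci permit icmp any host Mon-Server echo-reply"]

# Subset of the ICMP type keywords a PIX access-list accepts, mapped to type numbers.
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "echo": 8, "time-exceeded": 11}

DENY_RE = re.compile(
    r"Deny icmp src (?P<src_if>[\w-]+):(?P<src>[\w.-]+) "
    r"dst (?P<dst_if>[\w-]+):(?P<dst>[\w.-]+) "
    r"\(type (?P<type>\d+), code (?P<code>\d+)\) by access-group (?P<acl>[\w-]+)"
)


@dataclass
class DenyEvent:
    src_if: str
    src: str          # address or PIX `name` as logged
    dst_if: str
    dst: str
    icmp_type: int
    acl: str


@dataclass
class AclRule:
    name: str
    action: str
    src: IPv4Network
    dst: IPv4Network
    icmp_type: Optional[int]   # None means any ICMP type


def parse_deny_lines(text: str) -> List[DenyEvent]:
    """Extract the access-group deny events; IDS and other messages are ignored."""
    events = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            events.append(DenyEvent(m["src_if"], m["src"], m["dst_if"], m["dst"],
                                    int(m["type"]), m["acl"]))
    return events


def to_addr(token: str, names: Dict[str, str]) -> Optional[IPv4Address]:
    """Resolve a PIX `name` or literal address; None if the name is unknown to us."""
    try:
        return ip_address(names.get(token, token))
    except ValueError:
        return None


def parse_acl_line(line: str, names: Dict[str, str]) -> AclRule:
    """Parse 'access-list NAME permit|deny icmp SRC DST [icmp-type]' (any / host X / net mask)."""
    t = line.split()
    if t[0] != "access-list" or t[3] != "icmp":
        raise ValueError(f"not an icmp access-list line: {line}")

    def addr(i: int) -> Tuple[IPv4Network, int]:
        if t[i] == "any":
            return ip_network("0.0.0.0/0"), i + 1
        if t[i] == "host":
            return ip_network(f"{to_addr(t[i + 1], names)}/32"), i + 2
        return ip_network(f"{to_addr(t[i], names)}/{t[i + 1]}", strict=False), i + 2

    src, i = addr(4)
    dst, i = addr(i)
    icmp_type = ICMP_TYPES[t[i]] if i < len(t) else None
    return AclRule(t[1], t[2], src, dst, icmp_type)


def first_match(rules: List[AclRule], ev: DenyEvent, names: Dict[str, str]) -> Optional[AclRule]:
    """First rule in the event's access-group that matches it (PIX ACLs are first-match)."""
    src, dst = to_addr(ev.src, names), to_addr(ev.dst, names)
    for r in rules:
        if r.name != ev.acl:
            continue
        # An unresolvable logged name can only be matched by a source of 'any'.
        src_ok = r.src.prefixlen == 0 if src is None else src in r.src
        dst_ok = dst is not None and dst in r.dst
        if src_ok and dst_ok and r.icmp_type in (None, ev.icmp_type):
            return r
    return None


def audit(syslog_text: str, acl_lines: List[str], names: Dict[str, str]) -> Dict[Tuple[str, str, int], str]:
    """Map (src, dst, icmp type) of each logged deny to the action the candidate ACL would take."""
    rules = [parse_acl_line(l, names) for l in acl_lines]
    out = {}
    for ev in parse_deny_lines(syslog_text):
        r = first_match(rules, ev, names)
        out[(ev.src, ev.dst, ev.icmp_type)] = r.action if r else "deny"
    return out


if __name__ == "__main__":
    # Assumption A: `name 10.255.128.129 Mon-Server`, the address the replies are sent to.
    # Every logged deny becomes a permit, so the running ACL cannot be this line with this name.
    print(audit(SAMPLE_SYSLOG, ACL_LINES, {"Mon-Server": "10.255.128.129"}))
    # Assumption B: Mon-Server names some other address (e.g. the un-NATted inside address).
    # The line never matches and the logged denies are reproduced.
    print(audit(SAMPLE_SYSLOG, ACL_LINES, {"Mon-Server": "10.255.128.10"}))
```

The check worth taking from this: on PIX 6.x (and ASA before 8.3) an ACL applied inbound on an outside interface matches the translated address the packet carries on that interface, so `host Mon-Server` must name the global address that the replies are addressed to in the log (10.255.128.129), not the server's real inside address. Compare the `name` line in the running config against the `dst` address in the deny messages before looking further.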

adelasiri
Level 1

Guys,

Any help?

From your syslog you appear to be pinging the outside interface of the PIX from the inside network ("Deny icmp src outside-sahci").

Sorry, but according to Cisco it can't be done.

It's strange, because I have two 515Es, one with 6.3(4) on which this is true and pings don't work, but the other PIX has 6.3(1) and it works. Both have the same config. Must be a bug in the earlier version.

See this doc:

http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#pingsown

Thanks,

Chad

Please rate if this helps!