08-30-2006 05:06 AM - edited 03-09-2019 04:03 PM
I have a Mon-Server inside my LAN that collects SNMP data from my network.
It also uses ping to test device availability. My scenario: my Mon-Server is able to collect SNMP from a router behind the PIX (outside-sahci) interface, but it cannot ping it. When I enable icmp debug I am seeing the echo requests come from the Mon-Server through the (inside) interface, then get NATted, then the echo-reply comes back from (outside-sahci), but it does not reach the Mon-Server.
This is my pix conf:
08-30-2006 11:22 AM
It appears you have 2 outside interfaces:
"outside" with security0
"outside-sahci" with security10
If the router you are trying to ping is on interface outside-sahci you just need to apply the ACL to the interface. You already have the ACL in your config:
access-list outside-sahci permit icmp any host Mon-Server echo-reply
Apply it like the other 2 you already have applied, to permit the echo-replies...
access-group outside-sahci in interface outside-sahci
tschuss,
Joe
08-30-2006 12:05 PM
Please apply the following command on the pix:
access-group outside-sahci in interface outside-sahci
Mike
08-31-2006 04:24 AM
Guys,
still no luck, I cannot ping.
08-31-2006 06:33 AM
Could you initiate a clear xlate command on the pix, then see if you get a ping reply.
Otherwise I'd suggest you enable a syslog server (set to debug) and post the syslogs here for further analysis.
08-31-2006 08:25 AM
Also clear xlate does not work.
This is the syslog:
"8/31/2006 7:10:44 PM" 10.16.60.252 Warning "Aug 31 2006 20:10:25: Deny icmp src outside-sahci:STC-Router dst inside:10.255.128.129 (type 0, code 0) by access-group outside-sahci"
"8/31/2006 7:10:44 PM" 10.16.60.252 Warning "Aug 31 2006 20:10:25: IDS:2000 ICMP echo reply from 10.255.132.9 to 10.255.128.129 on interface outside-sahci"
"8/31/2006 7:10:44 PM" 10.16.60.252 Warning "Aug 31 2006 20:10:25: Deny icmp src outside-sahci:10.1.1.9 dst inside:10.255.128.129 (type 0, code 0) by access-group outside-sahci"
"8/31/2006 7:10:44 PM" 10.16.60.252 Warning "Aug 31 2006 20:10:25: IDS:2000 ICMP echo reply from 10.1.1.9 to 10.255.128.129 on interface outside-sahci"
"8/31/2006 7:10:44 PM" 10.16.60.252 Warning "Aug 31 2006 20:10:25: IDS:2000 ICMP echo reply from 172.30.65.2 to 10.16.60.72 on interface outside"
"8/31/2006 7:10:44 PM" 10.16.60.252 Warning "Aug 31 2006 20:10:25: Deny icmp src outside-sahci:10.245.13.30 dst inside:10.255.128.129 (type 0, code 0) by access-group outside-sahci"
"8/31/2006 7:10:44 PM" 10.16.60.252 Warning "Aug 31 2006 20:10:25: IDS:2000 ICMP echo reply from 10.245.13.30 to 10.255.128.129 on interface outside-sahci"
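As an added example (not code from the thread) of triaging PIX syslog in the shape posted above: a Python script that pulls out the ACL deny messages, reports which echo-replies to the monitoring host were dropped and by which access-group, and checks a saved config for the echo-reply permit line and the access-group binding suggested earlier in the thread. The sample log lines and config snippet are constructed from the values posted here; the monitoring-host address and ACL names are taken from the thread.

```python
import re

# Regex for the PIX "Deny icmp ... by access-group" message seen in the thread.
# The source may be a PIX 'name' (e.g. STC-Router) or a plain IP address.
DENY_RE = re.compile(
    r"Deny icmp src (?P<src_if>[^:\s]+):(?P<src>\S+) dst (?P<dst_if>[^:\s]+):(?P<dst>\S+) "
    r"\(type (?P<icmp_type>\d+), code (?P<icmp_code>\d+)\) by access-group (?P<acl>[\w-]+)"
)

# Constructed sample lines, in the same format as the syslog posted in the thread.
SAMPLE_LINES = [
    '"8/31/2006 7:10:44 PM" 10.16.60.252 Warning "Aug 31 2006 20:10:25: Deny icmp src outside-sahci:STC-Router dst inside:10.255.128.129 (type 0, code 0) by access-group outside-sahci"',
    '"8/31/2006 7:10:44 PM" 10.16.60.252 Warning "Aug 31 2006 20:10:25: IDS:2000 ICMP echo reply from 10.255.132.9 to 10.255.128.129 on interface outside-sahci"',
    '"8/31/2006 7:10:44 PM" 10.16.60.252 Warning "Aug 31 2006 20:10:25: Deny icmp src outside-sahci:10.1.1.9 dst inside:10.255.128.129 (type 0, code 0) by access-group outside-sahci"',
    '"8/31/2006 7:10:44 PM" 10.16.60.252 Warning "Aug 31 2006 20:10:25: IDS:2000 ICMP echo reply from 172.30.65.2 to 10.16.60.72 on interface outside"',
]


def parse_denies(lines):
    """Return one dict per ACL deny message; other lines (e.g. IDS:2000 notices) are skipped."""
    found = []
    for line in lines:
        m = DENY_RE.search(line)
        if m:
            d = m.groupdict()
            d["icmp_type"] = int(d["icmp_type"])
            d["icmp_code"] = int(d["icmp_code"])
            found.append(d)
    return found


def dropped_echo_replies(lines, monitor_host):
    """Map (ingress interface, ACL name) -> set of senders whose echo-replies (ICMP type 0)
    addressed to monitor_host were dropped. An empty result means the ACL is not what
    is eating the replies and the cause lies elsewhere (e.g. the PIX self-ping limit)."""
    out = {}
    for d in parse_denies(lines):
        if d["icmp_type"] == 0 and d["dst"] == monitor_host:
            out.setdefault((d["src_if"], d["acl"]), set()).add(d["src"])
    return out


def acl_status(config_lines, acl_name, interface, monitor_host):
    """Check a PIX 6.x config for the two pieces the replies above ask for: an
    echo-reply permit line for the monitoring host and the access-group binding."""
    permit = f"access-list {acl_name} permit icmp any host {monitor_host} echo-reply"
    bind = f"access-group {acl_name} in interface {interface}"
    stripped = {line.strip() for line in config_lines}
    return {"permit_present": permit in stripped, "bound_to_interface": bind in stripped}
```

Feed it the full syslog export and the running config: if `dropped_echo_replies` lists senders but `acl_status` reports `bound_to_interface: False`, the missing access-group line is the cause; if the ACL is bound and nothing is denied, look at the PIX version note further down the thread instead.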
09-01-2006 06:00 AM
Guys,
any help?
09-05-2006 04:57 AM
From your syslog you appear to be pinging the outside interface of the pix from the inside network: "Deny icmp src outside-sahci".
Sorry, but according to Cisco it can't be done.
It's strange because I have 2 515e's, one with 6.3(4) on which this is true and pings don't work. But the other pix has 6.3(1) and it works. Both have the same config. Must be a bug in the earlier version.
See this doc:
Thanks,
Chad
Please rate if this helps!