PIX Xlate problem

peterstudley
Level 1

Hello,

I have a problem with a PIX xlate entry. I'm able to ping across a PIX with the 1.1.48 scope but not a routed 10.1.50 packet. I know the packet is getting to the PIX because I can ping the inside interface, but for some reason it won't go across it with a source L3 address. Thanks.

My config is below:

interface ethernet0 auto shutdown
interface ethernet1 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet5 intfail security10
access-list 161 permit ip any any
access-list 160 permit ip any any
access-group 161 in interface inside
access-group 160 in interface outside
ip address inside 10.1.48.2 255.255.255.248
ip address outside 65.197.133.147 255.255.255.240
nat (inside) 1 10.1.0.0 255.255.0.0
global (outside) 1 65.197.133.152 netmask 255.255.255.240
route outside 0.0.0.0 0.0.0.0 65.197.133.145 25
route inside 10.1.0.0 255.255.0.0 10.1.48.1 10


Not applicable

For inside users to be able to ping external hosts, you need to permit Internet Control Message Protocol (ICMP) echo reply packets back through the PIX. The PIX does not dynamically open up access for the ICMP reply packets.

The solution is to apply an access-list to the outside interface permitting echo reply packets back in.

For example:

access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-group 101 in interface outside

This allows only these return messages through the firewall when an inside user pings to an outside host. The other types of ICMP status messages might be hostile and the firewall blocks all other ICMP messages.

For more information, refer to Handling ICMP Pings with the PIX Firewall.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
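As an added illustration (not part of the thread or any Cisco code), the small evaluator below models how a PIX 6.x access-list applied inbound on the outside interface decides the fate of a returning ICMP packet: first match wins, and anything unmatched hits the implicit deny. It is fed the four-line ACL 101 from the reply (and, for comparison, the `permit ip any any` entry 160 from the question's config); the addresses used in the checks are constructed sample values, and the parser covers only the `any` / `host` / network-mask address forms and the trailing ICMP type keyword.

```python
import ipaddress

# Constructed ACL text taken from the reply above and from the question's config.
ACL_101 = """access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded"""
ACL_160 = "access-list 160 permit ip any any"


def _parse_addr(tokens, i):
    """Return (network, next_index) for the address spec starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "A.B.C.D M.M.M.M" network/mask pair; strict=False tolerates host bits.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text):
    """Parse 'access-list <id> permit|deny <proto> <src> <dst> [icmp-type]' lines."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue  # skip blank lines and anything that is not an ACE
        acl_id, action, proto = t[1], t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        icmp_type = t[i] if proto == "icmp" and i < len(t) else None
        entries.append((acl_id, action, proto, src, dst, icmp_type))
    return entries


def permitted(entries, acl_id, src, dst, proto, icmp_type=None):
    """First matching ACE decides; no match falls through to the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for aid, action, p, snet, dnet, itype in entries:
        if aid != acl_id or s not in snet or d not in dnet:
            continue
        if p != "ip" and p != proto:
            continue  # 'ip' matches every protocol, otherwise protocols must agree
        if p == "icmp" and itype is not None and itype != icmp_type:
            continue  # an ACE with a type keyword matches only that ICMP type
        return action == "permit"
    return False  # implicit deny at the end of every PIX access-list
```

Run against ACL 101, an echo-reply from the outside host back to the global address is admitted while an inbound echo request is dropped by the implicit deny; entry 160's `permit ip any any` admits both, which is why it offers no filtering at all.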
