Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
666
Views
0
Helpful
3
Replies

PIX and PING

wallaceew
Level 1
Level 1

‎02-28-2013 07:43 AM

Hi,

I have an old cisco 506e running version 6.3(5).  I can ping from  10.252.5.5 to 184.106.249.99  However, from 10.252.6.66 I cannot ping.   All the config looks good apart from this:

ip address outside 94.56.18.49 255.255.255.248

ip address inside 10.252.5.2 255.255.255.224

the inside subnet does not include the 10.252.6 range

when i run an ICMP debug I get this:

350: ICMP echo-request: translating inside:10.252.5.5/512 to outside:94.56.18.49/0

351: ICMP echo-request from outside:10.68.24.109 to 10.252.5.5 ID=768 seq=61448 length=40

352: ICMP echo-reply from inside:10.252.5.5 to 10.68.24.109 ID=768 seq=61448 length=40

353: ICMP echo-reply from outside:184.106.249.99 to 94.56.18.49 ID=0 seq=26890 length=40

354: ICMP echo-reply: untranslating outside:94.56.18.49/0 to inside:10.252.5.5/512

355: ICMP echo-request from outside:10.68.24.109 to 10.252.5.5 ID=768 seq=61704 length=40

356: ICMP echo-reply from inside:10.252.5.5 to 10.68.24.109 ID=768 seq=61704 length=40

357: ICMP echo-request from inside:10.252.5.5 to 184.106.249.99 ID=512 seq=27146 length=40

358: ICMP echo-request: translating inside:10.252.5.5/512 to outside:94.56.18.49/0

359: ICMP echo-request from inside:10.252.6.66 to 184.106.249.99 ID=1 seq=1236 length=72

360: ICMP echo-reply from outside:184.106.249.99 to 94.56.18.49 ID=0 seq=27146 length=40

361: ICMP echo-reply: untranslating outside:94.56.18.49/0 to inside:10.252.5.5/512

362: ICMP echo-request from inside:10.252.5.5 to 184.106.249.99 ID=512 seq=27402 length=40

As you can see the ip address that works gets translated, the one that fails (10.252.6.66) does not get translated.

Does anyone understand if this is being caused by theinside ip addres range being incorrect ?

Labels:
0 Helpful
3 Replies 3

Jouni Forss
VIP Alumni
VIP Alumni

‎02-28-2013 07:48 AM

Hi,

Naturally you either have to have a route for the IP address that belongs to some other network on the PIX

Options are

  • You need a route towards the network that contains this host on the PIX
  • Change the PIX inside network mask
  • Change the host network adapter configurations

If there is a route for the host already on the PIX then you might just be missing a "nat" configuration line.

- Jouni

0 Helpful

wallaceew
Level 1
Level 1
In response to Jouni Forss

‎03-01-2013 01:33 AM

Hi,

Many thanks for coming back to me.  I do have a route to the network so if must be the subnet mask on the inside that needs changing.

thanks again

Eamonn

0 Helpful

Jouni Forss
VIP Alumni
VIP Alumni
In response to wallaceew

‎03-01-2013 01:39 AM

Hi,

If you issue "show route" on the PIX and you can see a route for another network that includes that source IP address doing the ICMP/PING then you simply need the NAT statement for it I think

nat (inside)

Where

  • = This could be the same number as the existing PAT rules on the PIX

- Jouni

0 Helpful
Customers Also Viewed These Support Documents