Cannot Ping PIX 525 inside interface

Hi, I can not ping the interface e1 of a new 525 PIX running V6.35. I configured the address e1 and tried, but I can't ping the laptop connected directly to it, or vice versa... ACL has added to what icmp any an and the IP a whole and applied the e1 interface. Still can not ping... any idea why this is happening?... I'm suspect a hardware problem or cable, the cable must be crossver or directly through... I tired to connect to a switch also but same result... interface e1 is towards the top and to the top and show no problem... nor log shows no info as to why this happens... any suggestion is appreciated.

Thank you

Hello

A single pix failover license does not work like a normal pix, so you can not 'test' with her before connecting. Once that connect you to your primary pix, that it will automatically update the IOS on the unit of failover and reproduce the config, so none of this is required of you before hand. I found this process much easier by using serial failover cable first, once the installation is finished and then in my case, I use the failover LAN based that later, I migrated to. Here's a couple of useful documents that you can review. Your version of the software may require the updated documentation.

http://www.Cisco.com/en/us/customer/products/HW/vpndevc/ps2030/products_tech_note09186a0080094ea7.shtml

http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/PIX/pix_sw/v_63/config/failover.htm#1076500

Tags: Cisco Security

Similar Questions

Cisco ezvpn ASAs cannot ping each other inside interfaces

I have a set ezvpn in place with a 5506 (position B) client-side and a 5520 (location A) server-side. I have successfully connected vpn, and traffic flows. My problem is that I can't SSH in the location b. investigate this more than I can not ping is within the interface of the ASA opposing, or the machines inside each ASA ASA.

I found the following links that describes a scenario similar to mine, but nothing on one of them helped me.
http://www.experts-exchange.com/questions/28388142/cannot-ping-ASA-5505-inside-interface-across-VPN.html
https://www.fir3net.com/firewalls/Cisco/Cisco-ASA-proxy-ARP-gotcha.html
https://supportforums.Cisco.com/discussion/11755586/Cisco-ASA-VPN-established-cant-ping

I joined sanitized versions of these two configs. Any help is appreciated.

Hi Adam

The site of B I'm not able to see "management of access to inside. Please try to set up the same. He could solve the problem.

Also on the instruction of the ASA takes place nat can you please try to add keywords 'search non-proxy-arp route'.

something like:
```
nat (inside,outside) source static (Location A)_Networks (Location A)_Networks destination static (location B)-remote_network (location B)-remote_network no-proxy-arp route-lookup
```
as I have noted problems with inside access to interface via the VPN when those keywords are not applied. If I remember correctly 8.6.x ASA version had a bug regarding the same. Cordially Véronique

Cannot ping PIX 515e Interfaces

I know it's a very silly question for this forum, but I have already tried many things and cannot get the answer from the PIX firewall interfaces.

It's my (very easy) installation:

Using a FastEthernet port on router, I have a cable connected directly to the outside I / F of the PIX-515e. (Crossover cable works, I have already tested). Router <-->PIX directly connected.

I configured the PIX firewall to allow pings (I used different commands):

ICMP allow any response of echo outdoors

ICMP allow all outside

ICMP permitted - echo outside response

I tried to configure each of them and also combined.

Also tried to send the PIX to its default values. Supposed to be after that the PIX should allow all pings if no "icmp" command is configured.

I have configured the ports on both sides to 100 Full

On both sides of the link (PIX and router) I have the links to the top. The lights are on.

The 'show interest' on the PIX firewall shows to the top/top

The same thing on the router...

The two interfaces are configured in

10.1.1.0/24 (10.1.1.1 & 10.1.1.2)

What I am doing wrong?

This should be very easy...

Hello

Majority of the time interfaces refuses explicitly to ICMP packets unless you indicate otherwise. Here is a link to a pretty good setup guide... Have a look at the link to the ping Security Appliance Interfaces section in this guide. I'm really frustrated myself during the installation/testing phase because the pings are not working and it helped. Hope this helps a little and makes your life easier =) (rate if it please and thank you)

http://www.Cisco.com/en/us/products/ps6120/products_configuration_guide_chapter09186a00805521b6.html#wp1059645

Thank you

Chris

Cannot ping ASA inside the interface via VPN

Hello

I have a scenario with tunel VPN between a router and ASA and can ping subnet behind ASA subnet behind the router (and), but I cannot ping the ASA inside the interface on the VPN tunnel. I need to access the remote location ASDM. How can it be done?

Thanks for your suggestions.

Remi

Hello

You must have the 'inside access management' command configured on the SAA.

If you run a 8.3 software or newer on the SAA, should also look at the configuration 'nat' IF the above command solves your problem

-Jouni

Site to site VPN tunnel - cannot ping the second interface of the firewall peer inside2

I have two ASA 5505 firewall each with a basic license: FWa and FWb. currently there is a VPN tunnel between them work. I added a second (inside2) interface to the firewall, FWb, but I can't ping firewall FWa, so that I can ping the inside interface of FWa.

I can ping the FWb inside interface 192.168.20.1 from the FWa inside 172.16.1.1 interface, but I can not ping to the 10.52.100.10 of the FWa FWb inside2 interface. I can not ping the gateway host FWa 10.52.100.1.

I show the essential configuration of two firewalls as well as the debug icmp output on the two firewalls that I ping the internal interfaces and of FWa FWb inside2.
=========================================================

Here is a skeleton of the FWa configuration:

name 172.16.1.0 network-inside
name 192.168.20.0 HprCnc Thesys
name 10.52.100.0 ring52-network
name 10.53.100.0 ring53-network
name S.S.S.S outside-interface

interface Vlan1
nameif inside
security-level 100
IP 172.16.1.1 255.255.255.0
!
interface Vlan2
Description Connection to 777 VLAN to work around static Comast external Modem and IP address.
nameif outside
security-level 0
outside interface IP address 255.255.255.240

the DM_INLINE_NETWORK_5 object-group network
network-object HprCnc Thesys 255.255.255.0
ring52-network 255.255.255.0 network-object
ring53-network 255.255.255.0 network-object

the DM_INLINE_NETWORK_3 object-group network
ring52-network 255.255.255.0 network-object
network-object HprCnc Thesys 255.255.255.0
ring53-network 255.255.255.0 network-object

outside-interface of the access-list extended permitted Outside_5_cryptomap ip host object-group DM_INLINE_NETWORK_3
inside_nat_outbound list extended access allowed inside-network ip, 255.255.255.0 DM_INLINE_NETWORK_5 object-group
permit access list extended ip host 173.162.149.72 Outside_nat0_outbound aus_asx_uat 255.255.255.0

NAT (inside) 0 access-list sheep
NAT (inside) 101-list of access inside_nat_outbound
NAT (inside) 101 0.0.0.0 0.0.0.0
NAT (outside) 0-list of access Outside_nat0_outbound

card crypto VPN 5 corresponds to the address Outside_5_cryptomap
card crypto VPN 5 set pfs Group1
VPN 5 set peer D.D.D.D crypto card
VPN 5 value transform-set VPN crypto card
tunnel-group D.D.D.D type ipsec-l2l
IPSec-attributes tunnel-Group D.D.D.D
pre-shared key *.

=========================================================

FWb:

name 10.52.100.0 ring52-network
name 10.53.100.0 ring53-network
name 10.51.100.0 ring51-network
name 10.54.100.0 ring54-network

interface Vlan1
nameif inside
security-level 100
address 192.168.20.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
address IP D.D.D.D 255.255.255.240
!
interface Vlan52
prior to interface Vlan1
nameif inside2
security-level 100
IP 10.52.100.10 255.255.255.0

the DM_INLINE_NETWORK_3 object-group network
ring52-network 255.255.255.0 network-object
ring53-network 255.255.255.0 network-object

the DM_INLINE_NETWORK_2 object-group network
ring52-network 255.255.255.0 network-object
object-network 192.168.20.0 255.255.255.0
ring53-network 255.255.255.0 network-object

inside_nat0_outbound to access extended list ip 192.168.20.0 allow 255.255.255.0 host S.S.S.S
inside2_nat0_outbound list extended access allowed object-group DM_INLINE_NETWORK_3 S.S.S.S ip host

outside_1_cryptomap list extended access allowed object-group DM_INLINE_NETWORK_2 S.S.S.S ip host

NAT (inside) 0-list of access inside_nat0_outbound
NAT (inside) 1 0.0.0.0 0.0.0.0
inside2_nat0_outbound (inside2) NAT 0 access list
NAT (inside2) 1 0.0.0.0 0.0.0.0

Route inside2 network ring51 255.255.255.0 10.52.100.1 1
Route inside2 network ring53 255.255.255.0 10.52.100.1 1
Route inside2 network ring54 255.255.255.0 10.52.100.1 1

card crypto outside_map 1 match address outside_1_cryptomap
card crypto outside_map 1 set pfs Group1
outside_map game 1 card crypto peer S.S.S.S
card crypto outside_map 1 set of transformation-ESP-3DES-SHA
outside_map interface card crypto outside

tunnel-group S.S.S.S type ipsec-l2l
IPSec-attributes tunnel-group S.S.S.S
pre-shared key *.

=========================================================================
I'm Tournai on icmp trace debugging on both firewalls and could see the traffic arriving at the inside2 interface, but never return to FWa.

Ping Successul FWa inside the interface on FWb

FWa # ping 192.168.20.1
Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 192.168.20.1, time-out is 2 seconds:
Echo request ICMP from outside-interface to 192.168.20.1 ID = 32068 seq = 23510 len = 72
! ICMP echo reply to 192.168.20.1 in outside-interface ID = 32068 seq = 23510 len = 72
....

FWb #.
Echo ICMP of S.S.S.S to 192.168.20.1 ID request = 32068 seq = 23510 len = 72
ICMP echo reply 192.168.20.1 S.S.S.S ID = 32068 seq = 23510 len = 72
==============================================================================
Successful ping of Fwa on a host connected to the inside interface on FWb

FWa # ping 192.168.20.15
Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 192.168.20.15, wait time is 2 seconds:
Echo request ICMP from outside-interface to 192.168.20.15 ID = seq 50862 = 18608 len = 72
! ICMP echo reply to 192.168.20.15 in outside-interface ID = seq 50862 = 18608 len = 72
...

FWb #.
Inside outside:S.S.S.S ICMP echo request: 192.168.20.15 ID = seq 50862 = 18608 len = 72
ICMP echo reply to Interior: 192.168.20.15 outside:S.S.S.S ID = seq 50862 = 18608 len = 72

===========================
Unsuccessful ping of FWa to inside2 on FWb interface

FWa # ping 10.52.100.10
Send 5, echoes ICMP 100 bytes to 10.52.100.10, wait time is 2 seconds:
Echo request ICMP from outside-interface to 10.52.100.10 ID = 19752 seq = 63173 len = 72
? Echo request ICMP from outside-interface to 10.52.100.10 ID = 19752 seq = 63173 len = 72
...

FWb #.
10.52.100.10 ID of S.S.S.S ICMP echo request = 19752 seq = 63173 len = 72
10.52.100.10 ID of S.S.S.S ICMP echo request = 19752 seq = 63173 len = 72
....

==================================================================================

Unsuccessful ping of Fwa to a host of related UI inside2 on FWb

FWa # ping 10.52.100.1
Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 10.52.100.1, wait time is 2 seconds:
Echo request ICMP from outside-interface to 10.52.100.1 ID = 11842 seq = 15799 len = 72

FWb #.
Echo request ICMP outside:S.S.S.S to inside2:10.52.100.1 ID = 11842 seq = 15799 len = 72
Echo request ICMP outside:S.S.S.S to inside2:10.52.100.1 ID = 11842 seq = 15799 len = 72

=======================

Thank you

Hi odelaporte2,

Is very probably the "access management" command is not applied in the second inside, only inside primary (see the race management) which will confirm.

This command can be applied to an interface at a time, for example, if the law is now applied to the inside, it can not be applied to the inside2 at the same time.

It may be useful

-Randy-

Cannot ping computers on the subnet remote site vpn while to set up

Hi all

I encountered a problem of site to site vpn for ping answered nothing of machines of remote subnet.

the ipsec tunnel is ok but I can ping the ASA distance inside the interface ip

Here is my scenario:

LAN1 - ASA5510 - ASA5505 - LAN2 - ordinateur_distant

LAN1: 192.168.x.0/24

LAN2: 172.25.88.0/24

remote_machine_ip: 172.25.87.30

LAN1 can ping to ASA5505 inside interface (172.25.88.1)

but cannot ping ordinateur_distant (172.25.87.30)

Inside of the interface ASA5505 can ping ordinateur_distant

LAN2 can ASA5510 ping inside the machines on LAN1 and interface

Is there something I missed?

Thanks much for the reply

I don't think it's something you really want to do.

If you PAT the whole subnet to LAN1 ip (192.168.1.0/24) to 172.25.249.1, then LAN2, will not be able to reach the specific host on LAN1, cause now, you represent the LAN1 network, with a single ip address.

So traffic will become a way from LAN1 can reach LAN2 and get the response of LAN2 through the PAT on 172.25.249.1

But LAN2, is no longer specific hosts LAN1 ip traffic, since you only have 172.25.249.1, to represent the subnet to LAN1.

If you still want to PAT the whole subnet to LAN1 (192.168.1.0/24) ip to 172.25.249.1, then you have to do outside the NAT.

http://www.Cisco.com/en/us/customer/docs/security/ASA/asa80/command/reference/no.html#wp1737858

Kind regards

ASA 5540 - cannot ping inside the interface

Hi all. We have recently upgraded PIX to ASA5540 and we saw a strange thing going. In a Word, we can ping the inside interface of the ASA from any beach on our 6500 network (which is connected directly behind the ASA on the inside), but one where our monitoring tools are placed. Inside there is an ACL that allows all of our core networks, but it does not help that the interface is really strange.

In the ASDM, I see messages like this:

ID ICMP echo request: 2004 x.x.x.x y.y.y.y on the inside interface to. I don't think that's the problem, but I could be wrong.

This is also the configuration of the interface VLAN VIRTUAL local area network from which we cannot ping inside the interface we can ping to and since this VLAN and machines without problem. The only problem is ping the inside interface of the ASA.

interface Vlanx

IP x.x.x.x 255.255.255.0

IP broadcast directed to 199

IP accounting output-packets

IP pim sparse - dense mode

route IP cache flow

load-interval 30

Has anyone experiences the problem like this before? Thanks in advance for any help.

Can you post the output of the following on the ASA:-

display the route

And the output of your base layer diverter: -.

show ip route<>

HTH >

PIX515E: Cannot ping interfaces

Hi all

I ' v has just got a new PIX 515E, 6 interfaces, Version 6.3 (5).

I can't focus on any task with my PIX because the simplest operation is impossible: I cannot ping inside interface or PIX any host belonging to e same subnet. Interface is up and running, connected directly to a switch, icmp is to allow the inside...

Please, could someone of you give me a help?

Concerning

Alberto Brivio

Make sure the PIX is not a license to "failover". You will not be able to ping to this type of box until you activate failover.

cannot ping in dmz subnet from inside the subnet

Hey guys

can someone pls take a look at this config in my 515 and tell me why I can't ping from host 10.2.1.20 (connected inside interface) to host (connected to the dmx interface) 10.3.1.20...

Thanks ;)

6.3 (3) version PIX

interface ethernet0 car

interface ethernet1 100full

stop 100full interface ethernet2

interface ethernet3 100full

stop 100full interface ethernet4

interface ethernet5 100full

ethernet0 nameif outside security0

nameif ethernet1 inside the security100

ethernet2 intf2 security2 nameif

nameif ethernet3 intf3 interieure4

nameif ethernet4 intf4 securite6

nameif dmz security50 ethernet5

enable password xxxx

passwd xxxx

hostname MYHOSTNAME

domain MYDOMAINNAME.local

fixup protocol dns-length maximum 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol 2000 skinny

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names of

inside_access_in ip access list allow a whole

pager lines 24

Outside 1500 MTU

Within 1500 MTU

intf2 MTU 1500

intf3 MTU 1500

intf4 MTU 1500

MTU 1500 dmz

IP address outside 61.29.xxx.xxx 255.255.255.248

IP address inside 10.2.1.11 255.255.255.0

No intf2 ip address

No intf3 ip address

No intf4 ip address

10.3.1.11 dmz IP address 255.255.255.0

alarm action IP verification of information

alarm action attack IP audit

no failover

failover timeout 0:00:00

failover poll 15

No IP failover outdoors

No IP failover inside

no failover ip address intf2

no failover ip address intf3

no failover ip address intf4

no failover ip address dmz

history of PDM activate

ARP timeout 14400

Global interface 10 (external)

NAT (inside) 10 0.0.0.0 0.0.0.0 0 0

NAT (dmz) 10 10.3.1.0 255.255.255.0 0 0

static (inside, dmz) 10.2.1.0 10.2.1.0 netmask 255.255.255.0 0 0

inside_access_in access to the interface inside group

Route outside 0.0.0.0 0.0.0.0 61.29.xxx.xxx 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225

H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00

Timeout, uauth 0:05:00 absolute

GANYMEDE + Protocol Ganymede + AAA-server

RADIUS Protocol RADIUS AAA server

AAA-server local LOCAL Protocol

Enable http server

http 10.2.1.0 255.255.255.0 inside

No snmp server location

No snmp Server contact

SNMP-Server Community public

SNMP-Server enable traps

enable floodguard

Telnet timeout 5

SSH timeout 5

Console timeout 0

Terminal width 80

Thanks again

Rob

ICMP is not a stateful Protocol, so you must explicitly allow ICMP traffic on the DMZ interface. Try adding the following:

access-list dmz_access_in allow icmp a whole

Access-group dmz_access_in in dmz interface

I hope this helps.

Scott

Cisco 5505, inside, I cannot ping the external IP of the router, but inside I can ping anything else

Hello

5505 Cisco's internal IP: 10.10.0.1 static, securty level 100

External IP of Cisco 5505: 36.X.X.23 Dhcp, 0 security level

of within peut all host external example ping by host 10.10.0.3 to google.com

inside peut ping all domestic example of the host, host 10.10.0.3 to 10.10.0.5 included the internal IP of Cisco 10.10.0.1

inside peut ping ip network address different on the same network from my router external example the host 36.x.x.25

cannot ping inside the IP 36.X.X.23?

from outside peuvent ping the IP 36.X.X.23

outside peuvent ping different extenal network 36.X.X.X network ip

How can I ping the 36.X.X.23 of the Interior, any suggestions?

It's called background management which is not supported in the ASA

https://Tools.Cisco.com/bugsearch/bug/CSCtd86651

That's why is not and this will never work the ASA design does not

It will be useful.

interface maximum pix 525

Hi all

a question about the PIX-525-UR, the brochure said two 10/100 Fast Ethernet on board and the support of the Gigabit Ethernet, up to eight 10/100 FE or three interfaces Ethernet Gigabit.

http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/PIX/pix_sw/v_63/hig63/525.htm

I understand that we got 3 PCI ports and 2 10/100 onboard, but research on the above page

i've got on the Options of unrestricted Interface

2 4 - port FE, which makes a total of 10 interface.

How can it be possible? It allows to disable two interface?

Then I saw on the forum that the 525 supports a GigE interface (but not at full speed) and that about 1 to 4 FE + 2 GE ports?

What limitation?

Thank you

Patrizio

Q. did you means 'You may 8 interfaces to the maximum on the 525 UR'? (10-total 2 off = 8)

A. that's correct. A 525 UR lights only 8 interfaces in the software. If you add two 4 ports, the last 2 ports on the 2nd map cards will be disabled.

Q. I wondering what kind of constraint on the interface, GigE, example not at full speed, what it means?

A. GigE interface on the PIX runs at full rate. What is meant when people say that a 525 is not a true firewall in concert, it's that the 525 has a flow of about 330 MB/s max, which is clearer than a concert. The 535 is a true firewall in concert because it has a flow of more than 1000 MB/s.

Two interfaces Gig is supported on the 525 and both support the full power of concert on the map. However, there will be delays in passing the packets to the CPU if the PIX is trying to pass more than 330 MB/s or more.

Make a little more sense?

Scott

Cannot ping sub interface from my remote site VPN gateways

I can't ping my gateways to interface my remote vpn connection sub

I can ping 192.6.1.0 network, but can't ping network 192.6.2.0 or 192.6.3.0

When I remote desktop in 192.6.1.20 I can ping all the networks, including gateways to interface sub.

I think that something in my asa is misconfigured or not added

ASA NAT rules:

Exempt NAT Interface: inside

Source 192.6.0.0/16

Destination 192.6.10.96/27

Static NAT interface: inside (it's for the local NAT of E0/0 out)

Source 192.6.1.1/16

Interface translated outside the Destination: 172.35.221.200

Dynamic NAT interface: inside

Source: no

Destination: outside

ASA access rules:

Permit outside

Source: no

Destination: out

Services: udp, tcp, tcp/http

Static routes:

Interface: Outside > network: all outdoors DSL (shows no DSL in the graph)

Some incorrect configuration:

On the ASA:

(1) directions are incorrect, the default should point to the next hop route, that is to say: the internet router: 172.35.221.x, as follows:

Route outside 0.0.0.0 0.0.0.0 172.35.221.x

---> where x must be the router internet ip address.

existing routes need to be removed:

No route outside 0.0.0.0 0.0.0.0 192.298.47.182 255

No route outside 0.0.0.0 0.0.0.0 172.35.209.81 in tunnel

(2) the following declaration of the static NAT is incorrect too and should be removed:

static (inside, outside) USSLTA01_External USSLTA01 netmask 255.255.255.255

--> You can not NAT interface on the SAA itself.

(3) for the SAA within the interface's subnet mask should be 255.255.255.0, no 255.255.0.0. It should be the same as the router interface subnet mask:

interface Ethernet0/1

nameif inside

security-level 100

IP 192.6.1.254 255.255.255.0

(4) on the way to access these sub interfaces subnet on the SAA as follows:

Route inside 192.6.2.0 255.255.255.0 192.6.1.235

Route inside 192.6.3.0 255.255.255.0 192.6.1.235

Route inside 192.6.4.0 255.255.255.0 192.6.1.235

On the router, configure it by default route as follows:

IP route 0.0.0.0 0.0.0.0 192.6.1.254

Cannot ping to Internet

Hello

I am setting up and reconfiguration of a firewall PIX515 with 6.3 software (4) OS PIX.

I cannot ping devices on the Internet from inside interface. There are a few addresses that I can ping if I am outside of the firewall.

Looks like the firewall is not translate correctly on the return package. I can navigate and do other things but not ping.

Here's my nat and global declarations:

# Sh nat Pix1

NAT (inside) 1 10.0.0.0 255.0.0.0 0 0

NAT (dmz) 1 172.xx.xx.0 255.255.255.0 0 0

Pix1 # global HS

Global (outside) 1 6x.xxx.xxx.6 x - 6 x .xxx .xxx. 7 x

Global 1 6x.xxx.xxx.6x (outside)

Global interface (dmz) 1

Here's an abbreviated ICMP trace:

Pix1 debug icmp trace #.

ICMP trace on

WARNING: This can cause problems on busy networks

Pix1 # 1:-inside:10.xx.xx.x ICMP echo request 5-6x.xxx.xxx.1 ID = 512 seq = 89

length 63 = 40

2: ICMP echo request: translation of inside:10.xx.xx.x 5-outside:6 x .xxx .xxx. 6

3:-inside:10.xx.xx.x ICMP echo request 5-6x.xxx.xxx.1 ID = 512 seq = len 9219

GTH = 40

4: ICMP echo request: translation of inside:10.xx.xx.x 5-outside:6 x .xxx .xxx. 6

5:-inside:10.xx.xx.x ICMP echo request 5-6x.xxx.xxx.1 ID = 512 seq = len 9475

GTH = 40

6: ICMP echo request: translation of inside:10.xx.xx.x 5-outside:6 x .xxx .xxx. 6

7: ICMP echo-reply of the outside:6 x .xxx .xxx. 1 to the seq ID = 512 6x.xxx.xxx.6 = the 9475

ngth = 40

8:-inside:10.xx.xx.x ICMP echo request 5-6x.xxx.xxx.1 ID = 512 seq = len 9731

GTH = 40

9: ICMP echo request: translation of inside:10.xx.xx.x 5-outside:6 x .xxx .xxx. 6

Thanks in advance for your help.

Doug.

ICMP is not a protocol with the State, to allow ping trought the PIX, you must add extra lines in your access list on the outside!

See: Handling ICMP Pings with the PIX firewall

http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

The PIX and the traceroute command

http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_tech_note09186a00800e9312.shtml

examples:

Traveroute

Microsoft:

Access-group 101 in external interface

access-list 101 permit icmp any unreachable host YourPublicIP

access-list 101 permit icmp any host YourPublicIP time exceeded

access-list 101 permit icmp any host YourPublicIP echo-reply

UNIX:

Access-group 101 in external interface

access-list 101 permit icmp any unreachable host YourPublicIP

access-list 101 permit icmp any host YourPublicIP time exceeded

ICMP command example

ICMP deny everything outside

ICMP allow any response of echo outdoors

ICMP allow any response echo inside

permit ICMP echo host 192.168.1.30 inside

permit ICMP echo host 192.168.1.31 inside

permit ICMP echo host 192.168.1.20 inside

permit ICMP echo host 192.168.1.40 inside

permit ICMP echo host 192.168.1.100 inside

sincerely

Patrick

Q for PIX-525 spec (failover FE) and the GBIC

Qestion for PIX-525 spec.

1 PIX-525-UR-GE-BUN(2GE + 2FE). I want to use 2GE as inside and outside interface and failover FE. I found a doc who must use the GE model 535 failover. Is it supports statefull failover FE model 525?

2 PIX-1GE-66 map PIX 525, is the built in card GBIC interface, or do I module GBIC order (ex, WS-G5484) to put into the card?

Thank you

1. the restriction on the use of a dynamic rollover interface that corresponds to the fastest interface on the PIX is the PIX 535. The PIX 525 cannot switch the line traffic GE rate if this restriction is lifted on the 525 platform. You can use a link FE on a PIX 525 as the dynamic link even if you have GE links as other interfaces.

2. the GE on the PIX interface card contains a multimode SC connector. No GBIC not necessary... just of cables.

I hope this helps.

Scott

Allowing ICMP and Telnet via a PIX 525

We are trying to build a new block of distribution to our backbone WAN. We are experiencing a problem when establishing ICMP and Telnet via the PIX. The following is known:

1 Ping and telnet to the 6509 and internal network works very well for the PIX.

2 Ping the 7206 for the PIX works just fine.

3 debug normal to see activity track ICMP for connections ICMP for the PIX of the network 6509 and internal; However, the debug shows nothing - no activity - during attempts to ping at a.b.5.18. (see below).

In short, all connections seem to be fine between the three devices, however, we can get ICMP and Telnet work correctly through the PIX.

The layout is:

6509 (MSFC) - PIX 525-7206

IP:a.b.5.1 - a.b.5.2 a.b.5.17 - a.b.5.18

255.255.255.0 255.255.255.240 255.255.255.240

(both)

networks: a.b.5.0 a.b.5.16

255.255.255.240 255.255.255.240

6509:

interface VlanX

Description newwan-bb

IP address a.b.5.1 255.255.255.0

no ip redirection

router ospf

Log-adjacency-changes

redistribute static subnets metric 50 metric-type 1

passive-interface default

no passive-interface Vlan9

((other networks omitted))

network a.b.5.0 0.0.0.255 area 0

default information are created

PIX 525:

ethernet0 nameif outside security0

nameif ethernet1 inside the security100

nameif ethernet2 security10 failover

hostname XXXXXX

domain XXX.com

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol 2000 skinny

names of

access ip-list 102 permit a whole

access-list 102 permit icmp any one

access-list 102 permit icmp any any echo

access-list 102 permit icmp any any echo response

access-list 102 permit icmp any any source-quench

access-list 102 permit everything all unreachable icmp

access-list 102 permit icmp any one time exceed

103 ip access list allow a whole

access-list 103 allow icmp a whole

access-list 103 permit icmp any any echo

access-list 103 permit icmp any any echo response

access-list 103 permit icmp any any source-quench

access-list 103 allow all unreachable icmp

access-list 103 allow icmp all once exceed

pager lines 24

opening of session

timestamp of the record

logging buffered stored notifications

interface ethernet0 100full

interface ethernet1 100full

interface ethernet2 100full

Outside 1500 MTU

Within 1500 MTU

failover of MTU 1500

IP address outside a.b.5.17 255.255.255.240

IP address inside a.b.5.2 255.255.255.240

failover from IP 192.168.230.1 255.255.255.252

alarm action IP verification of information

alarm action attack IP audit

history of PDM activate

ARP timeout 14400

Global 1 interface (outside)

NAT (inside) 1 0.0.0.0 0.0.0.0 0 0

Access-group 103 in external interface

Route outside 0.0.0.0 0.0.0.0 a.b.5.18 1

Route inside a.0.0.0 255.0.0.0 a.b.5.1 1

Inside a.b.0.0 255.240.0.0 route a.b.5.1 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0: 10:00 udp 0:02:00 CPP 0: h323 from 10:00 0:05:00 sip 0:30:00 sip_media 0:02:00

Timeout, uauth 0:05:00 absolute

GANYMEDE + Protocol Ganymede + AAA-server

RADIUS Protocol RADIUS AAA server

No snmp server location

No snmp Server contact

SNMP-Server Community public

No trap to activate snmp Server

enable floodguard

No sysopt route dnat

Telnet a.0.0.0 255.0.0.0 outdoors

Telnet a.0.0.0 255.0.0.0 inside

Telnet a.b.0.0 255.240.0.0 inside

Telnet a.b.5.18 255.255.255.255 inside

Telnet timeout 5

SSH timeout 5

Terminal width 80

Recognizing any help on proper routing through a PIX 525, given that all this is for a network internal.

on the 6509, why the int has a 24 subnet mask, when everything has a 28? If you try the 6500 ping.18, he thinks that it is on a local network, and there no need to route through the pix

Your access lists are confusing.

access-list # ip allowed any one should let through, and so everything that follows are redundant statements.

for the test,.

alloweverything ip access list allow a whole

Access-group alloweverything in interface outside

should the pix act as a router - you are effectively disabling all firewall features.

Cannot Ping PIX 525 inside interface

Similar Questions

Maybe you are looking for