Cannot Ping PIX 525 inside interface
Hi, I can not ping the interface e1 of a new 525 PIX running V6.35. I configured the address e1 and tried, but I can't ping the laptop connected directly to it, or vice versa... ACL has added to what icmp any an and the IP a whole and applied the e1 interface. Still can not ping... any idea why this is happening?... I'm suspect a hardware problem or cable, the cable must be crossver or directly through... I tired to connect to a switch also but same result... interface e1 is towards the top and to the top and show no problem... nor log shows no info as to why this happens... any suggestion is appreciated.
Thank you
GT
Hello
A single pix failover license does not work like a normal pix, so you can not 'test' with her before connecting. Once that connect you to your primary pix, that it will automatically update the IOS on the unit of failover and reproduce the config, so none of this is required of you before hand. I found this process much easier by using serial failover cable first, once the installation is finished and then in my case, I use the failover LAN based that later, I migrated to. Here's a couple of useful documents that you can review. Your version of the software may require the updated documentation.
http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/PIX/pix_sw/v_63/config/failover.htm#1076500
Tags: Cisco Security
Similar Questions
-
Cisco ezvpn ASAs cannot ping each other inside interfaces
I have a set ezvpn in place with a 5506 (position B) client-side and a 5520 (location A) server-side. I have successfully connected vpn, and traffic flows. My problem is that I can't SSH in the location b. investigate this more than I can not ping is within the interface of the ASA opposing, or the machines inside each ASA ASA.
I found the following links that describes a scenario similar to mine, but nothing on one of them helped me.
http://www.experts-exchange.com/questions/28388142/cannot-ping-ASA-5505-inside-interface-across-VPN.html
https://www.fir3net.com/firewalls/Cisco/Cisco-ASA-proxy-ARP-gotcha.html
https://supportforums.Cisco.com/discussion/11755586/Cisco-ASA-VPN-established-cant-pingI joined sanitized versions of these two configs. Any help is appreciated.
Hi Adam
The site of B I'm not able to see "management of access to inside. Please try to set up the same. He could solve the problem.
Also on the instruction of the ASA takes place nat can you please try to add keywords 'search non-proxy-arp route'.
something like:
nat (inside,outside) source static (Location A)_Networks (Location A)_Networks destination static (location B)-remote_network (location B)-remote_network no-proxy-arp route-lookup
as I have noted problems with inside access to interface via the VPN when those keywords are not applied. If I remember correctly 8.6.x ASA version had a bug regarding the same. Cordially Véronique -
Cannot ping PIX 515e Interfaces
I know it's a very silly question for this forum, but I have already tried many things and cannot get the answer from the PIX firewall interfaces.
It's my (very easy) installation:
Using a FastEthernet port on router, I have a cable connected directly to the outside I / F of the PIX-515e. (Crossover cable works, I have already tested). Router <-->PIX directly connected.
I configured the PIX firewall to allow pings (I used different commands):
ICMP allow any response of echo outdoors
ICMP allow all outside
ICMP permitted
- echo outside response I tried to configure each of them and also combined.
Also tried to send the PIX to its default values. Supposed to be after that the PIX should allow all pings if no "icmp" command is configured.
I have configured the ports on both sides to 100 Full
On both sides of the link (PIX and router) I have the links to the top. The lights are on.
The 'show interest' on the PIX firewall shows to the top/top
The same thing on the router...
The two interfaces are configured in
10.1.1.0/24 (10.1.1.1 & 10.1.1.2)
What I am doing wrong?
This should be very easy...
Hello
Majority of the time interfaces refuses explicitly to ICMP packets unless you indicate otherwise. Here is a link to a pretty good setup guide... Have a look at the link to the ping Security Appliance Interfaces section in this guide. I'm really frustrated myself during the installation/testing phase because the pings are not working and it helped. Hope this helps a little and makes your life easier =) (rate if it please and thank you)
Thank you
Chris
-
Cannot ping ASA inside the interface via VPN
Hello
I have a scenario with tunel VPN between a router and ASA and can ping subnet behind ASA subnet behind the router (and), but I cannot ping the ASA inside the interface on the VPN tunnel. I need to access the remote location ASDM. How can it be done?
Thanks for your suggestions.
Remi
Hello
You must have the 'inside access management' command configured on the SAA.
If you run a 8.3 software or newer on the SAA, should also look at the configuration 'nat' IF the above command solves your problem
-Jouni
-
Site to site VPN tunnel - cannot ping the second interface of the firewall peer inside2
I have two ASA 5505 firewall each with a basic license: FWa and FWb. currently there is a VPN tunnel between them work. I added a second (inside2) interface to the firewall, FWb, but I can't ping firewall FWa, so that I can ping the inside interface of FWa.
I can ping the FWb inside interface 192.168.20.1 from the FWa inside 172.16.1.1 interface, but I can not ping to the 10.52.100.10 of the FWa FWb inside2 interface. I can not ping the gateway host FWa 10.52.100.1.
I show the essential configuration of two firewalls as well as the debug icmp output on the two firewalls that I ping the internal interfaces and of FWa FWb inside2.
=========================================================Here is a skeleton of the FWa configuration:
name 172.16.1.0 network-inside
name 192.168.20.0 HprCnc Thesys
name 10.52.100.0 ring52-network
name 10.53.100.0 ring53-network
name S.S.S.S outside-interfaceinterface Vlan1
nameif inside
security-level 100
IP 172.16.1.1 255.255.255.0
!
interface Vlan2
Description Connection to 777 VLAN to work around static Comast external Modem and IP address.
nameif outside
security-level 0
outside interface IP address 255.255.255.240the DM_INLINE_NETWORK_5 object-group network
network-object HprCnc Thesys 255.255.255.0
ring52-network 255.255.255.0 network-object
ring53-network 255.255.255.0 network-objectthe DM_INLINE_NETWORK_3 object-group network
ring52-network 255.255.255.0 network-object
network-object HprCnc Thesys 255.255.255.0
ring53-network 255.255.255.0 network-objectoutside-interface of the access-list extended permitted Outside_5_cryptomap ip host object-group DM_INLINE_NETWORK_3
inside_nat_outbound list extended access allowed inside-network ip, 255.255.255.0 DM_INLINE_NETWORK_5 object-group
permit access list extended ip host 173.162.149.72 Outside_nat0_outbound aus_asx_uat 255.255.255.0NAT (inside) 0 access-list sheep
NAT (inside) 101-list of access inside_nat_outbound
NAT (inside) 101 0.0.0.0 0.0.0.0
NAT (outside) 0-list of access Outside_nat0_outboundcard crypto VPN 5 corresponds to the address Outside_5_cryptomap
card crypto VPN 5 set pfs Group1
VPN 5 set peer D.D.D.D crypto card
VPN 5 value transform-set VPN crypto card
tunnel-group D.D.D.D type ipsec-l2l
IPSec-attributes tunnel-Group D.D.D.D
pre-shared key *.=========================================================
FWb:
name 10.52.100.0 ring52-network
name 10.53.100.0 ring53-network
name 10.51.100.0 ring51-network
name 10.54.100.0 ring54-networkinterface Vlan1
nameif inside
security-level 100
address 192.168.20.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
address IP D.D.D.D 255.255.255.240
!
interface Vlan52
prior to interface Vlan1
nameif inside2
security-level 100
IP 10.52.100.10 255.255.255.0the DM_INLINE_NETWORK_3 object-group network
ring52-network 255.255.255.0 network-object
ring53-network 255.255.255.0 network-objectthe DM_INLINE_NETWORK_2 object-group network
ring52-network 255.255.255.0 network-object
object-network 192.168.20.0 255.255.255.0
ring53-network 255.255.255.0 network-objectinside_nat0_outbound to access extended list ip 192.168.20.0 allow 255.255.255.0 host S.S.S.S
inside2_nat0_outbound list extended access allowed object-group DM_INLINE_NETWORK_3 S.S.S.S ip hostoutside_1_cryptomap list extended access allowed object-group DM_INLINE_NETWORK_2 S.S.S.S ip host
NAT (inside) 0-list of access inside_nat0_outbound
NAT (inside) 1 0.0.0.0 0.0.0.0
inside2_nat0_outbound (inside2) NAT 0 access list
NAT (inside2) 1 0.0.0.0 0.0.0.0Route inside2 network ring51 255.255.255.0 10.52.100.1 1
Route inside2 network ring53 255.255.255.0 10.52.100.1 1
Route inside2 network ring54 255.255.255.0 10.52.100.1 1card crypto outside_map 1 match address outside_1_cryptomap
card crypto outside_map 1 set pfs Group1
outside_map game 1 card crypto peer S.S.S.S
card crypto outside_map 1 set of transformation-ESP-3DES-SHA
outside_map interface card crypto outsidetunnel-group S.S.S.S type ipsec-l2l
IPSec-attributes tunnel-group S.S.S.S
pre-shared key *.=========================================================================
I'm Tournai on icmp trace debugging on both firewalls and could see the traffic arriving at the inside2 interface, but never return to FWa.Ping Successul FWa inside the interface on FWb
FWa # ping 192.168.20.1
Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 192.168.20.1, time-out is 2 seconds:
Echo request ICMP from outside-interface to 192.168.20.1 ID = 32068 seq = 23510 len = 72
! ICMP echo reply to 192.168.20.1 in outside-interface ID = 32068 seq = 23510 len = 72
....FWb #.
Echo ICMP of S.S.S.S to 192.168.20.1 ID request = 32068 seq = 23510 len = 72
ICMP echo reply 192.168.20.1 S.S.S.S ID = 32068 seq = 23510 len = 72
==============================================================================
Successful ping of Fwa on a host connected to the inside interface on FWbFWa # ping 192.168.20.15
Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 192.168.20.15, wait time is 2 seconds:
Echo request ICMP from outside-interface to 192.168.20.15 ID = seq 50862 = 18608 len = 72
! ICMP echo reply to 192.168.20.15 in outside-interface ID = seq 50862 = 18608 len = 72
...FWb #.
Inside outside:S.S.S.S ICMP echo request: 192.168.20.15 ID = seq 50862 = 18608 len = 72
ICMP echo reply to Interior: 192.168.20.15 outside:S.S.S.S ID = seq 50862 = 18608 len = 72===========================
Unsuccessful ping of FWa to inside2 on FWb interfaceFWa # ping 10.52.100.10
Send 5, echoes ICMP 100 bytes to 10.52.100.10, wait time is 2 seconds:
Echo request ICMP from outside-interface to 10.52.100.10 ID = 19752 seq = 63173 len = 72
? Echo request ICMP from outside-interface to 10.52.100.10 ID = 19752 seq = 63173 len = 72
...FWb #.
10.52.100.10 ID of S.S.S.S ICMP echo request = 19752 seq = 63173 len = 72
10.52.100.10 ID of S.S.S.S ICMP echo request = 19752 seq = 63173 len = 72
....==================================================================================
Unsuccessful ping of Fwa to a host of related UI inside2 on FWb
FWa # ping 10.52.100.1
Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 10.52.100.1, wait time is 2 seconds:
Echo request ICMP from outside-interface to 10.52.100.1 ID = 11842 seq = 15799 len = 72FWb #.
Echo request ICMP outside:S.S.S.S to inside2:10.52.100.1 ID = 11842 seq = 15799 len = 72
Echo request ICMP outside:S.S.S.S to inside2:10.52.100.1 ID = 11842 seq = 15799 len = 72=======================
Thank you
Hi odelaporte2,
Is very probably the "access management" command is not applied in the second inside, only inside primary (see the race management) which will confirm.
This command can be applied to an interface at a time, for example, if the law is now applied to the inside, it can not be applied to the inside2 at the same time.
It may be useful
-Randy-
-
Cannot ping computers on the subnet remote site vpn while to set up
Hi all
I encountered a problem of site to site vpn for ping answered nothing of machines of remote subnet.
the ipsec tunnel is ok but I can ping the ASA distance inside the interface ip
Here is my scenario:
LAN1 - ASA5510 - ASA5505 - LAN2 - ordinateur_distant
LAN1: 192.168.x.0/24
LAN2: 172.25.88.0/24
remote_machine_ip: 172.25.87.30
LAN1 can ping to ASA5505 inside interface (172.25.88.1)
but cannot ping ordinateur_distant (172.25.87.30)
Inside of the interface ASA5505 can ping ordinateur_distant
LAN2 can ASA5510 ping inside the machines on LAN1 and interface
Is there something I missed?
Thanks much for the reply
I don't think it's something you really want to do.
If you PAT the whole subnet to LAN1 ip (192.168.1.0/24) to 172.25.249.1, then LAN2, will not be able to reach the specific host on LAN1, cause now, you represent the LAN1 network, with a single ip address.
So traffic will become a way from LAN1 can reach LAN2 and get the response of LAN2 through the PAT on 172.25.249.1
But LAN2, is no longer specific hosts LAN1 ip traffic, since you only have 172.25.249.1, to represent the subnet to LAN1.
If you still want to PAT the whole subnet to LAN1 (192.168.1.0/24) ip to 172.25.249.1, then you have to do outside the NAT.
http://www.Cisco.com/en/us/customer/docs/security/ASA/asa80/command/reference/no.html#wp1737858
Kind regards
-
ASA 5540 - cannot ping inside the interface
Hi all. We have recently upgraded PIX to ASA5540 and we saw a strange thing going. In a Word, we can ping the inside interface of the ASA from any beach on our 6500 network (which is connected directly behind the ASA on the inside), but one where our monitoring tools are placed. Inside there is an ACL that allows all of our core networks, but it does not help that the interface is really strange.
In the ASDM, I see messages like this:
ID ICMP echo request: 2004 x.x.x.x y.y.y.y on the inside interface to. I don't think that's the problem, but I could be wrong.
This is also the configuration of the interface VLAN VIRTUAL local area network from which we cannot ping inside the interface we can ping to and since this VLAN and machines without problem. The only problem is ping the inside interface of the ASA.
interface Vlanx
IP x.x.x.x 255.255.255.0
IP broadcast directed to 199
IP accounting output-packets
IP pim sparse - dense mode
route IP cache flow
load-interval 30
Has anyone experiences the problem like this before? Thanks in advance for any help.
Can you post the output of the following on the ASA:-
display the route
And the output of your base layer diverter: -.
show ip route<>
HTH >
-
PIX515E: Cannot ping interfaces
Hi all
I ' v has just got a new PIX 515E, 6 interfaces, Version 6.3 (5).
I can't focus on any task with my PIX because the simplest operation is impossible: I cannot ping inside interface or PIX any host belonging to e same subnet. Interface is up and running, connected directly to a switch, icmp is to allow the inside...
Please, could someone of you give me a help?
Concerning
Alberto Brivio
Make sure the PIX is not a license to "failover". You will not be able to ping to this type of box until you activate failover.
-
cannot ping in dmz subnet from inside the subnet
Hey guys
can someone pls take a look at this config in my 515 and tell me why I can't ping from host 10.2.1.20 (connected inside interface) to host (connected to the dmx interface) 10.3.1.20...
Thanks ;)
6.3 (3) version PIX
interface ethernet0 car
interface ethernet1 100full
stop 100full interface ethernet2
interface ethernet3 100full
stop 100full interface ethernet4
interface ethernet5 100full
ethernet0 nameif outside security0
nameif ethernet1 inside the security100
ethernet2 intf2 security2 nameif
nameif ethernet3 intf3 interieure4
nameif ethernet4 intf4 securite6
nameif dmz security50 ethernet5
enable password xxxx
passwd xxxx
hostname MYHOSTNAME
domain MYDOMAINNAME.local
fixup protocol dns-length maximum 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol 2000 skinny
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names of
inside_access_in ip access list allow a whole
pager lines 24
Outside 1500 MTU
Within 1500 MTU
intf2 MTU 1500
intf3 MTU 1500
intf4 MTU 1500
MTU 1500 dmz
IP address outside 61.29.xxx.xxx 255.255.255.248
IP address inside 10.2.1.11 255.255.255.0
No intf2 ip address
No intf3 ip address
No intf4 ip address
10.3.1.11 dmz IP address 255.255.255.0
alarm action IP verification of information
alarm action attack IP audit
no failover
failover timeout 0:00:00
failover poll 15
No IP failover outdoors
No IP failover inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address dmz
history of PDM activate
ARP timeout 14400
Global interface 10 (external)
NAT (inside) 10 0.0.0.0 0.0.0.0 0 0
NAT (dmz) 10 10.3.1.0 255.255.255.0 0 0
static (inside, dmz) 10.2.1.0 10.2.1.0 netmask 255.255.255.0 0 0
inside_access_in access to the interface inside group
Route outside 0.0.0.0 0.0.0.0 61.29.xxx.xxx 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225
H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00
Timeout, uauth 0:05:00 absolute
GANYMEDE + Protocol Ganymede + AAA-server
RADIUS Protocol RADIUS AAA server
AAA-server local LOCAL Protocol
Enable http server
http 10.2.1.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
SNMP-Server Community public
SNMP-Server enable traps
enable floodguard
Telnet timeout 5
SSH timeout 5
Console timeout 0
Terminal width 80
Thanks again
Rob
ICMP is not a stateful Protocol, so you must explicitly allow ICMP traffic on the DMZ interface. Try adding the following:
access-list dmz_access_in allow icmp a whole
Access-group dmz_access_in in dmz interface
I hope this helps.
Scott
-
Hello
5505 Cisco's internal IP: 10.10.0.1 static, securty level 100
External IP of Cisco 5505: 36.X.X.23 Dhcp, 0 security level
of within peut all host external example ping by host 10.10.0.3 to google.com
inside peut ping all domestic example of the host, host 10.10.0.3 to 10.10.0.5 included the internal IP of Cisco 10.10.0.1
inside peut ping ip network address different on the same network from my router external example the host 36.x.x.25
cannot ping inside the IP 36.X.X.23?
from outside peuvent ping the IP 36.X.X.23
outside peuvent ping different extenal network 36.X.X.X network ip
How can I ping the 36.X.X.23 of the Interior, any suggestions?It's called background management which is not supported in the ASA
https://Tools.Cisco.com/bugsearch/bug/CSCtd86651
That's why is not and this will never work the ASA design does not
It will be useful.
-
Hi all
a question about the PIX-525-UR, the brochure said two 10/100 Fast Ethernet on board and the support of the Gigabit Ethernet, up to eight 10/100 FE or three interfaces Ethernet Gigabit.
http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/PIX/pix_sw/v_63/hig63/525.htm
I understand that we got 3 PCI ports and 2 10/100 onboard, but research on the above page
i've got on the Options of unrestricted Interface
2 4 - port FE, which makes a total of 10 interface.
How can it be possible? It allows to disable two interface?
Then I saw on the forum that the 525 supports a GigE interface (but not at full speed) and that about 1 to 4 FE + 2 GE ports?
What limitation?
Thank you
Patrizio
Q. did you means 'You may 8 interfaces to the maximum on the 525 UR'? (10-total 2 off = 8)
A. that's correct. A 525 UR lights only 8 interfaces in the software. If you add two 4 ports, the last 2 ports on the 2nd map cards will be disabled.
Q. I wondering what kind of constraint on the interface, GigE, example not at full speed, what it means?
A. GigE interface on the PIX runs at full rate. What is meant when people say that a 525 is not a true firewall in concert, it's that the 525 has a flow of about 330 MB/s max, which is clearer than a concert. The 535 is a true firewall in concert because it has a flow of more than 1000 MB/s.
Two interfaces Gig is supported on the 525 and both support the full power of concert on the map. However, there will be delays in passing the packets to the CPU if the PIX is trying to pass more than 330 MB/s or more.
Make a little more sense?
Scott
-
Cannot ping sub interface from my remote site VPN gateways
I can't ping my gateways to interface my remote vpn connection sub
I can ping 192.6.1.0 network, but can't ping network 192.6.2.0 or 192.6.3.0
When I remote desktop in 192.6.1.20 I can ping all the networks, including gateways to interface sub.
I think that something in my asa is misconfigured or not added
ASA NAT rules:
Exempt NAT Interface: inside
Source 192.6.0.0/16
Destination 192.6.10.96/27
Static NAT interface: inside (it's for the local NAT of E0/0 out)
Source 192.6.1.1/16
Interface translated outside the Destination: 172.35.221.200
Dynamic NAT interface: inside
Source: no
Destination: outside
ASA access rules:
Permit outside
Source: no
Destination: out
Services: udp, tcp, tcp/http
Static routes:
Interface: Outside > network: all outdoors DSL (shows no DSL in the graph)
Some incorrect configuration:
On the ASA:
(1) directions are incorrect, the default should point to the next hop route, that is to say: the internet router: 172.35.221.x, as follows:
Route outside 0.0.0.0 0.0.0.0 172.35.221.x
---> where x must be the router internet ip address.
existing routes need to be removed:
No route outside 0.0.0.0 0.0.0.0 192.298.47.182 255
No route outside 0.0.0.0 0.0.0.0 172.35.209.81 in tunnel
(2) the following declaration of the static NAT is incorrect too and should be removed:
static (inside, outside) USSLTA01_External USSLTA01 netmask 255.255.255.255
--> You can not NAT interface on the SAA itself.
(3) for the SAA within the interface's subnet mask should be 255.255.255.0, no 255.255.0.0. It should be the same as the router interface subnet mask:
interface Ethernet0/1
nameif inside
security-level 100
IP 192.6.1.254 255.255.255.0
(4) on the way to access these sub interfaces subnet on the SAA as follows:
Route inside 192.6.2.0 255.255.255.0 192.6.1.235
Route inside 192.6.3.0 255.255.255.0 192.6.1.235
Route inside 192.6.4.0 255.255.255.0 192.6.1.235
On the router, configure it by default route as follows:
IP route 0.0.0.0 0.0.0.0 192.6.1.254
-
Hello
I am setting up and reconfiguration of a firewall PIX515 with 6.3 software (4) OS PIX.
I cannot ping devices on the Internet from inside interface. There are a few addresses that I can ping if I am outside of the firewall.
Looks like the firewall is not translate correctly on the return package. I can navigate and do other things but not ping.
Here's my nat and global declarations:
# Sh nat Pix1
NAT (inside) 1 10.0.0.0 255.0.0.0 0 0
NAT (dmz) 1 172.xx.xx.0 255.255.255.0 0 0
Pix1 # global HS
Global (outside) 1 6x.xxx.xxx.6 x - 6 x .xxx .xxx. 7 x
Global 1 6x.xxx.xxx.6x (outside)
Global interface (dmz) 1
Here's an abbreviated ICMP trace:
Pix1 debug icmp trace #.
ICMP trace on
WARNING: This can cause problems on busy networks
Pix1 # 1:-inside:10.xx.xx.x ICMP echo request 5-6x.xxx.xxx.1 ID = 512 seq = 89
length 63 = 40
2: ICMP echo request: translation of inside:10.xx.xx.x 5-outside:6 x .xxx .xxx. 6
3:-inside:10.xx.xx.x ICMP echo request 5-6x.xxx.xxx.1 ID = 512 seq = len 9219
GTH = 40
4: ICMP echo request: translation of inside:10.xx.xx.x 5-outside:6 x .xxx .xxx. 6
5:-inside:10.xx.xx.x ICMP echo request 5-6x.xxx.xxx.1 ID = 512 seq = len 9475
GTH = 40
6: ICMP echo request: translation of inside:10.xx.xx.x 5-outside:6 x .xxx .xxx. 6
7: ICMP echo-reply of the outside:6 x .xxx .xxx. 1 to the seq ID = 512 6x.xxx.xxx.6 = the 9475
ngth = 40
8:-inside:10.xx.xx.x ICMP echo request 5-6x.xxx.xxx.1 ID = 512 seq = len 9731
GTH = 40
9: ICMP echo request: translation of inside:10.xx.xx.x 5-outside:6 x .xxx .xxx. 6
Thanks in advance for your help.
Doug.
ICMP is not a protocol with the State, to allow ping trought the PIX, you must add extra lines in your access list on the outside!
See: Handling ICMP Pings with the PIX firewall
http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
The PIX and the traceroute command
http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_tech_note09186a00800e9312.shtml
examples:
Traveroute
Microsoft:
Access-group 101 in external interface
access-list 101 permit icmp any unreachable host YourPublicIP
access-list 101 permit icmp any host YourPublicIP time exceeded
access-list 101 permit icmp any host YourPublicIP echo-reply
UNIX:
Access-group 101 in external interface
access-list 101 permit icmp any unreachable host YourPublicIP
access-list 101 permit icmp any host YourPublicIP time exceeded
ICMP command example
ICMP deny everything outside
ICMP allow any response of echo outdoors
ICMP allow any response echo inside
permit ICMP echo host 192.168.1.30 inside
permit ICMP echo host 192.168.1.31 inside
permit ICMP echo host 192.168.1.20 inside
permit ICMP echo host 192.168.1.40 inside
permit ICMP echo host 192.168.1.100 inside
sincerely
Patrick
-
Q for PIX-525 spec (failover FE) and the GBIC
Qestion for PIX-525 spec.
1 PIX-525-UR-GE-BUN(2GE + 2FE). I want to use 2GE as inside and outside interface and failover FE. I found a doc who must use the GE model 535 failover. Is it supports statefull failover FE model 525?
2 PIX-1GE-66 map PIX 525, is the built in card GBIC interface, or do I module GBIC order (ex, WS-G5484) to put into the card?
Thank you
1. the restriction on the use of a dynamic rollover interface that corresponds to the fastest interface on the PIX is the PIX 535. The PIX 525 cannot switch the line traffic GE rate if this restriction is lifted on the 525 platform. You can use a link FE on a PIX 525 as the dynamic link even if you have GE links as other interfaces.
2. the GE on the PIX interface card contains a multimode SC connector. No GBIC not necessary... just of cables.
I hope this helps.
Scott
-
Allowing ICMP and Telnet via a PIX 525
We are trying to build a new block of distribution to our backbone WAN. We are experiencing a problem when establishing ICMP and Telnet via the PIX. The following is known:
1 Ping and telnet to the 6509 and internal network works very well for the PIX.
2 Ping the 7206 for the PIX works just fine.
3 debug normal to see activity track ICMP for connections ICMP for the PIX of the network 6509 and internal; However, the debug shows nothing - no activity - during attempts to ping at a.b.5.18. (see below).
In short, all connections seem to be fine between the three devices, however, we can get ICMP and Telnet work correctly through the PIX.
The layout is:
6509 (MSFC) - PIX 525-7206
IP:a.b.5.1 - a.b.5.2 a.b.5.17 - a.b.5.18
255.255.255.0 255.255.255.240 255.255.255.240
(both)
networks: a.b.5.0 a.b.5.16
255.255.255.240 255.255.255.240
6509:
interface VlanX
Description newwan-bb
IP address a.b.5.1 255.255.255.0
no ip redirection
router ospf
Log-adjacency-changes
redistribute static subnets metric 50 metric-type 1
passive-interface default
no passive-interface Vlan9
((other networks omitted))
network a.b.5.0 0.0.0.255 area 0
default information are created
PIX 525:
ethernet0 nameif outside security0
nameif ethernet1 inside the security100
nameif ethernet2 security10 failover
hostname XXXXXX
domain XXX.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol 2000 skinny
names of
access ip-list 102 permit a whole
access-list 102 permit icmp any one
access-list 102 permit icmp any any echo
access-list 102 permit icmp any any echo response
access-list 102 permit icmp any any source-quench
access-list 102 permit everything all unreachable icmp
access-list 102 permit icmp any one time exceed
103 ip access list allow a whole
access-list 103 allow icmp a whole
access-list 103 permit icmp any any echo
access-list 103 permit icmp any any echo response
access-list 103 permit icmp any any source-quench
access-list 103 allow all unreachable icmp
access-list 103 allow icmp all once exceed
pager lines 24
opening of session
timestamp of the record
logging buffered stored notifications
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
Outside 1500 MTU
Within 1500 MTU
failover of MTU 1500
IP address outside a.b.5.17 255.255.255.240
IP address inside a.b.5.2 255.255.255.240
failover from IP 192.168.230.1 255.255.255.252
alarm action IP verification of information
alarm action attack IP audit
history of PDM activate
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 1 0.0.0.0 0.0.0.0 0 0
Access-group 103 in external interface
Route outside 0.0.0.0 0.0.0.0 a.b.5.18 1
Route inside a.0.0.0 255.0.0.0 a.b.5.1 1
Inside a.b.0.0 255.240.0.0 route a.b.5.1 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0: 10:00 udp 0:02:00 CPP 0: h323 from 10:00 0:05:00 sip 0:30:00 sip_media 0:02:00
Timeout, uauth 0:05:00 absolute
GANYMEDE + Protocol Ganymede + AAA-server
RADIUS Protocol RADIUS AAA server
No snmp server location
No snmp Server contact
SNMP-Server Community public
No trap to activate snmp Server
enable floodguard
No sysopt route dnat
Telnet a.0.0.0 255.0.0.0 outdoors
Telnet a.0.0.0 255.0.0.0 inside
Telnet a.b.0.0 255.240.0.0 inside
Telnet a.b.5.18 255.255.255.255 inside
Telnet timeout 5
SSH timeout 5
Terminal width 80
Recognizing any help on proper routing through a PIX 525, given that all this is for a network internal.
on the 6509, why the int has a 24 subnet mask, when everything has a 28? If you try the 6500 ping.18, he thinks that it is on a local network, and there no need to route through the pix
Your access lists are confusing.
access-list # ip allowed any one should let through, and so everything that follows are redundant statements.
for the test,.
alloweverything ip access list allow a whole
Access-group alloweverything in interface outside
should the pix act as a router - you are effectively disabling all firewall features.
Maybe you are looking for
-
Can I import my favorites since acer computer sspire portable samsung S3
Favorites of acer aspire to samsung s3 is possible?
-
Active during songs with Beats Audio volume swings?
I recently took a 15-3033CL Envy. While the audio sounds very good, I'm running a problem with wild volume swings in my music. At first I thought it was my headset on the ear, so some earphones that I tried. The problem seems less pronounced, but
-
Satellite L850-18 t freezes internet browsing + connected over WLan
Hello A few days ago I installed a wireless router at home, and since then I had problems with my computer laptop freeze always when you browse the internet. I could do nothing but just press on and hold the power button to manually stop the laptop.
-
Symantec reports its status in a format Windows is no longer supported. Why?
Symantec reports its status in a format Windows is no longer supported. This used to work properly. This caused a Vista upgrade?
-
any connection, for example?
any connection, for example? I need of connection example and if it is possible with the facebook connect option. Thank you