[cisco PIX 515e] problem ping from inside to outside

gondek

May 4, 2006
Hi everybody,

I have to configure a cisco PIX 515e

There are three interfaces

-Outside
-Inside
-DMZ (not yet configured)

For the moment, I just want to be able to ping internet IP from the hosts of my Inside interface.

Here is my configuration!!! What is missing???

interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
.
.
fixup protocol tftp 69
names
access-list ping_acl permit icmp any any
pager lines 24
ip address outside xx.xxx.xx.2 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.3.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) 192.168.1.0 xx.xxx.xx.0 netmask 255.255.255.224 0 0
access-group ping_acl in interface inside
route outside 0.0.0.0 0.0.0.0 xx.xxx.xx.1 1




THANK YOU FOR YOUR HELP!!!
 

folken

Sep 15, 2002
shouldn't this line:
access-list ping_acl permit icmp any any

be:
access-list allow_ping permit icmp any any

Maybe it is different in the newer PIX OS versions, but I seem to recall it being allow_ping instead of ping_acl.
 

pacman99

Jan 11, 2006
You need to have an access-list on the outside interface that allows the ICMP replies to come back into your network:

You can use the same..

access-group ping_acl in interface outside
 

keshav

Jun 1, 2006
I see that you have not given the global command.

This is needed for the inside traffic to be routed to the internet.

Add it and let me know how it goes.
 

Jojes

Jun 5, 2006
Hi,

It is quite simple.

Steps are like this.

(1) Just create an access-list for permitting the IP to go outside.

(2) Next step is you need to enable ICMP echo-reply Inbound in your outside interface.

In your configuration, it would be:

# access-list ping_acl permit ip any any
# access-group ping_acl in interface outside

It will work..

or if you want to enable ping for a single computer, you can replace the first command with

# access-list ping_acl permit ip 192.168.1.77 255.255.255.255 any

where 192.168.1.77 is the ip of the computer.


Also in your configuration

remove the line

# static (inside,outside) 192.168.1.0 xx.xxx.xx.0 netmask 255.255.255.224 0 0

and add

# global (outside) 1 interface

where all your internal hosts use the outside interface address to access the external internet. This is the right way for that configuration.


Regards,

Jojes
 

agarriz

Jun 16, 2006
I have a similar problem with the PIX. I want to ping an Internet address from the eth of dmz or inside, but not from the PIX itself. Can you help me?

What is wrong??

PIXIT# sh conf
: Saved
: Written by enable_15 at 22:10:06.994 UTC Thu Jun 15 2006
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security4
enable password XXXXXXXXX encrypted
passwd XXXXXXXX encrypted
hostname PIXIT
domain-name mydomain.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 0.0.0.0 lan
access-list inside_access_in permit ip interface inside interface dmz
access-list inside_access_in permit icmp interface inside interface dmz
access-list inside_access_in permit udp interface inside interface dmz
access-list inside_access_in permit tcp interface inside interface dmz
access-list dmz_access_in permit tcp interface dmz interface inside
access-list dmz_access_in permit udp interface dmz interface inside
access-list dmz_access_in permit icmp interface dmz interface inside
access-list dmz_access_in permit ip interface dmz interface inside
access-list ping_acl permit ip any any
access-list ping_acl permit icmp any any
access-list allow_ping permit icmp any any
pager lines 24
logging on
logging standby
icmp permit any outside
icmp permit any inside
icmp permit any dmz
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside IPINTERNET 255.255.255.224
ip address inside 10.4.1.4 255.255.0.0
ip address dmz 192.168.1.11 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.5.0.0 255.255.0.0 inside
pdm location 10.0.0.0 255.255.0.0 inside
pdm location 192.168.0.0 255.255.0.0 inside
pdm history enable
arp timeout 14400
global (outside) 10 interface
global (dmz) 5 interface
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.0.0 0 0
static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.255.0.0 0 0
access-group ping_acl in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
rip outside default version 1
rip inside default version 1
rip dmz default version 1
route outside lan lan 200.49.11.193 1
route inside 10.5.0.0 255.255.0.0 10.4.1.3 1
route inside 192.168.0.0 255.255.0.0 10.4.1.4 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.4.0.0 255.255.0.0 inside
http 192.168.1.0 255.255.255.0 dmz
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.4.0.0 255.255.0.0 inside
telnet 192.168.1.0 255.255.255.0 dmz
telnet timeout 5
ssh timeout 5
console timeout 0
username leon password XXXXXXX encrypted privilege 15
username polo password XXXXXXXXX encrypted privilege 15
terminal width 80
Cryptochecksum:4b08d8a59341c000a19b69cdc73e9fb8
 

Jojes

Jun 5, 2006
Simple..

In your access list "ping_acl", just permit icmp echo-reply.

The command will be like this:

access-list ping_acl permit icmp any any echo-reply

It should work.

Regards,

Jojes
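As an added example (not code from any poster in this thread), a small Python linter for PIX 6.x style configs that runs the two checks argued over above: a `nat` ID with no matching `global` (keshav's and Jojes's point), and an access list applied inbound on outside that permits `ip any any` rather than only `icmp ... echo-reply` (the narrower form in this reply). The embedded config is constructed from the original post plus the suggestions in the thread, not a real device export.

```python
from typing import Dict, List

# Constructed sample: gondek's original lines condensed, plus the broad
# 'permit ip any any' variant suggested earlier in the thread.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list ping_acl permit ip any any
access-list safe_acl permit icmp any any echo-reply
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
access-group ping_acl in interface outside
"""

def parse_config(text: str) -> Dict[str, object]:
    """Collect only the statements the thread argues about."""
    cfg = {"acl": {}, "nat": [], "global": set(), "access_group": []}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "access-list" and len(parts) > 2:
            cfg["acl"].setdefault(parts[1], []).append(parts[2:])
        elif parts[0] == "nat" and len(parts) > 2:
            cfg["nat"].append((parts[1].strip("()"), parts[2]))   # (iface, id)
        elif parts[0] == "global" and len(parts) > 2:
            cfg["global"].add(parts[2])                           # nat id
        elif parts[0] == "access-group" and len(parts) >= 5:
            cfg["access_group"].append((parts[1], parts[4]))      # (acl, iface)
    return cfg

def lint(text: str) -> List[str]:
    """Return one finding per problem; an empty list means clean."""
    cfg = parse_config(text)
    findings = []
    # 1. Every nat ID needs a matching global, otherwise outbound
    #    traffic from that pool has no address to be translated to.
    for iface, nat_id in cfg["nat"]:
        if nat_id not in cfg["global"]:
            findings.append(f"nat ({iface}) {nat_id} has no matching global")
    # 2. An ACL applied inbound on outside must not open 'ip any any';
    #    letting echo replies back in only needs the echo-reply entry.
    for acl_name, iface in cfg["access_group"]:
        if iface != "outside":
            continue
        for ace in cfg["acl"].get(acl_name, []):
            if ace[:4] == ["permit", "ip", "any", "any"]:
                findings.append(f"{acl_name} on outside permits ip any any; "
                                "use 'permit icmp any any echo-reply'")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```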
 

agarriz

Jun 16, 2006
PIXTPS(config)# access-list ping_acl permit icmp any any echo-reply
PIXTPS(config)# write mem
Building configuration...
Cryptochecksum: bb3fd072 43a74908 55efe67c 19df1a77
[OK]
PIXTPS(config)# ping inside 192.168.1.5
192.168.1.5 NO response received -- 1000ms
192.168.1.5 NO response received -- 1000ms
192.168.1.5 NO response received -- 1000ms
PIXTPS(config)# ping inside 192.168.1.5
192.168.1.5 NO response received -- 1000ms
192.168.1.5 NO response received -- 1000ms
192.168.1.5 NO response received -- 1000ms
PIXTPS(config)#

:((( it doesn't work
 

Jojes

Jun 5, 2006
Oh.. you want to ping your local internal address only.

For this you need to enable Network Address Translation (NAT) for the respective address, whether it is the inside or DMZ interface, mentioning a different NAT ID.
 

Bujji

Nov 22, 2006
You need to have an access-list on the outside interface that allows the ICMP replies to come back into your network:

You can use the same..

access-group ping_acl in interface outside

I have to configure a PIX 515E. I know nothing about it. Can anyone help me out with the configuration commands, and with how to deny access to the internet or outside interface for a range of IP addresses in the internal network?
 

zillah

Dec 24, 2005
static (inside,outside) 192.168.1.0 xx.xxx.xx.0 netmask 255.255.255.224 0 0
Since 192.168.1.0 is your internal IP address, the format of the static mapping is like this:
static (inside,outside) xx.xxx.xx.0 192.168.1.0 netmask 255.255.255.224 0 0