[cisco PIX 515e] problem ping from inside to outside

Hi everybody,

I have to configure a cisco PIX 515e

There are three interfaces

-Outside
-Inside
-DMZ (not yet configured)

For the moment, I just want to be able to ping Internet IPs from the hosts on my Inside interface.

Here is my configuration. What is it missing?

interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
.
.
fixup protocol tftp 69
names
access-list ping_acl permit icmp any any
pager lines 24
ip address outside xx.xxx.xx.2 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.3.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) 192.168.1.0 xx.xxx.xx.0 netmask 255.255.255.224 0 0
access-group ping_acl in interface inside
route outside 0.0.0.0 0.0.0.0 xx.xxx.xx.1 1


THANK YOU FOR YOUR HELP!!!
  1. shouldn't this line:
    access-list ping_acl permit icmp any any

    be:
    access-list allow_ping permit icmp any any

    Maybe it is different in the newer PIX os versions but I seem to recall it being allow_ping instead of ping_acl.
  2. You need to have an access-list on the outside interface that allows the ICMP replies to come back into your network:

    You can use the same..

    access-group ping_acl in interface outside
  3. I see that you have not given the global command.

    This is needed for the inside traffic to be routed to the Internet.

    add it and let me know how it goes.
  4. global (outside) 1 interface
  5. Hi,

    It is quite simple.

    Steps are like this.

    (1) Just create an access-list permitting the IP traffic to go outside.

    (2) Next you need to enable ICMP echo-reply inbound on your outside interface.

    In your configuration, it would be:

    # access-list ping_acl permit ip any any
    # access-group ping_acl in interface outside

    It will work.

    Or, if you want to enable ping for a single computer, you can replace the first command with

    # access-list ping_acl permit ip 192.168.1.77 255.255.255.255 any

    where 192.168.1.77 is the IP of the computer.


    Also in your configuration

    remove the line

    # static (inside,outside) 192.168.1.0 xx.xxx.xx.0 netmask 255.255.255.224 0 0

    and add

    # global (outside) 1 interface

    where all your internal hosts use the outside interface address to access the external Internet. This is the right way for that configuration.


    Regards,

    Jojes
  6. I have a similar problem with the PIX. I want to ping an Internet address from the DMZ or inside Ethernet interfaces, but not from the PIX itself. Can anyone help me?

    What is wrong?

    PIXIT# sh conf
    : Saved
    : Written by enable_15 at 22:10:06.994 UTC Thu Jun 15 2006
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmz security4
    enable password XXXXXXXXX encrypted
    passwd XXXXXXXX encrypted
    hostname PIXIT
    domain-name mydomain.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 0.0.0.0 lan
    access-list inside_access_in permit ip interface inside interface dmz
    access-list inside_access_in permit icmp interface inside interface dmz
    access-list inside_access_in permit udp interface inside interface dmz
    access-list inside_access_in permit tcp interface inside interface dmz
    access-list dmz_access_in permit tcp interface dmz interface inside
    access-list dmz_access_in permit udp interface dmz interface inside
    access-list dmz_access_in permit icmp interface dmz interface inside
    access-list dmz_access_in permit ip interface dmz interface inside
    access-list ping_acl permit ip any any
    access-list ping_acl permit icmp any any
    access-list allow_ping permit icmp any any
    pager lines 24
    logging on
    logging standby
    icmp permit any outside
    icmp permit any inside
    icmp permit any dmz
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    ip address outside IPINTERNET 255.255.255.224
    ip address inside 10.4.1.4 255.255.0.0
    ip address dmz 192.168.1.11 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location 10.5.0.0 255.255.0.0 inside
    pdm location 10.0.0.0 255.255.0.0 inside
    pdm location 192.168.0.0 255.255.0.0 inside
    pdm history enable
    arp timeout 14400
    global (outside) 10 interface
    global (dmz) 5 interface
    static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.0.0 0 0
    static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.255.0.0 0 0
    access-group ping_acl in interface outside
    access-group inside_access_in in interface inside
    access-group dmz_access_in in interface dmz
    rip outside default version 1
    rip inside default version 1
    rip dmz default version 1
    route outside lan lan 200.49.11.193 1
    route inside 10.5.0.0 255.255.0.0 10.4.1.3 1
    route inside 192.168.0.0 255.255.0.0 10.4.1.4 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa authentication enable console LOCAL
    aaa authentication serial console LOCAL
    aaa authentication telnet console LOCAL
    http server enable
    http 10.4.0.0 255.255.0.0 inside
    http 192.168.1.0 255.255.255.0 dmz
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet 10.4.0.0 255.255.0.0 inside
    telnet 192.168.1.0 255.255.255.0 dmz
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    username leon password XXXXXXX encrypted privilege 15
    username polo password XXXXXXXXX encrypted privilege 15
    terminal width 80
    Cryptochecksum:4b08d8a59341c000a19b69cdc73e9fb8
  7. Simple..

    In your access list "ping_acl", just permit icmp echo-reply.

    The command will be like this:


    access-list ping_acl permit icmp any any echo-reply

    It should work.

    Regards,

    Jojes
  8. PIXTPS(config)# access-list ping_acl permit icmp any any echo-reply
    PIXTPS(config)# write mem
    Building configuration...
    Cryptochecksum: bb3fd072 43a74908 55efe67c 19df1a77
    [OK]
    PIXTPS(config)# ping inside 192.168.1.5
    192.168.1.5 NO response received -- 1000ms
    192.168.1.5 NO response received -- 1000ms
    192.168.1.5 NO response received -- 1000ms
    PIXTPS(config)# ping inside 192.168.1.5
    192.168.1.5 NO response received -- 1000ms
    192.168.1.5 NO response received -- 1000ms
    192.168.1.5 NO response received -- 1000ms
    PIXTPS(config)#

    :((( doesn't work
  9. Oh.. you want to ping your local internal address only.

    For this you need to enable Network Address Translation (NAT) for the respective address, whether it is on the inside or DMZ interface, using a different NAT ID for each.
  10. Can you tell me how to do it?

    Thanks
  11. Quote:
    You need to have an access-list on the outside interface that allows the ICMP replies to come back into your network:

    You can use the same..

    access-group ping_acl in interface outside


    I have to configure a PIX 515E. I know nothing about it. Can anyone help me out with the configuration commands, and with how to deny access to the Internet or outside interface for a range of IP addresses in the internal network?
  12. Quote:

    static (inside,outside) 192.168.1.0 xx.xxx.xx.0 netmask 255.255.255.224 0 0

    Since 192.168.1.0 is your internal IP address, the format of the static mapping is like this:
    static (inside,outside) xx.xxx.xx.0 192.168.1.0 netmask 255.255.255.224 0 0
  13. I'm studying...
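Putting the advice from answers 5, 9 and 12 together, here is a minimal PIX 6.3 fragment that replaces the original poster's nat/static/access-list/access-group/route lines so that inside hosts can ping the Internet. This is an added example, not any poster's configuration: the placeholders xx.xxx.xx.2 and xx.xxx.xx.1 stand in for the real public addresses exactly as in the thread, the ACL names inside_in and outside_in are made up, and the comment lines use the PIX ":" convention. It goes one step beyond the thread by also permitting the unreachable and time-exceeded ICMP types, which PMTU discovery and traceroute depend on. Two points worth knowing: PIX 6.3 does not track ICMP statefully, so echo-replies have to be let back in through an access-list on the outside interface, and the `static` command takes the mapped (outside) address first and the real (inside) address second, which is why the poster's reversed static and the identity static of a private 10.0.0.0 range to the outside in answer 6 both fail to produce a routable source address.

```text
: Added example, not the original poster's config.
: --- Address translation: PAT every inside host behind the outside interface
: address. The NAT ID (1 here) must match on the nat and global lines.
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
global (outside) 1 interface
: Do NOT keep the reversed "static (inside,outside) 192.168.1.0 xx.xxx.xx.0 ..."
: line; a static overrides nat/global for the addresses it covers. If a static
: is wanted, the order is: static (inside,outside) <mapped_public_ip> <real_inside_ip>
:
: --- Outbound: inside (security100) to outside (security0) is allowed without an
: ACL. Once an ACL is bound to inside, everything not listed is denied, so list
: what you actually want to let out.
access-list inside_in permit icmp 192.168.1.0 255.255.255.0 any echo
access-group inside_in in interface inside
:
: --- Inbound: PIX 6.3 does not inspect ICMP statefully, so the replies must be
: permitted explicitly. Permit only the reply types, never "permit ip any any"
: on the outside interface, which would expose every inside host.
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any unreachable
access-list outside_in permit icmp any any time-exceeded
access-group outside_in in interface outside
:
: --- Default route toward the ISP gateway.
route outside 0.0.0.0 0.0.0.0 xx.xxx.xx.1 1
:
: --- Note: "icmp permit any outside" (as used in answer 6) only governs pings
: addressed to the PIX's own interface; it has no effect on traffic passing through.
```

After applying it, ping an Internet address from an inside host, then run `show xlate` on the PIX to confirm a PAT entry for that host appeared and `show access-list outside_in` to see the echo-reply line's hit count increase; a growing hit count on inside_in with none on outside_in points at the ISP side (wrong gateway or no route back to xx.xxx.xx.2) rather than at the firewall.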