Testing PIX configuration: inbound traffic

All, once again I'm back. Now I am trying to test my configuration; below is my PIX config for your perusal. I can ping outbound to the internet from all my inside host PCs; what I can't do is ping from the outside to the inside. What is the proper test to verify that end users can access my servers?

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit icmp any any unreachable
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any echo-reply
access-list outside_in permit tcp any host 207.xxxxx.3 eq www
access-list outside_in permit tcp any host 207.xxxxx4 eq www
access-list outside_in permit tcp any host 207.xxxxx.5 eq www
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 207.xxxxxx.2 255.255.255.0
ip address inside 192.xxxxx1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.xxxxx.10 255.255.255.255 inside
pdm location 192.xxxxx.11 255.255.255.255 inside
pdm location 192.xxxxx.25 255.255.255.255 inside
pdm location 192.xxxxx254 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 207.xxxxx15-207.xxxxxx.253
global (outside) 1 207.xxxxxx.254
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 207.xxxxxxxx3 192.xxxxx.25 netmask 255.255.255.255 0 0
static (inside,outside) 207.xxxxxxxx.4 192.xxxxx.10 netmask 255.255.255.255 0 0
static (inside,outside) 207.xxxxxxxx.5 192.xxxxx.11 netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 207.xxxxxx.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.xxxxxxx.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.xxxxxxx.254 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:0d5d38dea3a8eccbb53b947038f26596
: end
[OK]
ramosenAsked:

lrmooreCommented:
>what I can't do is ping from the outside to the inside.
With your access-list permits and your static NAT xlates, you should be able to ping those three IPs that have static statements, but no others, if you add another line to acl 100:
   access-list 100 permit icmp any any echo


>whats is the proper test to verify that end users can access my servers?
Have someone try it, then use 'show access-list' to see the hit counts on each acl line

They can't access them the way you have your acl. Apply access-list outside_in rather than acl 100:
   access-group outside_in in interface outside
0
ramosenAuthor Commented:
Sorry lrmoore, tried your fix but no help, still ping from the outside in.
0
lrmooreCommented:
Did you re-apply the access-list to the interface?

   access-group 100 in interface outside

You are trying this from a host that is actually outside the PIX, right? Not just trying to ping the public IP's from inside the LAN?
0

ramosenAuthor Commented:
I removed the access-list 100 and reapplied the access-list outside_in and also the access-group outside_in,

and had a friend try to ping me from outside my network, from his home.
0
lrmooreCommented:
Did you add the icmp to outside_in?

access-list outside_in permit icmp any any unreachable
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any echo
access-list outside_in permit tcp any host 207.xxxxx.3 eq www
access-list outside_in permit tcp any host 207.xxxxx4 eq www
access-list outside_in permit tcp any host 207.xxxxx.5 eq www
0
ramosenAuthor Commented:
Yes, and still the same problem. Here is a relook at the config after changes:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxx encrypted
passwd xxxxxxxxx encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit tcp any host 207.xxxxxxxx.3 eq www
access-list outside_in permit tcp any host 207.xxxxxxxx.4 eq www
access-list outside_in permit tcp any host 207.xxxxxxxx.5 eq www
access-list outside_in permit icmp any any unreachable
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any time-exceeded
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any unreachable
access-list 100 permit icmp any any time-exceeded
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 207.xxxxxxx.2 255.255.255.0
ip address inside 192.xxxxxxx.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.xxxxxxx.10 255.255.255.255 inside
pdm location 192.xxxxxxx.11 255.255.255.255 inside
pdm location 192.xxxxxxx.25 255.255.255.255 inside
pdm location 192.xxxxxxx.254 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 207.xxxxxx.15-207.xxxxxxxxx.253
global (outside) 1 207.xxxxxxx.254
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 207.xxxxx.3 192.xxxxxxxxx.25 netmask 255.255.255.255 0 0
static (inside,outside) 207.xxxxxxxx.4 192.xxxxxx.10 netmask 255.255.255.255 0 0
static (inside,outside) 207.xxxxxxxx.5 192.xxxxxx.11 netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 207.xxxxxxx.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.xxxxxxxxx.254 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:667d3ed9fa2b64f11d141bdd7b912809
: end
[OK]
0
lrmooreCommented:
You still need to add this:
   access-list outside_in permit icmp any any echo
0
cnewgaardCommented:
You have access-group 100 applied to the outside interface. To allow both pings and access to the web sites (denoted by the access lists and static NATs) you will need to take out the access-group 100 in interface outside and instead put in access-group outside_in in interface outside. That will allow you to do both of the things you are trying to accomplish.
0
lrmooreCommented:
Good catch, cnewgaard.

Going by the asker's previous post, I didn't even look to see which one was still being applied:
>>I remove the access-list 100 and reapplied the access-list ouyside_in and also the access-group outside_in.

Let me break this down for you, ramosen. You must do this - exactly - if you want it to work:
We have merged acl 100 which you defined just for icmp, with the acl "outside_in" which defines your inbound www traffic. I assume that you want both to work:

   access-list outside_in permit tcp any host 207.xxxxxxxx.3 eq www
   access-list outside_in permit tcp any host 207.xxxxxxxx.4 eq www
   access-list outside_in permit tcp any host 207.xxxxxxxx.5 eq www
   access-list outside_in permit icmp any any unreachable
   access-list outside_in permit icmp any any echo-reply
   access-list outside_in permit icmp any any time-exceeded
/-- plus, we have to permit "echo" else nobody on the outside can ping you which is what you are now saying does not work. It will never work until you add this line:
   access-list outside_in permit icmp any any echo

/-- now, remove all references to acl 100:
    no access-list 100
    no access-group 100 in interface outside

/-- now, re-apply the fully merged outside_in acl to the outside interface:
    access-group outside_in in interface outside


0
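As an added example (not from the thread, and not Cisco code), a small Python model of PIX 6.3 first-match ACL evaluation with its implicit deny, run over the two ACLs discussed above. The addresses are constructed stand-ins (203.0.113.x for the masked 207.x hosts, 198.51.100.7 for the outside tester); it shows why binding acl 100 with access-group denies both the echo and the www traffic, while the merged outside_in permits them and still drops everything else.

```python
import ipaddress

ACL_TEXT = """
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any unreachable
access-list 100 permit icmp any any time-exceeded
access-list outside_in permit tcp any host 203.0.113.3 eq www
access-list outside_in permit tcp any host 203.0.113.4 eq www
access-list outside_in permit tcp any host 203.0.113.5 eq www
access-list outside_in permit icmp any any unreachable
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit icmp any any echo
"""  # constructed copy of the thread's ACL lines with 203.0.113.x standing in for the masked hosts

def _addr(tok, i):  # 'any' | 'host A.B.C.D' | 'A.B.C.D MASK' (PIX takes netmasks, not wildcard masks)
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2

def parse_acl(text):  # -> (name, action, proto, src_net, dst_net, qualifier) in configured order
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        src, i = _addr(tok, 4)
        dst, i = _addr(tok, i)
        qual = None
        if tok[3] == "icmp" and len(tok) > i:
            qual = tok[i]                                   # ICMP type keyword (echo, echo-reply, ...)
        elif tok[3] in ("tcp", "udp") and len(tok) > i + 1 and tok[i] == "eq":
            qual = {"www": "80", "http": "80"}.get(tok[i + 1], tok[i + 1])   # destination port
        entries.append((tok[1], tok[2], tok[3], src, dst, qual))
    return entries

def evaluate(entries, applied, proto, src, dst, qual=None):
    """First match wins within the ACL bound to the interface; no match is PIX's implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, action, p, s, d, q in entries:
        if name == applied and p in ("ip", proto) and src in s and dst in d and (q is None or q == qual):
            return action
    return "deny"

def inbound_results(applied, outside_host="198.51.100.7"):
    """Constructed inbound packets: a ping, a web request and an SSH attempt to the static-NAT hosts."""
    acl = parse_acl(ACL_TEXT)
    return {"ping .3": evaluate(acl, applied, "icmp", outside_host, "203.0.113.3", "echo"),
            "www .4": evaluate(acl, applied, "tcp", outside_host, "203.0.113.4", "80"),
            "ssh .5": evaluate(acl, applied, "tcp", outside_host, "203.0.113.5", "22")}
```

Calling inbound_results("100") versus inbound_results("outside_in") reproduces the two states of the thread: with acl 100 bound, the ping and the web request are both dropped; with the merged outside_in bound, both are permitted and the SSH attempt still falls through to the implicit deny.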

ramosenAuthor Commented:
Thanks lrmoore, it's up and running.
0