Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium


Cannot Ping from Outside to PIX inside host

Posted on 2006-04-07
Medium Priority
Last Modified: 2013-11-16
I have a PIX 501.... outside interface is connected to a Cisco 2600 Series Router.... Problem is that I can ping from the inside host to the 2600 router but cannot from the router to the inside host.
Here is my configuration:

interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname austinpix
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521

fixup protocol tftp 69
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host eq www
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm location inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1
nat (inside) 1 0 0
static (inside,outside) netmask 0 0
access-group 100 in interface outside
route outside 1

imeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet inside
telnet timeout 60
ssh timeout 5
console timeout 0

Question by:d00103732
  • 3
  • 2
LVL 25

Accepted Solution

Cyclops3590 earned 500 total points
ID: 16404503
I take it you're trying to ping which is (which is a public IP btw; is it a typo)
you are not allowing echo-requests thru the outside interface
access-list 100 permit icmp any any echo-request

and it should work
LVL 25

Expert Comment

ID: 16404507
of course you should be more specific with incoming echo requests so it should be this actually
access-list 100 permit icmp any echo-request
LVL 20

Assisted Solution

calvinetter earned 500 total points
ID: 16405809
Cyclops3590 is right: 172.168.x.x falls within the public IP space. Is this a typo or is that what your inside LAN is?  If you intended to use private IPs on the inside (would make sense since you're NAT'ing the 172.168.1.x subnet to the outside), you'll instead want to use IPs somewhere in this range: 172.16.x.x - 172.31.x.x

Actually what you'll want for the ACL is:
   access-list 100 permit icmp any host echo
And re-apply the ACL to ensure the change takes effect:
   access-group 100 in interface outside

Also, make sure your 2600 isn't blocking inbound pings to this IP if you want to ping this server globally.

LVL 25

Expert Comment

ID: 16407494
really?  I've never re-applied an ACL after making changes and they always seem to take effect immediately.
also, calvinetter, thanks for correcting me on the echo part
LVL 20

Expert Comment

ID: 16407530
hi there Cyclops3590!  Yeah, usually modifying an ACL is ok, but I've found that re-applying an ACL is the sure way to have it take effect & a good habit to be in (especially when dealing with older buggy PIX versions).  No problem... there's a whole *lot* of syntax to try & keep straight - routers, PIXes, switches, etc... often I'll either login to my own boxes or jump on Cisco's website for specifics.  ;)


Featured Post

IT Degree with Certifications Included

Aspire to become a network administrator, network security analyst, or computer and information systems manager? Make the most of your experience as an IT professional by earning your B.S. in Network Operations and Security.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
In this article, the configuration steps in Zabbix to monitor devices via SNMP will be discussed with some real examples on Cisco Router/Switch, Catalyst Switch, NAS Synology device.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses
Course of the Month13 days, 1 hour left to enroll

580 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question