Cannot Ping from Outside to PIX inside host

Posted on 2006-04-07
Last Modified: 2013-11-16
I have a PIX 501.... outside interface is connected to a Cisco 2600 Series Router.... Problem is that I can ping from the inside host to the 2600 router but cannot from the router to the inside host.
Here is my configuration:

interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname austinpix
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521

fixup protocol tftp 69
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host eq www
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm location inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1
nat (inside) 1 0 0
static (inside,outside) netmask 0 0
access-group 100 in interface outside
route outside 1

timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet inside
telnet timeout 60
ssh timeout 5
console timeout 0

Question by: d00103732
    LVL 25

    Accepted Solution

    I take it you're trying to ping which is (which is a public IP btw; is it a typo)
    you are not allowing echo-requests thru the outside interface
    access-list 100 permit icmp any any echo-request

    and it should work
    LVL 25

    Expert Comment

    of course you should be more specific with incoming echo requests so it should be this actually
    access-list 100 permit icmp any echo-request
    LVL 20

    Assisted Solution

    Cyclops3590 is right: 172.168.x.x falls within the public IP space. Is this a typo or is that what your inside LAN is?  If you intended to use private IPs on the inside (would make sense since you're NAT'ing the 172.168.1.x subnet to the outside), you'll instead want to use IPs somewhere in this range: 172.16.x.x - 172.31.x.x

    Actually what you'll want for the ACL is:
       access-list 100 permit icmp any host echo
    And re-apply the ACL to ensure the change takes effect:
       access-group 100 in interface outside

    Also, make sure your 2600 isn't blocking inbound pings to this IP if you want to ping this server globally.

    LVL 25

    Expert Comment

    really?  I've never re-applied an ACL after making changes and they always seem to take effect immediately.
    also, calvinetter, thanks for correcting me on the echo part
    LVL 20

    Expert Comment

    hi there Cyclops3590!  Yeah, usually modifying an ACL is ok, but I've found that re-applying an ACL is the sure way to have it take effect & a good habit to be in (especially when dealing with older buggy PIX versions).  No problem... there's a whole *lot* of syntax to try & keep straight - routers, PIXes, switches, etc... often I'll either log in to my own boxes or jump on Cisco's website for specifics.  ;)
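A small checker, added here as an illustration and not code from the thread, that walks a PIX-style ACL the way the firewall does (first matching entry wins, implicit deny at the end) and shows why the original access-list 100 drops inbound echo-requests while the one with calvinetter's "echo" line permits them; it also checks the 172.168.x.x vs 172.16.x.x point. The inside host address 172.16.1.10 is an assumed placeholder because the thread's addresses were stripped.

```python
import ipaddress
import re

# Constructed sample ACLs (not the poster's exact lines: the inside host
# address was stripped from the thread, so 172.16.1.10 is an assumed placeholder).
ORIGINAL_ACL = """\
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host 172.16.1.10 eq www
"""
# The entry recommended in the thread, appended to the same ACL.
FIXED_ACL = ORIGINAL_ACL + "access-list 100 permit icmp any host 172.16.1.10 echo\n"

ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)"
    r"\s+(?P<src>any|host\s+\S+)\s+(?P<dst>any|host\s+\S+)(?:\s+(?P<rest>.+))?$"
)

def _matches_addr(spec: str, ip: str) -> bool:
    """'any' matches everything; 'host X' matches only X."""
    return spec == "any" or spec.split()[1] == ip

def icmp_permitted(acl_text: str, acl_name: str, dst_ip: str, icmp_type: str) -> bool:
    """Evaluate an inbound ICMP packet of the given type to dst_ip against
    the named ACL: top-down, first match wins, implicit deny at the end."""
    for line in acl_text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m or m["name"] != acl_name or m["proto"] != "icmp":
            continue
        if not _matches_addr(m["dst"], dst_ip):
            continue
        # An ICMP entry without a type keyword matches every ICMP type.
        if m["rest"] is not None and m["rest"] != icmp_type:
            continue
        return m["action"] == "permit"
    return False  # nothing matched: implicit deny

def is_rfc1918(network: str) -> bool:
    """True only for the private ranges (10/8, 172.16/12, 192.168/16)."""
    return ipaddress.ip_network(network, strict=False).is_private

if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        print(label, "inbound echo permitted:",
              icmp_permitted(acl, "100", "172.16.1.10", "echo"))
    print("172.168.1.0/24 private:", is_rfc1918("172.168.1.0/24"))
```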
