Cannot Ping from Outside to PIX inside host

I have a PIX 501.... outside interface is connected to a Cisco 2600 Series Router.... Problem is that I can ping from the inside host to the 2600 router but cannot from the router to the inside host.
Here is my configuration:

interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname austinpix
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host 204.69.198.3 eq www
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 204.69.198.2 255.255.255.0
ip address inside 172.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 172.168.1.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 204.69.198.10-204.69.198.20
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 204.69.198.3 172.168.1.2 netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 204.69.198.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 172.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 172.168.1.0 255.255.255.0 inside
telnet timeout 60
ssh timeout 5
console timeout 0

d00103732 Asked:

Cyclops3590 Commented:
I take it you're trying to ping 204.69.198.3 which is 172.168.1.2 (which is a public IP btw; is it a typo)
you are not allowing echo-requests thru the outside interface
add
access-list 100 permit icmp any any echo-request

and it should work

Cyclops3590 Commented:
of course you should be more specific with incoming echo requests so it should be this actually
access-list 100 permit icmp any 204.69.198.3 echo-request
calvinetter Commented:
Cyclops3590 is right: 172.168.x.x falls within the public IP space. Is this a typo or is that what your inside LAN is?  If you intended to use private IPs on the inside (would make sense since you're NAT'ing the 172.168.1.x subnet to the outside), you'll instead want to use IPs somewhere in this range: 172.16.x.x - 172.31.x.x

Actually what you'll want for the ACL is:
   access-list 100 permit icmp any host 204.69.198.3 echo
And re-apply the ACL to ensure the change takes effect:
   access-group 100 in interface outside

Also, make sure your 2600 isn't blocking inbound pings to this IP if you want to ping this server globally.

cheers
Cyclops3590 Commented:
really?  I've never re-applied an ACL after making changes and they always seem to take effect immediately.
also, calvinetter, thanks for correcting me on the echo part
calvinetter Commented:
hi there Cyclops3590!  Yeah, usually modifying an ACL is ok, but I've found that re-applying an ACL is the sure way to have it take effect & a good habit to be in (especially when dealing with older buggy PIX versions).  No problem... there's a whole *lot* of syntax to try & keep straight - routers, PIXes, switches, etc... often I'll either login to my own boxes or jump on Cisco's website for specifics.  ;)

cheers
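
Added example (not part of the original thread, and not Cisco code): a small offline audit of the posted configuration covering the two points raised in the answers above, namely that ACL 100 has no ICMP echo entry for 204.69.198.3 and that 172.168.1.x is not private address space. The function names are hypothetical, the parser handles only the ACL forms seen on this page, and it assumes first-match evaluation with an implicit deny and the `echo` keyword from calvinetter's answer.

```python
import ipaddress

# Constructed sample: the relevant lines copied from the configuration in the question.
CONFIG = """\
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host 204.69.198.3 eq www
ip address inside 172.168.1.1 255.255.255.0
static (inside,outside) 204.69.198.3 172.168.1.2 netmask 255.255.255.255 0 0
access-group 100 in interface outside
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)

def _match(tokens, addr):
    """Consume one address spec ('any', 'host A' or 'A MASK'); return (matched, rest)."""
    if not tokens:
        return False, []
    if tokens[0] == "any":
        return True, tokens[1:]
    if tokens[0] == "host":
        return tokens[1] == addr, tokens[2:]
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)  # subnet mask form
    return ipaddress.ip_address(addr) in net, tokens[2:]

def icmp_allowed(config, acl, src, dst, icmp_type):
    """Walk the ICMP entries of one ACL in order; no matching entry means deny."""
    for line in config.splitlines():
        t = line.split()
        if t[:2] != ["access-list", acl] or len(t) < 5 or t[3] != "icmp":
            continue
        src_ok, rest = _match(t[4:], src)
        dst_ok, rest = _match(rest, dst)
        type_ok = not rest or rest[0] == icmp_type  # no type keyword: any ICMP type
        if src_ok and dst_ok and type_ok:
            return t[2] == "permit"
    return False

def public_inside_hosts(config):
    """Real (inside) addresses of static mappings that fall outside RFC 1918 space."""
    statics = [l.split() for l in config.splitlines() if l.startswith("static (inside,outside)")]
    return [t[3] for t in statics if not is_rfc1918(t[3])]
```

Appending the host-specific `echo` entry to CONFIG makes icmp_allowed return True for 204.69.198.3 only, while public_inside_hosts still reports 172.168.1.2 until the inside LAN is renumbered.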