Avatar of rreddell

asked on

Can not access a public IP from inside our Firewall (Pix 506e)

We have a remote time clock that has a public IP address. I can ping the IP address when I am inside the firewall using the ping cmd.. (Pix 506e)  but I cannot ping/access the IP from inside the network.

I can access everything else, just not this block of IPs..

Since I can ping the IP from the firewall..  it seems like the firewall is blocking it for some reason..

Thanks for your help
Avatar of rsivanandan

From where are you not able to ping ? Both statements above say that you cannot ping from inside.

Is this IP static natted on the PIX ?

Avatar of rreddell


When I am on the server inside the network it will not work...  When I log into the Pix.. it works..

I still don't follow you, so is this your network;

Time Stuff----------PIX----------Server

Where are the inside interface and outside interface, can you  modify the above diagram ?

We have a time clock that is off site..  its public IP is

At the office...  our internal network is

When I am using a computer that is located on the internal network.. for example it will not ping nor will it connect to the time clock...

When I log onto our Pix Firewall...   from the ping command inside the pix box I am able to ping the  

When I'm at home I can ping and connect just fine also.
Okay, so you want to allow ICMP to it ? or NTP service itself ? You need to put in those for your access-list applied on the inside interface.

Post your sanitized pix configuration and I will show you how to add the acl.

I just want to be able to access it..  We have another time clock with a public IP of and it works fine!  

I can also ping everything else..   web sites etc.

Why would it just be the ip?
thanks for your quick responses  btw...
Can you post your router configuration? perhaps there is something in it which is stopping it from happening..
You are probably not able to access it because of the reason;

1. There is an access-list applied on the pix firewall's inside interface;

2. This access-list does not allow traffic to ip .

To find out, you need to post the pix config; if you prefer not to, then you could add the entries so that it allows to connect.

I was the one that installed the PIX.. (granted I don't know much about them)..  but it was new and I never put that kind of access-list in...

Building configuration...
: Saved
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ****
passwd *****
hostname tgc-pix1
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
name Yahoo
access-list outside_access_in permit tcp any host
access-list outside_access_in permit tcp any host
access-list outside_access_in permit tcp any host
access-list outside_access_in permit icmp any host echo
access-list outside_access_in permit icmp any host echo
access-list outside_access_in permit icmp any host echo
access-list outside_access_in permit tcp any host
access-list outside_access_in permit icmp any host echo
access-list outside_access_in permit tcp any host
access-list outside_access_in permit icmp any host echo
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm location inside
pdm location inside
pdm location inside
pdm location inside
pdm location Yahoo outside
pdm location inside
pdm location inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0 0
static (inside,outside) netmask 0 0
static (inside,outside) netmask 0 0
static (inside,outside) netmask 0 0
static (inside,outside) netmask 0 0
static (inside,outside) netmask 0 0
access-group outside_access_in in interface outside
route outside 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address inside
dhcpd dns
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
: end
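The two-point hypothesis raised above (an access-list applied on the inside interface that does not permit the destination) can be checked mechanically against a saved PIX 6.3 config rather than by eye. The following is an added example, not code from this thread or from Cisco: it parses `access-list` and `access-group` lines, then answers whether outbound traffic from the inside interface to a given destination is permitted. The function names (`parse_config`, `outbound_allowed`), the small table of port names and the two sample configs (documentation-range addresses, constructed for the example) are all assumptions. The second sample mirrors what the posted config actually shows, an ACL on `outside` only, in which case outbound traffic from the higher-security interface is permitted by default and the PIX's ACLs are not what blocks the time clock.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample configs (documentation-range addresses, not the thread's).
CONFIG_OUTSIDE_ACL_ONLY = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list outside_access_in permit tcp any host 192.0.2.10 eq www
access-list outside_access_in permit icmp any host 192.0.2.10 echo
access-group outside_access_in in interface outside
"""

# Same config plus an inside ACL that only permits one subnet and web traffic.
CONFIG_WITH_INSIDE_ACL = CONFIG_OUTSIDE_ACL_ONLY + """\
access-list inside_access_in permit ip any 198.51.100.0 255.255.255.0
access-list inside_access_in permit tcp any any eq www
access-group inside_access_in in interface inside
"""

# Assumed subset of PIX port keywords; numeric ports are accepted as-is.
_PORT_NAMES = {"www": 80, "http": 80, "https": 443, "domain": 53, "ntp": 123,
               "ssh": 22, "telnet": 23, "smtp": 25, "ftp": 21}


@dataclass
class Rule:
    action: str                                  # "permit" or "deny"
    proto: str                                   # "ip", "tcp", "udp", "icmp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[Callable[[int], bool]]       # destination port test, if any


def _port(tok: str) -> int:
    return int(tok) if tok.isdigit() else _PORT_NAMES[tok]


def _parse_addr(tok, i):
    """Parse a PIX address spec at tok[i]: 'any', 'host X', or 'X NETMASK'."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def _port_spec(tok, i):
    """Parse an optional port qualifier (eq/neq/gt/lt/range); return (test, next index)."""
    if i < len(tok) and tok[i] in ("eq", "neq", "gt", "lt"):
        op, p = tok[i], _port(tok[i + 1])
        ops = {"eq": lambda x: x == p, "neq": lambda x: x != p,
               "gt": lambda x: x > p, "lt": lambda x: x < p}
        return ops[op], i + 2
    if i < len(tok) and tok[i] == "range":
        lo, hi = _port(tok[i + 1]), _port(tok[i + 2])
        return (lambda x: lo <= x <= hi), i + 3
    return None, i


def parse_config(text):
    """Return ({acl name: [Rule, ...]}, {interface name: acl name}) from a PIX config."""
    acls, groups = {}, {}
    for line in text.splitlines():
        tok = line.split()
        if tok[:1] == ["access-list"] and len(tok) >= 5 and tok[2] in ("permit", "deny"):
            name, action, proto = tok[1], tok[2], tok[3]
            src, i = _parse_addr(tok, 4)
            _, i = _port_spec(tok, i)            # source port qualifier is ignored here
            dst, i = _parse_addr(tok, i)
            dport, i = _port_spec(tok, i)        # trailing tokens such as 'echo' are ignored
            acls.setdefault(name, []).append(Rule(action, proto, src, dst, dport))
        elif tok[:1] == ["access-group"] and len(tok) >= 5 and tok[2] == "in":
            groups[tok[4]] = tok[1]              # interface name -> ACL name
    return acls, groups


def outbound_allowed(config_text, dst_ip, proto="ip", dport=None, src_ip=None, iface="inside"):
    """Decide whether traffic entering `iface` toward dst_ip is permitted; return (bool, reason)."""
    acls, groups = parse_config(config_text)
    if iface not in groups:
        return True, (f"no access-list applied on '{iface}'; traffic to lower-security "
                      "interfaces is permitted by default")
    dst = ipaddress.ip_address(dst_ip)
    for n, r in enumerate(acls.get(groups[iface], []), 1):
        if r.proto not in ("ip", proto) or dst not in r.dst:
            continue
        if src_ip is not None and ipaddress.ip_address(src_ip) not in r.src:
            continue
        if r.dport is not None and (dport is None or not r.dport(dport)):
            continue
        return r.action == "permit", f"matched {groups[iface]} rule {n}: {r.action} {r.proto} -> {r.dst}"
    return False, f"no rule in {groups[iface]} matches; implicit deny"


if __name__ == "__main__":
    for cfg_name, cfg in (("outside ACL only", CONFIG_OUTSIDE_ACL_ONLY),
                          ("inside ACL present", CONFIG_WITH_INSIDE_ACL)):
        ok, why = outbound_allowed(cfg, "203.0.113.5", "icmp")
        print(f"{cfg_name}: icmp to 203.0.113.5 -> {'permit' if ok else 'deny'} ({why})")
```

Run it against a real saved config by passing the file contents and the time clock's address; a `False` result with a rule number points at the line to change, while a `True` with the "no access-list applied" reason means, as in this thread, the fault lies elsewhere (routing, the ISP or the router in front of the PIX).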

Avatar of skaap2k
When I'm inside the pix itself I can ping the time clock.   So I couldn't see that being a reason?

When I do a tracert from the internal network... it times out at the first hop...  doesn't even get a chance to get past the PIX....


The fact that you're able to ping it from the pix and from your home proves that there is nothing blocking on the other end.

On the machine from where you are trying to ping, what is the default gateway ? Is it for sure (the Pix inside address)?

If yes, how does the tracert look? I mean, does it get to the firewall at least ? Can you post the output of tracert?

This is from the internal network...    Again.. I'm not a real deep network guy..  but I just can not see what could this be...     The gateway is

Tracing route to []
over a maximum of 30 hops:

  1     *        *        *     Request timed out.
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
That's really weird. I tried pinging but it didn't, so obviously it is being blocked somewhere, but that isn't the problem. When you trace route, you should at least be able to see the gateway ip address first.

Did you try from another machine ? Which would eliminate the tcp/ip stack problem with the office machine?

Just a thought, but need to confirm first with you.

Can you do the ping/tracert from a machine which is *NOT* the following ip;  

Tried it from a regular workstation...  same results.. ping and tracert...  

Try to ping it now..  Early this morning our Data provider had issues...

One thing I will try this evening is to eliminate everything else and just plug my laptop into the pix and try to ping it then....
I'm able to ping now, though I'm having a couple of timeout issues as well. But yeah, it would be good to try.

Sorry for the delay... been out of the office...

OK..  Was able to try and just go from my laptop.. into the firewall..  bypassing everything else...


So it seems like the firewall is blocking the IP some how?

Could I make a rule that routes everything internally for that IP  to the outside?
hmmm. actually no need, there is nothing on the firewall that blocks it. I just tried to ping it again from my machine and it doesn't. So is there something that keeps changing on the site where this server is present?

Been a long time since I started this...  but hey..  better than never right!?

There is nothing that changes on the site...   I'm able to ping it from my home right now and from inside the router... but still not from inside the network...  

I've also put in a whole new domain.. but even with the new servers... no dice...

but playing around a little...  I found another IP that will not allow me to ping it...  and this site has the same setup as the 209.113 site...   but it allows me to ping it from inside the cisco router...   its IP is

What I mean by the same setup.. they have integrated T1s...  voice and data on the same T...  Might give the Telcom a call....  

Sorry for the absence on this...  

no issues, let me know what happens from telecom end.

Called ONECom...  they also said it has to be the router...  being I'm able to ping everything from inside the router.....  

I'm at a loss here...   only thing I know to do now... is to take everything else off the network... and just plug a laptop into the switch with the PIX...   maybe something is screwing with it on the network??
When you get time, try that just directly a laptop on the pix and see. It is weird.

They replaced the router...  everything is working now...

Thanks for all your help and quick responses...  you helped me eliminate what it could be down to what it was...

Again.. thanks!