Solved

Allow ICMP traffic (ping, tracert) through PIX 506E.

Posted on 2007-07-19
13,534 Views
Last Modified: 2011-02-11
Given below is my running configuration. I cannot seem to allow ping and tracert through the PIX. I have tried the solutions provided here and elsewhere but my attempts to succeed have failed. Please note that the configuration shown below does not show my attempts to allow ICMP traffic through - this is my pre-attempt configuration.

I would appreciate any and all assistance.

Thank you.

Result of firewall command: "show running-config"
 
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password dHnK6Hq1Iy2bdnoJ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix
domain-name bs-ad.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 xxx.xxx.x.x 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 xxx.xx.xxx.x 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 host xxx.xxx.xxx.xxx
access-list outside_cryptomap_dyn_20 permit ip 192.168.1.0 255.255.255.0 xxx.xxx.x.x 255.255.255.0
access-list outside_cryptomap_dyn_20_2 permit ip 192.168.1.0 255.255.255.0 xxx.xxx.x.x 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 xxx.xx.xxx.x 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 xxx.xx.xxx.x 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside xx.xxx.x.xxx 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool BSIP 192.168.x.x-192.168.x.xxx
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 xx.xxx.x.xxx 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 1 ipsec-isakmp
crypto map outside_map 1 match address 101
crypto map outside_map 1 set peer xx.xx.xx.xx
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address xx.xx.xx.xx netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 0
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup BSTech address-pool BSIP
vpngroup BSTech dns-server 192.168.x.xx 192.168.x.xx
vpngroup BSTech default-domain bs-ad.com
vpngroup BSTech split-tunnel outside_cryptomap_dyn_20_2
vpngroup BSTech idle-time 1800
vpngroup BSTech password ********
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.x.x-192.168.x.xxx inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:b2b6a0d5bcc11018af3f602ac8c0f1e4
: end

Question by:RohanH
22 Comments
 
LVL 28

Expert Comment

by:batry_boy
ID: 19525539
If you want to allow pings and traceroutes initiated from the inside network to be able to come back through the PIX, then add the following statements:

access-list acl_out permit icmp any any echo-reply
access-list acl_out permit icmp any any time-exceeded
access-list acl_out permit icmp any any unreachable
access-group acl_out in interface outside

Return traffic from pings and traceroutes is blocked by default and this will allow it back through.  This DOES NOT allow ICMP traffic originating from the Internet to come inbound to your network...this would be a security risk if that were allowed.
 
LVL 57

Expert Comment

by:Pete Long
ID: 19525617
Cisco Firewalls and PING

(Note: Tracert uses Ping technology and protocols and the firewall treats ping and tracert the same*)

PIX Version 6

With regards to Ping, out of the box, a Cisco firewall will allow you to ping the interface you are connected to, so in a normal setup clients can ping the inside interface, and the firewall's outside interface can be pinged from outside.
OK, to understand pinging through a Cisco Firewall you need to understand that Ping is part of the ICMP protocol suite, and unlike other protocols it is not connection orientated. What that means is (on a new firewall that has no rules applied outbound) the firewall happily lets ping traffic out but it won't let ping traffic back in; this results in a failure on the client.

Allow Pinging of outside hosts

In light of the above the following will let ping traffic back in.

Access-list inbound permit icmp any any echo-reply
access-list inbound permit icmp any any time-exceeded
access-list inbound permit icmp any any unreachable
access-group outbound in interface inside

PIX Version 7 and above

Version 7 introduced an ICMP inspection engine so that it could track ICMP requests like other protocols. It's NOT turned on by default. The command is inspect icmp, but you need to enter the default map first; use the following commands from config terminal mode.

Policy-map global_policy
class inspection_default
inspect icmp

How to STOP interfaces responding to Ping packets

As already stated you can ping an interface on a Cisco firewall if you are directly connected to it. You can turn this OFF using the icmp command; a lot of people like to disable pinging on the outside interface in an effort to lessen the risk of a denial of service attack. To do this the syntax is as follows:

icmp deny any echo outside

*Note: this does not apply to INBOUND tracerts; these will NOT work without a (fixup protocol icmp) command. In version 7 tracert will not work unless the inspect icmp command has been issued.
 

Author Comment

by:RohanH
ID: 19525624
batry_boy,

Thank you for your quick response. I cut and paste the commands you provided into the PDM CLI and verified that they had been added to my running configuration. I then attempted both a ping and a tracert to www.cnn.com. Both ping and tracert time out. I would expect that the tracert would at least show the one hop to the PIX - right?

Is there anything else that you can think of to get this working?

Thank you.
 
LVL 28

Expert Comment

by:batry_boy
ID: 19525653
That website doesn't respond to ping requests.  Try www.google.com instead as a test.
 

Author Comment

by:RohanH
ID: 19525696
batry_boy,

I tried www.google.com. It also does not respond. Neither does www.yahoo.com.

Anything you can think of?

Thank you.
 
LVL 28

Expert Comment

by:batry_boy
ID: 19525738
Please post the output of the following commands and I can take a look:

show access-list
show access-group

You can sanitize it first, if you wish...(no display of public IP addresses)
 

Author Comment

by:RohanH
ID: 19525744
PeteLong,

You suggested trying the following commands:

Access-list inbound permit icmp any any echo-reply
access-list inbound permit icmp any any time-exceeded
access-list inbound permit icmp any any unreachable
access-group outbound in interface inside

Here I am guessing that
access-group outbound in interface inside
should read
access-group inbound in interface inside

and if that is the case, then this appears to be the same as the solution suggested by batry_boy - unfortunately that solution is not working for me.

Can you think of anything else I can try?

Thank you.
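As an added illustration, not code from the thread, from Cisco or from either expert, the following Python toy model captures the rule both batry_boy and Pete Long describe: on a PIX 6.3 with no ICMP fixup, ICMP carries no connection state, so an inside host's echo goes out but the echo-reply arriving on the outside interface is dropped unless an access-list bound to that interface permits it. The model assumes the general PIX behaviour, not spelled out in the thread, that an access-group bound to an interface replaces the security-level default for packets entering it with an explicit permit list and an implicit deny at the end; it ignores addresses because every ACE quoted in the thread is "any any". The three scenarios are the out-of-the-box firewall, batry_boy's acl_out bound to the outside interface, and Pete Long's commands as posted (list bound to the inside interface). The PC and nameserver addresses are taken from values that appear in the thread; the Internet host address is a constructed placeholder.

```python
"""Toy model of ping through a PIX 6.3 that has no ICMP fixup (constructed example).
Assumed rules: an interface with an access-group passes only packets some ACE permits
(implicit deny); without one, higher-security to lower-security passes and the reverse
is dropped; TCP/UDP replies match the connection entry the outbound packet created,
ICMP has no such state. Addresses are ignored because every ACE here is "any any"."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str            # "icmp", "tcp" or "udp"
    src: str
    dst: str
    icmp_type: str = ""   # echo, echo-reply, time-exceeded, unreachable
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "ip", "icmp", "tcp", "udp"
    icmp_type: str = ""   # empty means any ICMP type

    def matches(self, pkt):
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.proto == "icmp" and self.icmp_type and self.icmp_type != pkt.icmp_type:
            return False
        return True


class Pix:
    def __init__(self):
        self.security = {"outside": 0, "inside": 100}
        self.acls = {}        # acl name -> [Ace, ...]
        self.groups = {}      # interface -> acl name (access-group NAME in interface IFACE)
        self.conns = set()    # (proto, src, sport, dst, dport) of permitted TCP/UDP flows

    def access_list(self, name, action, proto, icmp_type=""):
        self.acls.setdefault(name, []).append(Ace(action, proto, icmp_type))

    def access_group(self, name, iface):
        self.groups[iface] = name

    def forward(self, pkt, ingress):
        """True if a packet entering 'ingress' is passed through to the other interface."""
        egress = "inside" if ingress == "outside" else "outside"
        if pkt.proto in ("tcp", "udp"):
            # reply direction: the connection table is consulted before any ACL
            if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conns:
                return True
        if ingress in self.groups:
            allowed = False   # implicit deny at the end of the list
            for ace in self.acls.get(self.groups[ingress], []):
                if ace.matches(pkt):
                    allowed = ace.action == "permit"
                    break
        else:
            allowed = self.security[ingress] > self.security[egress]
        if allowed and pkt.proto in ("tcp", "udp"):
            self.conns.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return allowed


INSIDE_HOST = "192.168.1.4"   # the PC from the route print posted in the thread
REMOTE = "198.6.1.2"          # the nameserver lrmoore suggested pinging
OUTSIDE_HOST = "203.0.113.9"  # constructed placeholder for an Internet host


def ping_from_inside(pix):
    echo = Packet("icmp", INSIDE_HOST, REMOTE, "echo")
    reply = Packet("icmp", REMOTE, INSIDE_HOST, "echo-reply")
    return pix.forward(echo, "inside") and pix.forward(reply, "outside")


def ping_from_internet(pix):
    return pix.forward(Packet("icmp", OUTSIDE_HOST, INSIDE_HOST, "echo"), "outside")


def web_from_inside(pix):
    syn = Packet("tcp", INSIDE_HOST, REMOTE, sport=40000, dport=80)
    synack = Packet("tcp", REMOTE, INSIDE_HOST, sport=80, dport=40000)
    return pix.forward(syn, "inside") and pix.forward(synack, "outside")


def scenario_default():
    return Pix()


def scenario_acl_on_outside():
    """batry_boy's commands: acl_out bound to the outside interface."""
    pix = Pix()
    for t in ("echo-reply", "time-exceeded", "unreachable"):
        pix.access_list("acl_out", "permit", "icmp", t)
    pix.access_group("acl_out", "outside")
    return pix


def scenario_acl_on_inside():
    """Pete Long's commands as posted: the list ends up bound to the inside interface."""
    pix = Pix()
    for t in ("echo-reply", "time-exceeded", "unreachable"):
        pix.access_list("inbound", "permit", "icmp", t)
    pix.access_group("inbound", "inside")
    return pix


def summarize(pix):
    return {"ping_from_inside": ping_from_inside(pix),
            "ping_from_internet": ping_from_internet(pix),
            "web_from_inside": web_from_inside(pix)}


if __name__ == "__main__":
    for label, build in (("no ACL", scenario_default),
                         ("acl_out on outside", scenario_acl_on_outside),
                         ("ACL on inside", scenario_acl_on_inside)):
        print(label, summarize(build()))
```

Running it shows the three outcomes the thread argues about: with no ACL the echo leaves but the reply is dropped while web traffic still works; with acl_out on the outside interface the reply is admitted while an echo from the Internet is still refused; and with the list bound to the inside interface the implicit deny swallows the outbound echo and all other outbound traffic, which is why the interface in access-group matters as much as the ACE text.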
 

Author Comment

by:RohanH
ID: 19525813
batry_boy,

Here are the results of the commands you sent me:

Result of firewall command: "show access-list"
 
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024)
            alert-interval 300
access-list inside_outbound_nat0_acl; 3 elements
access-list inside_outbound_nat0_acl line 1 permit ip 192.168.1.0 255.255.255.0 192.168.x.0 255.255.255.0 (hitcnt=207095)
access-list inside_outbound_nat0_acl line 2 permit ip 192.168.1.0 255.255.255.0 xxx.xx.xxx.0 255.255.255.0 (hitcnt=16680)
access-list inside_outbound_nat0_acl line 3 permit ip 192.168.1.0 255.255.255.0 host xxx.xxx.xxx.xxx (hitcnt=10)
access-list outside_cryptomap_dyn_20; 1 elements
access-list outside_cryptomap_dyn_20 line 1 permit ip 192.168.1.0 255.255.255.0 192.168.x.0 255.255.255.0 (hitcnt=0)
access-list outside_cryptomap_dyn_20_2; 1 elements
access-list outside_cryptomap_dyn_20_2 line 1 permit ip 192.168.1.0 255.255.255.0 192.168.x.0 255.255.255.0 (hitcnt=3175)
access-list nonat; 1 elements
access-list nonat line 1 permit ip 192.168.1.0 255.255.255.0 xxx.xx.xxx.x 255.255.255.0 (hitcnt=0)
access-list vpn-client-split; 0 elements
access-list 101; 1 elements
access-list 101 line 1 permit ip 192.168.1.0 255.255.255.0 xxx.xx.xxx.0 255.255.255.0 (hitcnt=17971)
access-list acl_out; 3 elements
access-list acl_out line 1 permit icmp any any echo-reply (hitcnt=0)
access-list acl_out line 2 permit icmp any any time-exceeded (hitcnt=0)
access-list acl_out line 3 permit icmp any any unreachable (hitcnt=0)

Result of firewall command: "show access-group"
 
access-group acl_out in interface outside

Thank you.
 
LVL 79

Expert Comment

by:lrmoore
ID: 19526569
What do you get from:
 C:\>nslookup www.yahoo.com
Does it resolve to an IP address?

From the PIX console (or PDM) can you ping 198.6.1.2 ?
 

Author Comment

by:RohanH
ID: 19526632
lrmoore,

Thank you for your reply.

nslookup gives me the following:

*** Can't find server name for address 192.168.1.10: Non-existent domain
*** Can't find server name for address 192.168.1.13: Non-existent domain
*** Default servers are not available
Server:  UnKnown
Address:  192.168.1.10

Non-authoritative answer:
Name:    www.yahoo-ht3.akadns.net
Address:  69.147.114.210
Aliases:  www.yahoo.com

Ping from the PDM gives me:
      198.6.1.2 NO response received -- 1000ms
      198.6.1.2 NO response received -- 1000ms
      198.6.1.2 NO response received -- 1000ms

Thank you.
 
LVL 28

Expert Comment

by:batry_boy
ID: 19526657
Is 192.168.1.2 a valid internal IP address for a device that would respond to pings?  If not, you should probably try to ping another internal IP address, something you know will respond to pings.
 

Author Comment

by:RohanH
ID: 19526710
batry_boy,

I'm sorry ... I'm a little confused. If you are responding in response to lrmoore's ping suggestion - he said I should ping 198.6.1.2 ... should I be attempting to ping 192.168.1.2 instead?

I pinged an internal IP address, as you suggested, and got a response:

      192.168.1.10 response received -- 0ms
      192.168.1.10 response received -- 0ms
      192.168.1.10 response received -- 0ms
Thank you.
 
LVL 28

Expert Comment

by:batry_boy
ID: 19526723
My bad...I'm dyslexic today...
 
LVL 79

Expert Comment

by:lrmoore
ID: 19526742
Yes, 198.6.1.2 is a valid internet IP address for a uunet cache nameserver

C:\WINDOWS>nslookup 198.6.1.2
Server:  resolver1.opendns.com
Address:  208.67.222.222

Name:    cache01.ns.uu.net
Address:  198.6.1.2

Since you can't even ping it from the PIX itself, then you must have some other issues. It is pingable from anywhere in the world.

>route outside 0.0.0.0 0.0.0.0 xx.xxx.x.xxx
Can you even ping this gateway? Is it the correct gateway? Is it the upstream router IP and not your own IP?
Can you post result of "show interface outside" ?
 

Author Comment

by:RohanH
ID: 19526864
lrmoore,

I can ping the gateway from the PIX - response in 0ms. I cannot ping it from my machine - request times out.

This is not my IP - it belongs to an upstream router. It is the correct gateway.

Result of show interface:

Result of firewall command: "show interface"
 
interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82559 ethernet, address is xxxx.xxxx.xxxx
  IP address xx.xxx.x.xxx, subnet mask 255.255.255.248
  MTU 1500 bytes, BW 100000 Kbit half duplex
      258834747 packets input, 3929387656 bytes, 0 no buffer
      Received 24959 broadcasts, 35 runts, 0 giants
      1612 input errors, 806 CRC, 771 frame, 0 overrun, 806 ignored, 0 abort
      214513185 packets output, 1116571109 bytes, 0 underruns
      0 output errors, 198840 collisions, 0 interface resets
      0 babbles, 134 late collisions, 2049839 deferred
      0 lost carrier, 0 no carrier
      input queue (curr/max blocks): hardware (128/128) software (0/28)
      output queue (curr/max blocks): hardware (0/40) software (0/1)
interface ethernet1 "inside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 0019.554f.60cd
  IP address 192.168.1.1, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 100000 Kbit full duplex
      217371334 packets input, 2911839689 bytes, 0 no buffer
      Received 2706441 broadcasts, 0 runts, 0 giants
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
      258631777 packets output, 182804056 bytes, 0 underruns
      0 output errors, 0 collisions, 0 interface resets
      0 babbles, 0 late collisions, 0 deferred
      0 lost carrier, 0 no carrier
      input queue (curr/max blocks): hardware (128/128) software (0/40)
      output queue (curr/max blocks): hardware (3/66) software (0/1)

Thank you.
 
LVL 79

Expert Comment

by:lrmoore
ID: 19527388
> 0 output errors, 198840 collisions, 0 interface resets
Looks like a duplex mismatch on the outside interface
What are you connecting to? Another router? Do you own the router? How exactly are you connected to it? Through another switch, or a crossover cable, or..?

>I can ping the gateway from the PIX - response in 0ms. I cannot ping it from my machine
Can you post result of C:\>route print   from the PC?
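The following Python script is an added example, not from the thread, from Cisco or from the experts, that parses the show access-list, show access-group and show interface output RohanH posted above (reproduced here as constructed sample strings with the same masking) and reports the two things batry_boy and lrmoore checked by eye: ICMP permit entries that are bound to an interface yet show hitcnt=0, meaning the list is in place but either has not taken effect or no ICMP is coming back from upstream, and an interface running half duplex with late collisions and CRC errors, the usual duplex-mismatch signature. The function and finding names are my own.

```python
"""Parse PIX 6.3 show output and repeat the checks made in this thread (constructed example)."""
import re

# Sample output modelled on the posts above; public addresses masked as RohanH masked them.
SHOW_ACCESS_LIST = """\
access-list acl_out; 3 elements
access-list acl_out line 1 permit icmp any any echo-reply (hitcnt=0)
access-list acl_out line 2 permit icmp any any time-exceeded (hitcnt=0)
access-list acl_out line 3 permit icmp any any unreachable (hitcnt=0)
access-list 101; 1 elements
access-list 101 line 1 permit ip 192.168.1.0 255.255.255.0 xxx.xx.xxx.0 255.255.255.0 (hitcnt=17971)
"""
SHOW_ACCESS_GROUP = "access-group acl_out in interface outside\n"
SHOW_INTERFACE = """\
interface ethernet0 "outside" is up, line protocol is up
  MTU 1500 bytes, BW 100000 Kbit half duplex
      1612 input errors, 806 CRC, 771 frame, 0 overrun, 806 ignored, 0 abort
      0 output errors, 198840 collisions, 0 interface resets
      0 babbles, 134 late collisions, 2049839 deferred
interface ethernet1 "inside" is up, line protocol is up
  MTU 1500 bytes, BW 100000 Kbit full duplex
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
      0 output errors, 0 collisions, 0 interface resets
      0 babbles, 0 late collisions, 0 deferred
"""

ACE_RE = re.compile(r"^access-list (\S+) line (\d+) (permit|deny) (\S+) (.*?) \(hitcnt=(\d+)\)$")
GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)$")
IFACE_RE = re.compile(r'^interface \S+ "(\S+)" is (\S+), line protocol is (\S+)')
COUNTERS = {
    "crc": re.compile(r"(\d+) CRC"),
    "collisions": re.compile(r"(\d+) collisions,"),       # trailing comma skips "late collisions"
    "late_collisions": re.compile(r"(\d+) late collisions"),
}


def parse_aces(text):
    """One dict per ACE line with its ACL name, line number, action, protocol, match text and hit count."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            acl, num, action, proto, rest, hits = m.groups()
            aces.append({"acl": acl, "line": int(num), "action": action,
                         "proto": proto, "match": rest, "hitcnt": int(hits)})
    return aces


def parse_access_groups(text):
    """Map ACL name -> (direction, interface) from show access-group."""
    groups = {}
    for line in text.splitlines():
        m = GROUP_RE.match(line.strip())
        if m:
            groups[m.group(1)] = (m.group(2), m.group(3))
    return groups


def parse_interfaces(text):
    """Map interface name -> status, duplex and the error counters we care about."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            cur = ifaces.setdefault(m.group(1), {"status": m.group(2), "protocol": m.group(3)})
            continue
        if cur is None:
            continue
        if "duplex" in line:
            cur["duplex"] = "half" if "half duplex" in line else "full"
        for key, rx in COUNTERS.items():
            c = rx.search(line)
            if c:
                cur[key] = int(c.group(1))
    return ifaces


def diagnose(acl_text, group_text, iface_text):
    """Return the list of findings a reviewer of this thread would raise."""
    findings = []
    groups = parse_access_groups(group_text)
    for ace in parse_aces(acl_text):
        if ace["proto"] != "icmp" or ace["action"] != "permit":
            continue
        if ace["acl"] not in groups:
            findings.append(f"{ace['acl']} permits ICMP but is not bound to any interface with access-group")
        elif ace["hitcnt"] == 0:
            direction, iface = groups[ace["acl"]]
            findings.append(f"{ace['acl']} line {ace['line']} ({ace['match']}) {direction} on {iface} has 0 hits: "
                            "the entry is in place, so either it has not taken effect or nothing upstream "
                            "is returning that ICMP type")
    for name, info in parse_interfaces(iface_text).items():
        if info.get("duplex") == "half" and (info.get("late_collisions", 0) or info.get("crc", 0)):
            findings.append(f"{name}: half duplex with {info.get('late_collisions', 0)} late collisions and "
                            f"{info.get('crc', 0)} CRC errors, classic duplex-mismatch signature")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SHOW_ACCESS_LIST, SHOW_ACCESS_GROUP, SHOW_INTERFACE):
        print("-", finding)
```

On the sample above it reports the three zero-hit acl_out entries on the outside interface and the half-duplex outside interface with 134 late collisions and 806 CRC errors, and stays silent about the inside interface; paste in your own show output to repeat the same checks on another PIX.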
 

Author Comment

by:RohanH
ID: 19531209
lrmoore,

My apologies for not replying sooner.

I should have been clearer in describing my physical setup ... we sit in leased office space - the outside interface of my PIX connects to the network provided by the leasing company. They have given us a public IP - which is bound to my outside interface.

Results of route print from the PC:

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 15 c5 b5 04 cc ...... Broadcom NetXtreme 57xx Gigabit Controller - Packet Scheduler Miniport
0x3 ...00 18 de 8a a4 0e ...... Intel(R) PRO/Wireless 3945ABG Network Connection - Packet Scheduler Miniport
0x4 ...00 60 73 e2 d8 27 ...... SonicWALL VPN Adapter - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.4       10
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0      192.168.1.4     192.168.1.4       10
      192.168.1.4  255.255.255.255        127.0.0.1       127.0.0.1       10
    192.168.1.255  255.255.255.255      192.168.1.4     192.168.1.4       10
        224.0.0.0        240.0.0.0      192.168.1.4     192.168.1.4       10
  255.255.255.255  255.255.255.255      192.168.1.4               3       1
  255.255.255.255  255.255.255.255      192.168.1.4     192.168.1.4       1
  255.255.255.255  255.255.255.255      192.168.1.4               4       1
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:
  None

Thank you.
 
LVL 79

Expert Comment

by:lrmoore
ID: 19531391
Ahso...
Try this:
  sysopt noproxyarp outside

I would also still investigate the physical connectivity to the outside interface to get rid of those errors and collisions. It looks like a duplex mismatch. Additionally, check with the leasing company and see if they are blocking anything at their end.

>214513185 packets output, 1116571109 bytes, 0 underruns
With this many packets and this much traffic, something is working and passing lots of traffic. Even though you can't ping anything can you browse the web, get email, etc?
 

Author Comment

by:RohanH
ID: 19531466
lrmoore,

Sorry ... where do I try this command from and what does it do?

Yes, we are able to browse, get e-mail and do everything else. I just cannot ping. I would expect tracert to at least show me the one hop to my PIX - but it does not even show that ...

Thank you.
 
LVL 79

Expert Comment

by:lrmoore
ID: 19532018
The sysopt is a global command:

 pix(config)#sysopt noproxyarp outside

This disables proxyarp on the outside interface. It can cause all kinds of headaches on a shared network like it appears that you have.

As long as everything else is working, your pix is configured just fine, so I would assume that either
1) the access-list is not "taking" on the interface. Suggest rebooting the PIX when time permits.
2) the upstream router is blocking ICMP. Very common in shared environments.

And no, the PIX does not announce itself as one of the hops. The first hop that I get is actually from the upstream router beyond my PIX.
 

Author Comment

by:RohanH
ID: 19532108
lrmoore,

Thank you for all your assistance.

Just so I understand this correctly ... disabling proxyarp on the outside interface is a good thing and something I would want to do?

If so, I will execute this command on the PIX and then attempt a reboot tonight to see if that makes a difference. If it does not, I will speak to the people we lease from to see if they will allow ICMP traffic through on their network as well.

Thank you.
 
LVL 79

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 19532185
>disabling proxyarp on the outside interface is a good thing and something I would want to do?
Not always, but helps in being a "good neighbor" and could help in your case.
It only works as long as you only have 1 public IP address. If you ever need a 2nd public IP for a specific static NAT, then you will have to disable it (no sysopt noproxyarp outside).
If you have multiple PIX's, for example, on the same inside LAN, perhaps one is dedicated to point-point VPN and one is dedicated to Internet use, you must disable proxyarp on the inside interface on both.
Proxyarp is difficult to explain, and does some strange things, especially with PIX.