I am Unable to ping through my firewall. Why?

I am able to access the internet through my PIX 515E firewall but I am unable to ping anything outside, e.g. google.com. I need to run a tracert route but cannot ping out. Why? I don't see any ICMP restrictions on the PIX.
colmbowlerAsked:
 
grbladesCommented:
No that should be all you need. The PIX monitors the outbound traffic and automatically permits back the replies.
You only need to allow other stuff in if you want to forward connections to machines on the inside such as a mail server.
0
 
grbladesCommented:
ICMP replies need to be specifically permitted in the configuration. There are a few different versions of the PIX software and the commands to enable it differ. Can you post your configuration?
0
 
taylorludwigCommented:
Usually routers won't block it, but many times your local firewall will. Check to see what's being blocked.

Ping works on port 7 so try opening that up. If you are using Windows Firewall I believe that their label of File and Print Sharing, which is under their rules, has ping port 7 included. So if you enable that on Windows Firewall your ping will work. That's the most common issue I see with ping not working.

Also try pinging another computer or even your router; if that doesn't work then it's definitely not your router causing the problem.
0
 
colmbowlerAuthor Commented:
See edited config below

I have no local firewall. I can ping out if directly connected to the ADSL modem. So it is definitely the firewall.

sh run
: Saved
:
PIX Version 8.0(2)
!
hostname Pix
domain-name
enable password  encrypted

interface Ethernet0
 speed 100
 nameif outside
 security-level 0
 ip address 10.0.0.1 255.255.255.0
 ospf cost 10
!
interface Ethernet1
 speed 100
 nameif inside
 security-level 100
 ip address 172.16.2.244 255.255.255.0
 ospf cost 10
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd  encrypted
banner exec Unauthorized access will be prosecuted.
ftp mode passive
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
dns domain-lookup inside
dns server-group DefaultDNS
 domain-name
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service DM_INLINE_SERVICE_1
 service-object esp
 service-object tcp eq 10000
 service-object udp eq 45000
 service-object udp eq isakmp
access-list inside_access_in extended permit ip any any

pager lines 24
logging enable
logging timestamp
logging emblem
logging buffer-size 1048576
logging asdm informational
logging debug-trace
mtu outside 1500
mtu inside 1500
ip verify reverse-path interface outside
no failover
no monitor-interface outside
no monitor-interface inside
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-602.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (inside) 101 172.16.0.0 255.255.0.0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 10.0.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 5:00:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.16.2.85 255.255.255.255 inside
snmp-server host inside 172.16.2.2 community public version 2c
snmp-server location Sydney
snmp-server contact C
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps ipsec start stop
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto ca trustpoint ASDM_TrustPoint0
 fqdn PIXFirewall
 subject-name CN=PIXFirewall
 no client-types
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 fqdn PIXFirewall
 subject-name CN=PIXFirewall
 no client-types
 crl configure
no crypto isakmp nat-traversal
telnet 172.16.2.85 255.255.255.255 inside
telnet timeout 60
ssh timeout 5
console timeout 0
management-access inside
l2tp tunnel hello 300
no threat-detection basic-threat
threat-detection statistics
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
!
service-policy global_policy global
ntp authenticate
ntp server 172.16.2.3 source inside prefer
ssl encryption 3des-sha1 des-sha1 rc4-sha1 aes128-sha1 aes256-sha1 rc4-md5
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 10 retry 2
tunnel-group 203.127.29.1 type ipsec-l2l
prompt hostname
Cryptochecksum:659814da17febab6f99200691e2835ed
: end
Pix
0
 
grbladesCommented:
Add the following configuration and then it should work.

access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any source-quench
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any time-exceeded
access-group outside_access_in in interface outside
0
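
Why the posted config drops ping replies and what the ACL lines above change, as an added example that is not part of the original thread: the script checks the two things that let ICMP replies back in on a PIX 7.x/8.x, an inbound ACL on the outside interface or `inspect icmp` in the policy map (which the posted global_policy does not list). The function name `icmp_return_path` and the two config excerpts are constructed for illustration from the lines posted in the thread.

```python
# ICMP type keywords used in this thread's ACL, plus echo.
ICMP_TYPES = {"echo", "echo-reply", "unreachable", "time-exceeded", "source-quench"}
NEEDED = ("echo-reply", "time-exceeded", "unreachable")  # replies ping/tracert wait for

# Constructed excerpt of the config posted above (only the lines that matter here).
BEFORE = """\
access-list inside_access_in extended permit ip any any
access-group inside_access_in in interface inside
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
"""
# The same excerpt with the ACL lines from the answer appended.
AFTER = BEFORE + """\
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any source-quench
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any time-exceeded
access-group outside_access_in in interface outside
"""

def icmp_return_path(config, iface="outside"):
    """Summarise how ICMP replies arriving on `iface` are treated."""
    # Simplifications (assumptions): ACL source/destination fields are ignored,
    # deny entries are not modelled, any 'inspect icmp' line counts as active.
    rows = [line.split() for line in config.splitlines() if line.strip()]
    # ACL bound inbound on the interface: access-group NAME in interface IFACE
    acl = next((r[1] for r in rows
                if r[0] == "access-group" and r[2:] == ["in", "interface", iface]), None)
    permitted = set()
    for r in rows:
        if len(r) > 4 and r[:4] == ["access-list", acl, "extended", "permit"]:
            if r[4] == "ip" or (r[4] == "icmp" and r[-1] not in ICMP_TYPES):
                permitted |= ICMP_TYPES      # no type qualifier: every ICMP type
            elif r[4] == "icmp":
                permitted.add(r[-1])
    return {
        "acl": acl,
        "inspect_icmp": ["inspect", "icmp"] in rows,
        "echo_reply_allowed": ["inspect", "icmp"] in rows or "echo-reply" in permitted,
        "not_permitted_by_acl": [t for t in NEEDED if t not in permitted],
    }

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, icmp_return_path(cfg))
```
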
 
colmbowlerAuthor Commented:
Thanks, that worked. Another quick question: is there anything else I should allow in to function correctly?
0
 
colmbowlerAuthor Commented:
Thanks
0
Question has a verified solution.
