I am unable to ping through my firewall. Why?

Posted on 2007-10-03
Medium Priority
Last Modified: 2008-01-09
I am able to access the internet through my PIX 515E firewall but I am unable to ping anything outside, e.g. google.com. I need to run a tracert route but cannot ping out. Why? I don't see any ICMP restrictions on the PIX.
Question by:colmbowler

Expert Comment

ID: 20004802
ICMP replies need to be specifically permitted in the configuration. There are a few different versions of the PIX software and the commands to enable it differ. Can you post your configuration?

Expert Comment

ID: 20004829
Usually routers won't block it, but many times your local firewall will. Check to see what's being blocked.

Ping works on port 7 so try opening that up. If you are using Windows Firewall I believe that their label of file and print sharing which is under their rules has ping port 7 included. So if you enable that on Windows Firewall your ping will work. That's the most common issue I see with ping not working.

Also try pinging another computer or even your router; if that doesn't work then it's definitely not your router causing the problem.

Author Comment

ID: 20004897
See edited config below

I have no local firewall. I can ping out if directly connected to the ADSL modem. So it is definitely the firewall.

sh run
: Saved
PIX Version 8.0(2)
hostname Pix
enable password  encrypted

interface Ethernet0
 speed 100
 nameif outside
 security-level 0
 ip address
 ospf cost 10
interface Ethernet1
 speed 100
 nameif inside
 security-level 100
 ip address
 ospf cost 10
interface Ethernet2
 no nameif
 no security-level
 no ip address
passwd  encrypted
banner exec Unauthorized access will be prosecuted.
ftp mode passive
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
dns domain-lookup inside
dns server-group DefaultDNS
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service DM_INLINE_SERVICE_1
 service-object esp
 service-object tcp eq 10000
 service-object udp eq 45000
 service-object udp eq isakmp
access-list inside_access_in extended permit ip any any

pager lines 24
logging enable
logging timestamp
logging emblem
logging buffer-size 1048576
logging asdm informational
logging debug-trace
mtu outside 1500
mtu inside 1500
ip verify reverse-path interface outside
no failover
no monitor-interface outside
no monitor-interface inside
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-602.bin
asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 101
access-group inside_access_in in interface inside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 5:00:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http inside
snmp-server host inside community public version 2c
snmp-server location Sydney
snmp-server contact C
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps ipsec start stop
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto ca trustpoint ASDM_TrustPoint0
 fqdn PIXFirewall
 subject-name CN=PIXFirewall
 no client-types
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 fqdn PIXFirewall
 subject-name CN=PIXFirewall
 no client-types
 crl configure
no crypto isakmp nat-traversal
telnet inside
telnet timeout 60
ssh timeout 5
console timeout 0
management-access inside
l2tp tunnel hello 300
no threat-detection basic-threat
threat-detection statistics
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
service-policy global_policy global
ntp authenticate
ntp server source inside prefer
ssl encryption 3des-sha1 des-sha1 rc4-sha1 aes128-sha1 aes256-sha1 rc4-md5
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 10 retry 2
tunnel-group type ipsec-l2l
prompt hostname
: end

Expert Comment

ID: 20004922
Add the following configuration and then it should work.

access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any source-quench
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any time-exceeded
access-group outside_access_in in interface outside

Author Comment

ID: 20004937
Thanks, that worked. Another quick question: is there anything else I should allow in to function correctly?

Accepted Solution

grblades earned 2000 total points
ID: 20004996
No, that should be all you need. The PIX monitors the outbound traffic and automatically permits back the replies.
You only need to allow other stuff in if you want to forward connections to machines on the inside such as a mail server.
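
The fix above, checked mechanically, as an added example that is not part of the original thread: the Python below parses a PIX running-config and reports which ICMP message types the ACL bound to the outside interface lets in. The config excerpts are constructed from the lines posted above, `audit_icmp` and its result keys are hypothetical names, and the check for `inspect icmp` (the PIX/ASA 7.x+ ICMP inspection command, which the thread does not use) is included as the stateful alternative to an ACL entry for echo replies.

```python
# Added example: audit how ICMP return traffic gets in through a PIX interface.
# BEFORE is a constructed excerpt of the posted config; AFTER appends the answer's ACL.
BEFORE = """\
access-list inside_access_in extended permit ip any any
access-group inside_access_in in interface inside
policy-map global_policy
 class inspection_default
  inspect ftp
"""
AFTER = BEFORE + """\
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any source-quench
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any time-exceeded
access-group outside_access_in in interface outside
"""

def _take_addr(tok):
    """Consume one address spec ('any', 'host A' or 'A MASK') from a token list."""
    if tok and tok[0] == "any":
        return "any", tok[1:]
    return " ".join(tok[:2]), tok[2:]

def audit_icmp(config, interface="outside"):
    """Summarise which ICMP traffic the config lets in through `interface`."""
    acls, bound, inspect = {}, None, False
    for tok in (line.split() for line in config.splitlines()):
        if tok[:1] == ["access-list"] and tok[2:4] == ["extended", "permit"] \
                and tok[4:5] in (["icmp"], ["ip"]):
            src, rest = _take_addr(tok[5:])
            _dst, rest = _take_addr(rest)
            # No trailing ICMP type (or a 'permit ip' entry) matches every type.
            icmp_type = rest[0] if rest and rest[0] != "log" else "any-type"
            acls.setdefault(tok[1], []).append((src, icmp_type))
        elif tok[:1] == ["access-group"] and tok[2:] == ["in", "interface", interface]:
            bound = tok[1]
        elif tok == ["inspect", "icmp"]:
            inspect = True  # stateful ICMP: echo replies return without an ACL entry
    entries = acls.get(bound, [])
    types = {t for _, t in entries}
    allowed = lambda t: t in types or "any-type" in types
    return {
        "acl": bound,
        "ping_replies": inspect or allowed("echo-reply"),
        "tracert_hops": allowed("time-exceeded"),
        "inbound_echo": allowed("echo"),  # True means outside hosts may ping in
        "open_to_any": sorted(t for s, t in entries if s == "any"),
    }

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_icmp(cfg))
```

On the constructed "after" config the report shows echo replies and time-exceeded admitted while `inbound_echo` stays false, so the added ACL does not let outside hosts ping inward; `open_to_any` lists the entries whose source is `any`.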

Author Comment

ID: 20005008
