I am unable to ping through my firewall. Why?

Posted on 2007-10-03
Last Modified: 2008-01-09
I am able to access the internet through my PIX 515E firewall, but I am unable to ping anything outside, e.g. I need to run a tracert but cannot ping out. Why? I don't see any ICMP restrictions on the PIX.
Question by: colmbowler
    LVL 36

    Expert Comment

    ICMP replies need to be specifically permitted in the configuration. There are a few different versions of the PIX software and the commands to enable it differ. Can you post your configuration?
    LVL 3

    Expert Comment

    Usually routers won't block it, but many times your local firewall will. Check to see what's being blocked.

    Ping works on port 7, so try opening that up. If you are using Windows Firewall, I believe that their label of "File and Print Sharing", which is under their rules, has ping port 7 included. So if you enable that on Windows Firewall your ping will work. That's the most common issue I see with ping not working.

    Also try pinging another computer or even your router; if that doesn't work then it's definitely not your router causing the problem.

    Author Comment

    See edited config below

    I have no local firewall. I can ping out if directly connected to the ADSL modem, so it is definitely the firewall.

    sh run
    : Saved
    PIX Version 8.0(2)
    hostname Pix
    enable password  encrypted

    interface Ethernet0
     speed 100
     nameif outside
     security-level 0
     ip address
     ospf cost 10
    interface Ethernet1
     speed 100
     nameif inside
     security-level 100
     ip address
     ospf cost 10
    interface Ethernet2
     no nameif
     no security-level
     no ip address
    passwd  encrypted
    banner exec Unauthorized access will be prosecuted.
    ftp mode passive
    clock timezone EST 10
    clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
    dns domain-lookup inside
    dns server-group DefaultDNS
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group service DM_INLINE_SERVICE_1
     service-object esp
     service-object tcp eq 10000
     service-object udp eq 45000
     service-object udp eq isakmp
    access-list inside_access_in extended permit ip any any

    pager lines 24
    logging enable
    logging timestamp
    logging emblem
    logging buffer-size 1048576
    logging asdm informational
    logging debug-trace
    mtu outside 1500
    mtu inside 1500
    ip verify reverse-path interface outside
    no failover
    no monitor-interface outside
    no monitor-interface inside
    icmp unreachable rate-limit 1 burst-size 1
    asdm image flash:/asdm-602.bin
    asdm history enable
    arp timeout 14400
    global (outside) 101 interface
    nat (inside) 101
    access-group inside_access_in in interface inside
    route outside 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 5:00:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http inside
    snmp-server host inside community public version 2c
    snmp-server location Sydney
    snmp-server contact C
    snmp-server community public
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    snmp-server enable traps ipsec start stop
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto ca trustpoint ASDM_TrustPoint0
     fqdn PIXFirewall
     subject-name CN=PIXFirewall
     no client-types
     crl configure
    crypto ca trustpoint ASDM_TrustPoint1
     fqdn PIXFirewall
     subject-name CN=PIXFirewall
     no client-types
     crl configure
    no crypto isakmp nat-traversal
    telnet inside
    telnet timeout 60
    ssh timeout 5
    console timeout 0
    management-access inside
    l2tp tunnel hello 300
    no threat-detection basic-threat
    threat-detection statistics
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny  
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip  
      inspect xdmcp
    service-policy global_policy global
    ntp authenticate
    ntp server source inside prefer
    ssl encryption 3des-sha1 des-sha1 rc4-sha1 aes128-sha1 aes256-sha1 rc4-md5
    tunnel-group DefaultRAGroup ipsec-attributes
     isakmp keepalive threshold 10 retry 2
    tunnel-group type ipsec-l2l
    prompt hostname
    : end
    LVL 36

    Expert Comment

    Add the following configuration and then it should work.

    access-list outside_access_in extended permit icmp any any echo-reply
    access-list outside_access_in extended permit icmp any any source-quench
    access-list outside_access_in extended permit icmp any any unreachable
    access-list outside_access_in extended permit icmp any any time-exceeded
    access-group outside_access_in in interface outside
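    For context on why those four ACL entries are needed, and what the stateful alternative looks like, here is an added configuration example; it is not part of the original thread and not the asker's running config. PIX/ASA 7.x and later track TCP and UDP sessions and admit their return traffic automatically, but ICMP has no ports and is only tracked as a connection when ICMP inspection is enabled. Without it, an echo-reply arriving on the outside interface has no matching connection and is dropped even though the echo-request was allowed out, which is exactly the symptom in the question. The example reuses the interface names (outside, inside) and the policy-map name (global_policy) from the posted config; the placeholder addresses in the verification commands are assumptions to be replaced with real values.

```text
! Method 1 (the fix posted above): a static inbound ACL on the outside
! interface listing the ICMP types a ping or traceroute needs back.
!   echo-reply    -> answers to ping
!   time-exceeded -> per-hop answers to traceroute
!   unreachable   -> final-hop answer to UDP traceroute, plus path-MTU errors
!   source-quench -> listed in the thread, but deprecated (RFC 6633) and safe to omit
! Caveat: these types are admitted from any source at any time, whether or
! not an inside host ever sent a request, because the firewall keeps no
! ICMP state with this method.
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
access-group outside_access_in in interface outside

! Method 2 (alternative, not from the thread): stateful ICMP inspection.
! Added to the existing global_policy, it matches each reply to the outbound
! request by ICMP id/sequence and admits only one reply per request, so no
! inbound ACL entry for ICMP is needed. 'inspect icmp error' also tracks the
! time-exceeded/unreachable errors that intermediate routers send, so
! traceroute completes, and rewrites the inside addresses embedded in those
! errors for hosts behind NAT/PAT.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

! Note: the per-interface 'icmp permit|deny ... outside' command is a
! different control. It governs ICMP addressed to the firewall's own
! interface addresses and does not affect pings passing through it.

! Verification: ping from an inside host, then confirm the firewall built an
! ICMP connection (method 2) or find the denied reply in the log (neither
! method applied yet). packet-tracer shows which rule passes or drops a
! simulated echo-reply (type 0, code 0) arriving on the outside interface;
! <peer-ip> and <outside-interface-ip> are placeholders.
show conn protocol icmp
show access-list outside_access_in
show logging | include icmp
packet-tracer input outside icmp <peer-ip> 0 0 <outside-interface-ip> detailed
```

    Either method on its own makes ping and traceroute work; the ACL is the one the thread used, the inspection route is the tighter of the two because nothing is admitted from the outside unless an inside host asked for it first. If both are configured, the ACL is evaluated first and the inspection still enforces the one-reply-per-request check.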

    Author Comment

    Thanks, that worked. Another quick question: is there anything else I should allow in for it to function correctly?
    LVL 36

    Accepted Solution

    No that should be all you need. The PIX monitors the outbound traffic and automatically permits back the replies.
    You only need to allow other stuff in if you want to forward connections to machines on the inside such as a mail server.
