Solved

Ping from Host to PIX

Posted on 2008-06-23
Last Modified: 2010-04-09
Hi

I am not able to ping from host 219.91.178.58 to the outside of the PIX (219.91.178.59). Please help, this is urgent!

++++++++++++++++++++++++++++++++++++++++++++++++
configuration
++++++++++++++++++

PIX Version 7.1(1)
!
hostname fwpix-mark01
domain-name default.domain.invalid
enable password .vQuvlGbz1nJZcdO encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 219.91.178.59 255.255.255.248
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.243.1 255.255.255.0
!
interface Ethernet2
 nameif pixpix
 security-level 50
 ip address 10.94.6.1 255.255.255.0
!
passwd RTYHGBNJK encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outacl extended permit icmp any any echo-reply
access-list outacl extended permit tcp host 219.91.178.58 192.168.43.0 255.255.255.0
access-list inacl extended permit icmp any any echo-reply
access-list inacl extended permit ip 192.168.243.0 255.255.255.0 host 219.91.178.58
access-list acl_nonat extended permit ip 192.168.243.0 255.255.255.0 219.47.190.0 255.255.255.0
access-list outside_cryptomap_30 extended permit ip 192.168.243.0 255.255.255.0 209.47.190.80 255.255.255.240
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu pixpix 1500
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list acl_nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outacl in interface outside
access-group inacl in interface inside
route outside 219.91.178.58 255.255.255.255 219.91.178.57 1
route outside 0.0.0.0 0.0.0.0 219.91.178.57 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.243.242 255.255.255.255 inside
snmp-server host outside 10.3.1.18 community ZS5544fwmark
snmp-server location PIX Markham
snmp-server contact C-IT6 0172 8979428
snmp-server community ZS5544fwmark
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set markham esp-3des esp-md5-hmac
crypto ipsec transform-set tripple-des esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map gddrp 30 match address outside_cryptomap_30
crypto map gddrp 30 set peer 219.167.10.27
crypto map gddrp 30 set transform-set ESP-3DES-SHA
crypto map gddrp interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group 10.4.12.2 type ipsec-l2l
tunnel-group 10.4.12.2 ipsec-attributes
 pre-shared-key *
tunnel-group 10.254.1.209 type ipsec-l2l
tunnel-group 10.254.1.209 ipsec-attributes
 pre-shared-key *
tunnel-group 219.167.10.30 type ipsec-l2l
tunnel-group 219.167.10.30 ipsec-attributes
 pre-shared-key *
tunnel-group 219.167.10.27 type ipsec-l2l
tunnel-group 219.167.10.27 ipsec-attributes
 pre-shared-key *
telnet 192.168.243.0 255.255.255.0 inside
telnet timeout 5
sh 10.3.1.18 255.255.255.255 outside
ssh 10.4.12.254 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.94.2.0 255.255.255.0 inside
ssh timeout 10
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
tftp-server outside 10.4.12.254 /
Cryptochecksum:c99e8407cd9169d1261488117ef173ca
: end

Question by:alimohammed72
5 Comments
 
LVL 17

Expert Comment

by:Andres Perales
ID: 21846325
0
 
LVL 14

Expert Comment

by:agriesser
ID: 21846334
Try:

no nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 1 192.168.243.0 255.255.255.0
0
 
LVL 3

Expert Comment

by:AugustTen
ID: 21846446
This is permitted by default, and you have not configured anything to block it, so the best bet is to start troubleshooting on Layer 2. Check the ARP tables on the host to see if you can find the PIX MAC address. Check the switch VLAN configuration and CAM tables.
0
 
LVL 14

Accepted Solution

by:
agriesser earned 500 total points
ID: 21846524
Oh and why is there a designated route to 219.91.178.58? It's on the same network as your outside interface, so it doesn't need to get routed.

route outside 219.91.178.58 255.255.255.255 219.91.178.57 1

It should be safe to delete this route:

no route outside 219.91.178.58 255.255.255.255 219.91.178.57 1

Does pinging the gateway from the PIX work?

ping outside 219.91.178.57

Does pinging the "host" you're talking about work?

ping outside 219.91.178.58
0
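The check suggested in the answer above (a static route whose destination already lies on the interface's own subnet) can be run over a saved configuration. This is an added example, not part of the original thread; the function names are hypothetical and SAMPLE_CONFIG is a constructed excerpt of the interface and route lines from the posted configuration.

```python
import ipaddress

# Constructed sample: interface and route lines taken from the posted configuration.
SAMPLE_CONFIG = """\
interface Ethernet0
 nameif outside
 security-level 0
 ip address 219.91.178.59 255.255.255.248
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.243.1 255.255.255.0
!
route outside 219.91.178.58 255.255.255.255 219.91.178.57 1
route outside 0.0.0.0 0.0.0.0 219.91.178.57 1
"""

def connected_networks(config):
    """Map each nameif to the subnet configured on that interface."""
    nets, nameif = {}, None
    for line in config.splitlines():
        words = line.split()
        if not words or words[0] == "interface":
            nameif = None                  # new interface block, name not seen yet
        elif words[0] == "nameif" and len(words) == 2:
            nameif = words[1]
        elif words[:2] == ["ip", "address"] and nameif and len(words) >= 4:
            nets[nameif] = ipaddress.ip_interface(f"{words[2]}/{words[3]}").network
    return nets

def redundant_routes(config):
    """Return static routes whose destination is already directly connected."""
    nets = connected_networks(config)
    findings = []
    for line in config.splitlines():
        words = line.split()
        if len(words) < 5 or words[0] != "route":
            continue
        ifname, dest, mask, gateway = words[1:5]
        target = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        connected = nets.get(ifname)
        # A default route (0.0.0.0/0) is never a subnet of a connected network,
        # so only more-specific routes inside the interface subnet are reported.
        if connected is not None and target.subnet_of(connected):
            findings.append((line.strip(), str(connected), gateway))
    return findings

if __name__ == "__main__":
    for route, net, gw in redundant_routes(SAMPLE_CONFIG):
        print(f"{route!r}: destination is inside connected network {net}; gateway {gw} is not needed")
```

On the sample it reports only the /32 route to 219.91.178.58, which falls inside the outside interface's 219.91.178.56/29 subnet; the default route is left alone.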
 
LVL 14

Expert Comment

by:agriesser
ID: 21849613
Good to see that it works now for you.
Just for the record: What was the problem? Was it the route or was it the NAT entry?
0
