PIX 501 behind Cisco 2600 - Can't Ping Inside IP

Internet -->2600 -->PIX501-->switch--> LAN
I want to be able to set up ip nat on the router for two of my servers on my internal network that is behind the PIX; however, I am struggling with not being able to ping those servers from my c2600 router.

I am able to get out to the Internet.

Router
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname ROUTER1
!
!
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 64.xx.xx.xxx 255.255.255.240
 ip broadcast-address 64.xx.xx.xx
 ip nat outside
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 ip address 172.16.0.1 255.255.255.252
 ip broadcast-address 172.16.0.3
 ip nat inside
 duplex auto
 speed auto
!
ip nat inside source list 10 interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 64.xxx.xxx.xxx
ip route 172.16.1.0 255.255.255.192 172.16.0.2
ip route 172.16.1.0 255.255.255.192 172.16.1.1
no ip http server
!
access-list 10 permit 172.16.1.0 0.0.0.255
access-list 10 permit 172.16.0.0 0.0.0.255
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
 password 7 
 login
 speed 115200
line aux 0
 password 7 
 login
line vty 0 4
 password 7 
 login
!
end
 
---------------------------------------------------------------------------------------------------------
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Xa40Nt0afIZZLC2N encrypted
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list allow_inbound permit tcp any interface outside eq 33
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 172.16.0.2 255.255.255.252
ip address inside 172.16.1.1 255.255.255.192
ip audit info action alarm
ip audit attack action alarm
pdm location 172.16.1.0 255.255.255.192 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 172.16.1.0 255.255.255.192 0 0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 172.16.1.0 255.255.255.192 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 172.16.1.2-172.16.1.20 inside
dhcpd dns 172.16.1.52 172.16.1.55
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum:b3e04a8e137e34d67a6710cb0433d980


Wayne-Asked:
 
JFrederick29 Commented:
For the other servers:

access-list allow_inbound permit tcp any host 172.16.1.51 eq 1723
access-list allow_inbound permit gre any host 172.16.1.51

On the router:

conf t
no ip nat inside source static tcp 172.16.1.61 25 interface FastEthernet0/0 80
no ip nat inside source static 172.16.1.15 64.183.219.77

ip nat inside source static 172.16.1.61 64.xx.xx.75
ip nat inside source static 172.16.1.51 64.xx.xx.77

JFrederick29 Commented:
Since you are doing PAT on the PIX as well, ICMP to the inside is not possible.  You can either disable PAT on the PIX and let the router directly connect to the 172.16.1.0 subnet.  If you want to continue to use PAT on the PIX, you will need to set up a static NAT on the router translating to the outside IP of the PIX and then set up a static on the PIX as well to the real IP address.
 
Wayne-Author Commented:
When I disable PAT on the PIX, will I need to set up a static route on my firewall to the public IP on the router for my internal users to get out to the Internet?
 
JFrederick29 Commented:
No, you will need to add a static to let the real IPs go through to the router and the router already has a route to the 172.16.1.0 subnet.  I don't see it in the config but it must have a default route if you are working now.  Does it have this "route outside 0.0.0.0 0.0.0.0 172.16.0.1"?


To change from PAT to NAT on PIX:

static (inside,outside) 172.16.1.0 172.16.1.0 netmask 255.255.255.192
no global (outside) 1 interface                            
no nat (inside) 1 172.16.1.0 255.255.255.192 0

Also, add an access-list to the PIX to allow ICMP and the inbound connections to the server.

access-list allow_inbound permit icmp any any
access-list allow_inbound permit tcp any host 172.16.1.x eq 80   <--or whatever port

access-group allow_inbound in interface outside

Then, on the router, add the NAT statement:

conf t
ip nat inside source static tcp 172.16.1.x 80 interface FastEthernet0/0 80   <--or whatever port
 
Wayne-Author Commented:
Yes, it does have a default route to that IP


pixfirewall(config)#  show route
        outside 0.0.0.0 0.0.0.0 172.16.0.1 1 OTHER static
        outside 172.16.0.0 255.255.255.252 172.16.0.2 1 CONNECT static
        inside 172.16.1.0 255.255.255.192 172.16.1.1 1 CONNECT static

JFrederick29 Commented:
Yeah, I figured.  The above config should work to allow access to the server as well as allow you to ping from the router to the LAN systems.
 
Wayne-Author Commented:
Is there a command to disable PAT on the PIX?

JFrederick29 Commented:
static (inside,outside) 172.16.1.0 172.16.1.0 netmask 255.255.255.192
no global (outside) 1 interface                            
no nat (inside) 1 172.16.1.0 255.255.255.192 0
 
Wayne-Author Commented:
access-list allow_inbound permit tcp any host 172.16.1.x eq 80  <--or whatever port
Should this be the IP of the server that I'm trying to reach, or should that be the starting IP address of my subnet (as well as on the router)?
Then, on the router, add the NAT statement:

conf t
ip nat inside source static tcp 172.16.1.x 80 interface FastEthernet0/0 80   <--or whatever port

JFrederick29 Commented:
Yes. 172.16.1.x is the server IP address.  Yes, same on the router.
 
Wayne-Author Commented:
Now that I've done that, is it OK to do
ip nat inside source static  private ip  Public ip..............so that I can make the server accessible from the Internet?

JFrederick29 Commented:
Yeah, use the fa0/0 interface for the public IP though like this:

ip nat inside source static tcp 172.16.1.x 80 interface FastEthernet0/0 80
 
Wayne-Author Commented:
so I should write
Private ip 172.16.1.52
Public IP 64.XX.XX.XX

ip nat inside source static tcp 172.16.1.52  64.xx.xx.xx 80 interface FastEthernet0/0 80

JFrederick29 Commented:
Actually, like this:

ip nat inside source static tcp 172.16.1.52 80 interface FastEthernet0/0 80
 
Wayne-Author Commented:
I'm a little confused. I have a pool of public IPs that I need to NAT: 64.xx.xx.xx - 64.xx.xx.xx /28
I need to NAT out the Exchange server with a public IP to get mail through
I need to NAT out the VPN server to allow connections from the outside

If I do (ip nat inside source static tcp 172.16.1.52 80 interface FastEthernet0/0 80), how will it know which public IP to send the packet to?

JFrederick29 Commented:
Ahh, okay, sorry.  I thought you only had the one IP :)

Then, yes, you are correct:

ip nat inside source static tcp 172.16.1.52 64.xx.xx.xx  <--free IP
ip nat inside source static tcp 172.16.1.x 64.xx.xx.yy  <--another free IP

JFrederick29 Commented:
Oops, copy/paste error:

ip nat inside source static 172.16.1.52 64.xx.xx.xx  <--free IP
ip nat inside source static 172.16.1.x 64.xx.xx.yy  <--another free IP
 
Wayne-Author Commented:
Not sure if I'm doing something wrong. I have NATed that one private address to a public address:
ip nat inside source static 172.16.1.52 64.xx.xx.xx
That one server is not able to get out to the Internet and I am not able to ping that public IP from the outside.

All other computers are still able to get out to the Internet, but not that one server, 172.16.1.52.

Do I need to do something on the firewall also?

JFrederick29 Commented:
Can you post the current configs?
 
Wayne-Author Commented:
ROUTER---------
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname ROUTER1
!
!
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 64.18.xx.xx 255.255.255.240
 ip broadcast-address 64.18.xx.xx
 ip nat outside
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 ip address 172.16.0.1 255.255.255.252
 ip broadcast-address 172.16.0.3
 ip nat inside
 duplex auto
 speed auto
!
ip nat inside source list 10 interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 64.18.xx.xx
ip route 172.16.1.0 255.255.255.192 172.16.0.2
ip route 172.16.1.0 255.255.255.192 172.16.1.1
no ip http server
!
access-list 10 permit 172.16.1.0 0.0.0.255
access-list 10 permit 172.16.0.0 0.0.0.255
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
 password 7
 login
 speed 115200
line aux 0
 password 7
 login
line vty 0 4
 password 7
 login

________________________________________________________________________________
PIX
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Xa40Nt0afIZZLC2N encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list allow_inbound permit tcp any interface outside eq 3389
pager lines 24
icmp permit any traceroute outside
icmp permit any outside
icmp permit any echo-reply outside
ip address inside 172.16.1.1 255.255.255.192
ip audit info action alarm
ip audit attack action alarm
pdm location 172.16.1.0 255.255.255.192 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 172.16.1.0 255.255.255.192 0 0
route outside 0.0.0.0 0.0.0.0 172.16.0.1 1
timeout xlate 3:00:00
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 172.16.1.0 255.255.255.192 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 172.16.1.2-172.16.1.20 inside
dhcpd dns 172.16.1.52 172.16.1.55
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum:b3e04a8e137e34d67a6710cb0433d980
pixfirewall(config)#

!_______________________________________________________________________________

JFrederick29 Commented:
Is that your new config?  It looks the same as the old...
 
Wayne-Author Commented:
When I take out the config   ip nat inside source static 172.16.1.52 64.xx.xx.xx   I am able to get to the outside again.
 
Wayne-Author Commented:
That is the new one. I didn't change anything on the router but that one thing you said:
Then, on the router, add the NAT statement:

conf t
ip nat inside source static tcp 172.16.1.x 80 interface FastEthernet0/0 80   <--or whatever port
 
Wayne-Author Commented:
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname TNGROUTER1
!
!
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 64.xx.xx.xx 255.255.255.240
 ip broadcast-address 64.1xx.xx.xx
 ip nat outside
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 ip address 172.16.0.1 255.255.255.252
 ip broadcast-address 172.16.0.3
 ip nat inside
 duplex auto
 speed auto
!
ip nat inside source list 10 interface FastEthernet0/0 overload
ip nat inside source static tcp 172.16.1.52 3389 interface FastEthernet0/0 3389
ip nat inside source static tcp 172.16.1.61 25 interface FastEthernet0/0 80
ip nat inside source static 172.16.1.15 64.183.219.77
ip classless
ip route 0.0.0.0 0.0.0.0 64.183.219.65
ip route 172.16.1.0 255.255.255.192 172.16.0.2
ip route 172.16.1.0 255.255.255.192 172.16.1.1
no ip http server
!
access-list 10 permit 172.16.1.0 0.0.0.255
access-list 10 permit 172.16.0.0 0.0.0.255
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
 password 7 131112110302013D3

JFrederick29 Commented:
Please post the current PIX config also.  You made the PAT changes, right?  Also, what servers and what ports do you want to be accessible from the outside?
 
Wayne-Author Commented:
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Xa40Nt0afIZZLC2N encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
access-list allow_inbound permit tcp any interface outside eq 3389
access-list allow_inbound permit icmp any any
access-list allow_inbound permit tcp any host 172.16.1.0 eq www
access-list allow_inbound permit tcp any host 172.16.1.61 eq smtp
access-list allow_ping permit icmp any any echo-reply
access-list allow_ping permit icmp any any source-quench
access-list allow_ping permit icmp any any time-exceeded
pager lines 24
icmp permit any traceroute outside
icmp permit any outside
icmp permit any echo-reply outside
icmp permit any router-solicitation outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 172.16.0.2 255.255.255.252
ip address inside 172.16.1.1 255.255.255.192
ip audit info action alarm
ip audit attack action alarm
pdm location 172.16.1.0 255.255.255.192 inside
pdm history enable
arp timeout 14400
access-group allow_inbound in interface outside
route outside 0.0.0.0 0.0.0.0 172.16.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 172.16.1.0 255.255.255.192 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
console timeout 0
dhcpd address 172.16.1.2-172.16.1.20 inside
dhcpd dns 172.16.1.52 172.16.1.55
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum:2e7ae916b901b088258a8ec0d66ad87b
 
Wayne-Author Commented:
I was needing
server 172.16.1.61 port 25
 server  172.16.1.52 port 3389
server  72.16.1.51 port 1723

JFrederick29 Commented:
Okay, maybe it just didn't show up in the post but is this in your config:

static (inside,outside) 172.16.1.0 172.16.1.0 netmask 255.255.255.192

If not, add this:

conf t
static (inside,outside) 172.16.1.0 172.16.1.0 netmask 255.255.255.192
access-list allow_inbound permit tcp any host 172.16.1.52 eq 3389

On the router:

no ip nat inside source static tcp 172.16.1.52 3389 interface FastEthernet0/0 3389
ip nat inside source static 172.16.1.52 64.xx.xx.76   <--or a free IP in your pool to dedicate to .52

With these changes, you should be able to access the 172.16.1.52 server from the outside via RDP.
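
The end state described in this answer (a router static NAT, a PIX static that exposes the real address on the outside interface, and a permit in the ACL bound to outside) can be checked mechanically. The script below is an added example, not code from the thread: the function names and sample configs are constructed, it assumes the PIX 6.3 `static (inside,outside) <global> <local>` form, and it only parses the command forms that appear in the configs posted here.

```python
import ipaddress
import re

IP = r"(\d+\.\d+\.\d+\.\d+)"
PORT_NAMES = {"www": 80, "smtp": 25}  # the PIX prints some well-known ports by name

def port_num(p):
    return PORT_NAMES.get(p) or (int(p) if p.isdigit() else None)

def router_statics(cfg):
    """(proto, inside_ip, port) per IOS static NAT line; proto and port are None for 1:1 NAT."""
    pat = re.compile(rf"^\s*ip nat inside source static (?:(tcp|udp) )?{IP}(?: (\d+))? ", re.M)
    return [(m[1], m[2], int(m[3]) if m[3] else None) for m in pat.finditer(cfg)]

def pix_static_nets(cfg):
    """Networks the PIX presents on outside: static (inside,outside) <global> <local> netmask <m>."""
    pat = re.compile(rf"^\s*static \(inside,outside\) {IP} \S+ netmask (\S+)", re.M)
    return [ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False) for m in pat.finditer(cfg)]

def outside_acl(cfg):
    """Name of the ACL bound inbound on outside and its 'permit <proto> any host <ip>' entries."""
    grp = re.search(r"^\s*access-group (\S+) in interface outside", cfg, re.M)
    if not grp:
        return None, []
    pat = re.compile(rf"^\s*access-list {re.escape(grp[1])} permit (\S+) any host {IP}(?: eq (\S+))?", re.M)
    return grp[1], [(m[1], m[2], m[3]) for m in pat.finditer(cfg)]

def audit(router_cfg, pix_cfg):
    findings = []
    nets = pix_static_nets(pix_cfg)
    acl, entries = outside_acl(pix_cfg)
    if acl is None:
        findings.append("PIX: no access-list applied inbound on outside")
    if re.search(r"^\s*global \(outside\) \d+ interface", pix_cfg, re.M):
        findings.append("PIX: still PATs inside hosts behind its outside interface")
    for _, host, _ in entries:
        if any(n.prefixlen < 32 and ipaddress.ip_address(host) == n.network_address for n in nets):
            findings.append(f"{host}: ACL host entry is the subnet address, not a server")
    for proto, ip, port in router_statics(router_cfg):
        if not any(ipaddress.ip_address(ip) in n for n in nets):
            findings.append(f"{ip}: router static NAT, but no PIX static exposes it on outside")
        hits = [e for e in entries if e[1] == ip and (proto is None or e[0] in (proto, "ip"))]
        if port is not None:
            hits = [e for e in hits if e[2] is None or port_num(e[2]) == port]
        if not hits:
            findings.append(f"{ip}: router static NAT, but the outside ACL permits nothing to it")
    return findings

# Constructed samples modelled on the configs posted in this thread.
ROUTER = """\
ip nat inside source list 10 interface FastEthernet0/0 overload
ip nat inside source static 172.16.1.52 64.xx.xx.68
ip nat inside source static tcp 172.16.1.61 25 interface FastEthernet0/0 25
"""
PIX_PAT = """\
access-list allow_inbound permit icmp any any
access-list allow_inbound permit tcp any host 172.16.1.61 eq smtp
global (outside) 1 interface
nat (inside) 1 172.16.1.0 255.255.255.192 0 0
access-group allow_inbound in interface outside
"""
PIX_STATIC = """\
access-list allow_inbound permit icmp any any
access-list allow_inbound permit tcp any host 172.16.1.0 eq www
access-list allow_inbound permit tcp any host 172.16.1.61 eq smtp
access-list allow_inbound permit tcp any host 172.16.1.52 eq 3389
static (inside,outside) 172.16.1.0 172.16.1.0 netmask 255.255.255.192 0 0
access-group allow_inbound in interface outside
"""

if __name__ == "__main__":
    for label, pix in (("PAT on PIX", PIX_PAT), ("identity static on PIX", PIX_STATIC)):
        print(label, audit(ROUTER, pix))
```

A one-to-one router static such as the one for 172.16.1.52 forwards every port on the public address to the PIX, so the outside ACL is the only filter in front of that server and the per-host permits are the entries to review.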

 
Wayne-Author Commented:
Still not able to ping or RDP into the server. Posting config:

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Xa40Nt0afIZZLC2N encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
access-list allow_inbound permit tcp any interface outside eq 3389
access-list allow_inbound permit icmp any any
access-list allow_inbound permit tcp any host 172.16.1.0 eq www
access-list allow_inbound permit tcp any host 172.16.1.61 eq smtp
access-list allow_inbound permit tcp any host 172.16.1.52 eq 3389
access-list allow_ping permit icmp any any echo-reply
access-list allow_ping permit icmp any any source-quench
access-list allow_ping permit icmp any any time-exceeded
pager lines 24
icmp permit any traceroute outside
icmp permit any outside
icmp permit any echo-reply outside
icmp permit any router-solicitation outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 172.16.0.2 255.255.255.252
ip address inside 172.16.1.1 255.255.255.192
ip audit info action alarm
ip audit attack action alarm
pdm location 172.16.1.0 255.255.255.192 inside
pdm history enable
static (inside,outside) 172.16.1.0 172.16.1.0 netmask 255.255.255.192 0 0
access-group allow_inbound in interface outside
route outside 0.0.0.0 0.0.0.0 172.16.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 172.16.1.0 255.255.255.192 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 172.16.1.2-172.16.1.20 inside
dhcpd dns 172.16.1.52 172.16.1.55
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum:21067eff6ff420fc62d1e64b46c59dfa
pixfirewall(config)#

-----------------------------------------------------

version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname TNGROUTER1
!
!
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 64.xx.xx.66 255.255.255.240
 ip broadcast-address 64.xx.xx.79
 ip nat outside
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 ip address 172.16.0.1 255.255.255.252
 ip broadcast-address 172.16.0.3
 ip nat inside
 duplex auto
 speed auto
!
ip nat inside source list 10 interface FastEthernet0/0 overload
ip nat inside source static 172.16.1.52 64.xx.xx.68
ip classless
ip route 0.0.0.0 0.0.0.0 64.xx.xx.xx
ip route 172.16.1.0 255.255.255.192 172.16.0.2
ip route 172.16.1.0 255.255.255.192 172.16.1.1
no ip http server
!
access-list 10 permit 172.16.1.0 0.0.0.255
access-list 10 permit 172.16.0.0 0.0.0.255
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
 password 7
 login
 speed 115200
line aux 0
 password 7
 login
line vty 0 4
 password 7
 login
!
end

TNGROUTER1#
 
Wayne-Author Commented:
I am able to ping from the router but not from the outside
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.61, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
TNGROUTER1#ping 64.xx.xx.68

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 64.xx.xx.68, timeout is 2 seconds:
!!!!!

JFrederick29 Commented:
The config looks okay.  You can RDP to 172.16.1.52 from the inside, right?  

Are you able to browse the Internet from the 172.16.1.52 machine?  If so, connect to http://www.whatismyip.com and make sure it returns the 64.xx.xx.68 address.
 
Wayne-Author Commented:
Yes, I can RDP from the inside but cannot from the outside.
I ping the public IP from the PIX and I get no response.

pixfirewall(config)# ping 64.183.219.68
        64.xxx.xxx.68 NO response received -- 1000ms
        64.xxx.xxx.68 NO response received -- 1000ms
        64.xxx.xxx.68 NO response received -- 1000ms
pixfirewall(config)# ping 172.16.1.52
        172.16.1.52 response received -- 0ms
        172.16.1.52 response received -- 0ms
        172.16.1.52 response received -- 0ms
pixfirewall(config)#

JFrederick29 Commented:
Yeah, that is normal, you won't be able to from the PIX.

Are you able to browse the Internet from the 172.16.1.52 machine?  If so, connect to http://www.whatismyip.com and make sure it returns the 64.xx.xx.68 address.
 
Wayne-Author Commented:
Not sure what happened. I took the config out and put it back in, and it seems to be working now.

JFrederick29 Commented:
Excellent.