PIX 506 2nd IP Issue

Posted on 2009-02-20
Last Modified: 2012-05-06
I have a Pix 506e with a 2nd IP assigned to the outside interface. All is well, and the IP traffic to the 2nd IP is fine, except ICMP. When I try to ping it (which I need to be able to do), the unit logs the error:

02-19-2009      12:40:15      Local4.Error      P.I.X.1      Feb 19 2009 12:40:15: %PIX-3-106011: Deny inbound (No xlate) icmp src outside:A.N.Y.IP dst outside:P.U.B.IP2 (type 8, code 0)

I have enabled all the ICMP info & can ping the primary IP fine.

Any ideas are greatly appreciated.

Brad
Question by:fyr3byt3

Expert Comment

by:JFrederick29
ID: 23695483
In order to ping, the second IP needs to be a 1-1 static NAT (not a port xlate).  Can you post a "show run static"?

Author Comment

by:fyr3byt3
ID: 23695604
Here is the global, NAT & Static conf:

global (outside) 1 interface
global (outside) 1 2.N.D.IP
nat (inside) 0 access-list nonat
nat (inside) 1 ... 255.255.255.0 0 0
static (inside,outside) tcp 1.S.T.IP www P.R.I.8 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.S.T.IP smtp P.R.I.8 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.S.T.IP pop3 P.R.I.8 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp 2.N.D.IP domain P.R.I.7 domain netmask 255.255.255.255 0 0
static (inside,outside) tcp 2.N.D.IP www P.R.I.7 www netmask 255.255.255.255 0 0
static (inside,outside) udp 2.N.D.IP domain P.R.I.7 domain netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.S.T.IP https P.R.I.8 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 2.N.D.IP https P.R.I.7 https netmask 255.255.255.255 0 0

Accepted Solution

by:
JFrederick29 earned 2000 total points
ID: 23695625
Yeah, you can only ping if you forward all to the server.

conf t
no static (inside,outside) tcp 2.N.D.IP domain P.R.I.7 domain netmask 255.255.255.255 0 0
no static (inside,outside) tcp 2.N.D.IP www P.R.I.7 www netmask 255.255.255.255 0 0
no static (inside,outside) udp 2.N.D.IP domain P.R.I.7 domain netmask 255.255.255.255 0 0
no static (inside,outside) tcp 2.N.D.IP https P.R.I.7 https netmask 255.255.255.255 0 0

static (inside,outside) 2.N.D.IP P.R.I.7 netmask 255.255.255.255 0 0

You then have to allow ICMP via the outside access-list:

access-list outside_access_in extended permit icmp any host 2.N.D.IP
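Added example, not part of the original posts: a Python helper that builds the change described in the accepted solution from the posted static lines, permitting only the services that were forwarded before plus ICMP echo (the type 8 shown in the 106011 log line). The function name plan_one_to_one is hypothetical, the ACL name and access-list syntax follow the accepted solution, and restricting ICMP to echo is an assumption.

```python
import re

# Constructed sample: static lines copied from the post, placeholder addresses kept.
SAMPLE_CONFIG = """\
static (inside,outside) tcp 1.S.T.IP www P.R.I.8 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 2.N.D.IP domain P.R.I.7 domain netmask 255.255.255.255 0 0
static (inside,outside) tcp 2.N.D.IP www P.R.I.7 www netmask 255.255.255.255 0 0
static (inside,outside) udp 2.N.D.IP domain P.R.I.7 domain netmask 255.255.255.255 0 0
static (inside,outside) tcp 2.N.D.IP https P.R.I.7 https netmask 255.255.255.255 0 0
"""

# static (real_if,mapped_if) tcp|udp <public ip> <public port> <inside ip> <inside port> ...
PORT_STATIC = re.compile(
    r"static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask \S+( .*)?")


def plan_one_to_one(config, public_ip, acl="outside_access_in"):
    """Return the commands that replace the port statics of public_ip with one
    1-1 static, permitting only the ports forwarded before plus ICMP echo."""
    removals, permits, targets = [], [], set()
    for line in (raw.strip() for raw in config.splitlines()):
        m = PORT_STATIC.fullmatch(line)
        if not m or m.group(4) != public_ip:
            continue  # not a port static for this public address
        real_if, mapped_if, proto, _, pub_port, host, host_port, _ = m.groups()
        if pub_port != host_port:
            # A 1-1 static cannot remap ports; converting would break this forward.
            raise ValueError(f"{line!r} remaps a port, cannot become a 1-1 static")
        targets.add((real_if, mapped_if, host))
        removals.append("no " + line)
        permits.append(
            f"access-list {acl} extended permit {proto} any host {public_ip} eq {pub_port}")
    if len(targets) != 1:
        # Zero matches, or forwards to several inside hosts: one 1-1 static cannot cover it.
        raise ValueError(f"{public_ip} needs exactly one inside host, found {len(targets)}")
    real_if, mapped_if, host = targets.pop()
    static = f"static ({real_if},{mapped_if}) {public_ip} {host} netmask 255.255.255.255 0 0"
    # Type 8 (echo) is what the 106011 log line shows being denied.
    echo = f"access-list {acl} extended permit icmp any host {public_ip} echo"
    return removals + [static] + permits + [echo]


if __name__ == "__main__":
    print("\n".join(plan_one_to_one(SAMPLE_CONFIG, "2.N.D.IP")))
```

With a 1-1 static in place, the outside access-list is the only thing limiting which ports reach P.R.I.7, so compare the emitted permit lines with what the ACL already contains before applying them.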