• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 639
  • Last Modified:

Another Ping through a pix 501


I've got a Pix 501 and I'm having a problem allowing ping responses back through the pix.
Basically I'm trying to ping a public IP address from a machine on the inside interface of the pix but its not getting the responses back.
The machine on the inside interface can get to the internet and the ping can resolve the DNS of a URL.

Here is the PIX config, any ideas on what I've missed?

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname PIX
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list apo_acl permit icmp any any echo-reply
access-list apo_acl permit icmp any any source-quench
access-list apo_acl permit icmp any any unreachable
access-list apo_acl permit icmp any any time-exceeded
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0 0
access-group apo_acl in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt noproxyarp outside
telnet timeout 1
ssh timeout 5
console timeout 0
dhcpd address inside
dhcpd dns
dhcpd wins
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
  • 4
  • 2
  • 2
3 Solutions
Your config looks right, are you sure that the outside IP is responding?.  Can you try a static NAT statement to the inside address and add that to the beginning of the ACL to see if it works then?

Markus BraunCEOCommented:

type " debug icmp trace" and ping again - post the log
the other host might just be unresponsive

sysopt noproxyarp outside - i recommend you remove that since that can cause it to fail too since you do NAT, you need that Proxy ARP )
mxdmndsAuthor Commented:
I've added the static route, still doesnt seem to get the responses back
The address is ping-able (www.bbc.co.uk - I have a machine on the network which gets the responses back from that above ip perfectly.
I've also re-enabled Proxy ARP.
Still No Luck

The output of the icmp debug is:
PIX# 1: ICMP echo-request from inside: to ID=55117seq=1 length=64
2: ICMP echo-request: translating inside: to outside:
3: ICMP echo-reply from outside: to ID=55117 seq=1 length=64
4: ICMP echo-reply: untranslating outside: to inside:
5: ICMP echo-request from inside: to ID=55117 seq=2 length=64
SMB Security Just Got a Layer Stronger

WatchGuard acquires Percipient Networks to extend protection to the DNS layer, further increasing the value of Total Security Suite.  Learn more about what this means for you and how you can improve your security with WatchGuard today!

Markus BraunCEOCommented:
since you dont have an actual public IP configured on the outside interface, there may be a problem with whatever router you have on the WAN side.
I assume there is a router? Cause usually the ASA/Pix has a public IP on the outside interface. Since you do not, the router on the WAN side probably does some natting too and it looks like there could be a problem.
Could you describe the hardware setup ?
"The address is ping-able (www.bbc.co.uk - I have a machine on the network which gets the responses back from that above ip perfectly."

Can you describe your topology?  I don't get how you have PC's on the same subnet as the outside interface of the ASA.
mxdmndsAuthor Commented:
The Router should be Natting Correctly as the machine that directly connects to the router can ping successfully.
Its a Tree Topology.

          /  \
       /    \
      /      \
    [Comp1]   [PIX]
And both the Computers have an Identical setup
mxdmndsAuthor Commented:

Sorry that didnt come out too good
          /        \
       /          \
      /            \
    [Comp1]   [PIX]
mxdmndsAuthor Commented:
Ha ha, it wasn't the pix at all... well not directly.
The software firewall on the computer on the inside interface needed to be reconfigured to see the allow responses from the pix

Featured Post

Managing Security & Risk at the Speed of Business

Gartner Research VP, Neil McDonald & AlgoSec CTO, Prof. Avishai Wool, discuss the business-driven approach to automated security policy management, its benefits and how to align security policy management with business processes to address today's security challenges.

  • 4
  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now