Another Ping through a pix 501

hello,

I've got a PIX 501 and I'm having a problem allowing ping responses back through the PIX.
Basically I'm trying to ping a public IP address from a machine on the inside interface of the PIX, but it's not getting the responses back.
The machine on the inside interface can get to the internet, and the ping can resolve the DNS name of a URL.


Here is the PIX config, any ideas on what I've missed?

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname PIX
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list apo_acl permit icmp any any echo-reply
access-list apo_acl permit icmp any any source-quench
access-list apo_acl permit icmp any any unreachable
access-list apo_acl permit icmp any any time-exceeded
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.9 255.255.255.0
ip address inside 20.30.0.1 255.0.0.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group apo_acl in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt noproxyarp outside
telnet timeout 1
ssh timeout 5
console timeout 0
dhcpd address 20.30.0.2-20.30.0.32 inside
dhcpd dns 192.168.1.1
dhcpd wins 192.168.1.1
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
mxdmndsAsked:

qbakiesCommented:
Your config looks right. Are you sure that the outside IP is responding? Can you try a static NAT statement to the inside address and add that to the beginning of the ACL to see if it works then?

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#topic3
Markus BraunCEOCommented:

type " debug icmp trace" and ping again - post the log
the other host might just be unresponsive

sysopt noproxyarp outside - i recommend you remove that since that can cause it to fail too since you do NAT, you need that Proxy ARP )
mxdmndsAuthor Commented:
I've added the static route; it still doesn't seem to get the responses back.
The address is ping-able (www.bbc.co.uk - 212.58.246.161). I have a machine on the 192.168.1.0 network which gets the responses back from that IP perfectly.
I've also re-enabled proxy ARP.
Still no luck.

The output of the icmp debug is:
PIX# 1: ICMP echo-request from inside:20.30.0.3 to 212.58.246.161 ID=55117seq=1 length=64
2: ICMP echo-request: translating inside:20.30.0.3 to outside:192.168.1.3
3: ICMP echo-reply from outside:212.58.246.161 to 192.168.1.3 ID=55117 seq=1 length=64
4: ICMP echo-reply: untranslating outside:192.168.1.3 to inside:20.30.0.3
5: ICMP echo-request from inside:20.30.0.3 to 212.58.246.161 ID=55117 seq=2 length=64
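The debug output above is the decisive clue in this thread: the reply is logged arriving on the outside interface and being untranslated back to the inside host, so the PIX has done its part. The following is an added example, not code from the thread or from Cisco: a small correlator for `debug icmp trace` lines that pairs each echo-request with its echo-reply by ICMP ID and sequence number and reports how far each probe got. The sample trace is constructed from the five lines posted above (including the missing space in `ID=55117seq=1`, which the parser tolerates), plus a sixth constructed line so that a request with no matching reply also appears. The verdict strings are assumptions about which part of the path to inspect next, not PIX output.

```python
import re
from collections import OrderedDict

# Constructed sample: lines 1-5 are the thread's debug output, line 6 is
# constructed so that seq=2 shows a request that never got a reply.
SAMPLE_TRACE = """\
PIX# 1: ICMP echo-request from inside:20.30.0.3 to 212.58.246.161 ID=55117seq=1 length=64
2: ICMP echo-request: translating inside:20.30.0.3 to outside:192.168.1.3
3: ICMP echo-reply from outside:212.58.246.161 to 192.168.1.3 ID=55117 seq=1 length=64
4: ICMP echo-reply: untranslating outside:192.168.1.3 to inside:20.30.0.3
5: ICMP echo-request from inside:20.30.0.3 to 212.58.246.161 ID=55117 seq=2 length=64
6: ICMP echo-request: translating inside:20.30.0.3 to outside:192.168.1.3
"""

# Packet lines: "<n>: ICMP <type> from <if>:<ip> to [<if>:]<ip> ID=<id> seq=<seq> ...".
# An optional "PIX# " prompt is allowed, and "\s*" between ID and seq
# tolerates the missing space seen in the thread's first line.
PKT_RE = re.compile(
    r"^(?:\S+#\s*)?\d+:\s+ICMP\s+(?P<type>echo-request|echo-reply)\s+from\s+"
    r"(?P<src_if>\w+):(?P<src>[\d.]+)\s+to\s+(?:(?P<dst_if>\w+):)?(?P<dst>[\d.]+)\s+"
    r"ID=(?P<id>\d+)\s*seq=(?P<seq>\d+)"
)
# NAT lines: "<n>: ICMP <type>: translating|untranslating <if>:<ip> to <if>:<ip>".
# These carry no ID/seq; they refer to the packet logged immediately before.
XLATE_RE = re.compile(
    r"^(?:\S+#\s*)?\d+:\s+ICMP\s+(?P<type>echo-request|echo-reply):\s+"
    r"(?P<action>translating|untranslating)\s+(?P<a_if>\w+):(?P<a>[\d.]+)\s+to\s+"
    r"(?P<b_if>\w+):(?P<b>[\d.]+)"
)


def correlate(trace_text):
    """Group trace lines by (ICMP id, seq) and record which stages each probe reached."""
    probes = OrderedDict()
    last_key = None
    for line in trace_text.splitlines():
        m = PKT_RE.match(line)
        if m:
            key = (int(m["id"]), int(m["seq"]))
            p = probes.setdefault(key, {"request": False, "translated": False,
                                        "reply": False, "untranslated": False})
            p["request" if m["type"] == "echo-request" else "reply"] = True
            last_key = key
            continue
        m = XLATE_RE.match(line)
        if m and last_key is not None:
            probes[last_key]["translated" if m["action"] == "translating"
                             else "untranslated"] = True
    return probes


def diagnose(probes):
    """Return a verdict per probe saying where along the path to look next."""
    verdicts = {}
    for key, p in probes.items():
        if not p["request"]:
            verdicts[key] = "reply without request: unsolicited, ignore"
        elif not p["translated"]:
            verdicts[key] = "request seen but not translated: check nat/global"
        elif not p["reply"]:
            verdicts[key] = "no reply reached outside: check upstream router/NAT or remote host"
        elif not p["untranslated"]:
            verdicts[key] = "reply seen on outside but not passed inside: check outside ACL and xlate"
        else:
            verdicts[key] = "reply forwarded to inside host: firewall OK, look at the host"
    return verdicts


if __name__ == "__main__":
    for key, verdict in diagnose(correlate(SAMPLE_TRACE)).items():
        print("ID=%d seq=%d: %s" % (key[0], key[1], verdict))
```

Run against the constructed trace, seq=1 is reported as forwarded to the inside host (which is exactly why the thread ends up at the host's own software firewall), while seq=2 is reported as never answered on the outside. The same four-stage split applies to a longer capture: a probe stuck at the first two stages points at the PIX's NAT, one stuck at the third points beyond the outside interface, and one stuck at the fourth points at the outside ACL.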

Markus BraunCEOCommented:
OK,
since you don't have an actual public IP configured on the outside interface, there may be a problem with whatever router you have on the WAN side.
I assume there is a router? Usually the ASA/PIX has a public IP on the outside interface. Since you do not, the router on the WAN side probably does some NATting too, and it looks like there could be a problem there.
Could you describe the hardware setup?
qbakiesCommented:
"The address is ping-able (www.bbc.co.uk - 212.58.246.161). I have a machine on the 192.168.1.0 network which gets the responses back from that above ip perfectly."

Can you describe your topology? I don't get how you have PCs on the same subnet as the outside interface of the ASA.
mxdmndsAuthor Commented:
The router should be NATting correctly, as the machine that connects directly to the router can ping successfully.
It's a tree topology:

        (Router)
         /    \
        /      \
   [Comp1]    [PIX]
                 |
                 |
              [Comp2]

and both computers have an identical setup.
mxdmndsAuthor Commented:

Sorry, that didn't come out too well.

        (Router)
         /    \
        /      \
   [Comp1]    [PIX]
                 |
                 |
              [Comp2]
mxdmndsAuthor Commented:
Ha ha, it wasn't the PIX at all... well, not directly.
The software firewall on the computer on the inside interface needed to be reconfigured to allow the responses coming back from the PIX.