Solved

Unable to connect to or ping inside interfaces on Cisco Pix501

Posted on 2011-04-19
Last Modified: 2012-06-21
I have two Pix 501 and they are both set up to talk to each other via site-to-site VPN. The problem is I'm not able to ping the inside interface or connect to a computer on the inside from either firewall, but I can ping the outside interfaces. I've used the below commands but they've not worked even though the VPN LED is lit on both Pix. Thanks in advance for your help.

access-list allow_ping permit icmp any any echo-reply
access-list allow_ping permit icmp any any source-quench
access-list allow_ping permit icmp any any unreachable
access-list allow_ping permit icmp any any time-exceeded


access-list inside_outbound_nat0_acl permit ip 10.241.6.0 255.255.255.0 Subnet-Peak10 255.255.255.0
access-list inside_outbound_nat0_acl permit ip Subnet-Peak10 255.255.255.0 10.241.6.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.241.6.0 255.255.255.0 Subnet-Peak10 255.255.255.0

access-group allow_ping in interface outside
Question by:y2kane4eva
9 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 35426881
Did you apply the nat0 acl to the nat?
nat (inside) 0 access-list inside_outbound_nat0_acl


>access-list inside_outbound_nat0_acl permit ip Subnet-Peak10 255.255.255.0 10.241.6.0 255.255.255.0
You only need this on the remote end.
If you want to ping the inside interface of the remote PIX, you have to designate it as a management interface
 management-interface inside

0
 
LVL 1

Author Comment

by:y2kane4eva
ID: 35427920
The access list is correct. Here's the complete config. The management-interface command is management-access on this Pix and that's already in the configuration.

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ********** encrypted
passwd *********encrypted
hostname firewall
domain-name domain.org
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names        
name 10.240.1.0 Subnet-Peak10
access-list inside_outbound_nat0_acl permit ip 10.241.6.0 255.255.255.0 Subnet-Peak10 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.241.6.0 255.255.255.0 Subnet-Peak10 255.255.255.0
 
access-list allow_ping permit icmp any any echo-reply
access-list allow_ping permit icmp any any source-quench
access-list allow_ping permit icmp any any unreachable
access-list allow_ping permit icmp any any time-exceeded
pager lines 24
logging on
logging timestamp
logging buffered debugging
mtu outside 1500
mtu inside 1500

ip address outside *.*.*.90 255.255.255.248
ip address inside 10.241.6.254 255.255.255.0

ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 1440
0
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group allow_ping in interface outside
route outside 0.0.0.0 0.0.0.0 *.*.*.89

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer *.*.*.164
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside

isakmp enable outside
isakmp key ******** address *.*.*.164 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 10
management-access inside
console timeout 0
dhcpd address 10.241.6.30-10.241.6.59 inside
dhcpd dns 10.240.1.12 205.152.144.23
dhcpd wins 10.240.1.12
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain jaxul.org
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
0
 
LVL 5

Expert Comment

by:Feroz Ahmed
ID: 35431716
Hi,

As you are trying to ping from the outside network to the inside network, the command on the Pix should be as below:

pix (Config)#access-list 101 permit icmp any any
Check using the command
pix(Config)#debug icmp
and try to ping the inside network from outside; you can also try the sh asp drop frame or flow command.
0
 
LVL 1

Author Comment

by:y2kane4eva
ID: 35432408
What's the difference between access-list 101 and access-list allow_ping? The name of the access list shouldn't matter.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 35432899
I don't see anything wrong with this configuration.
Can you post the config of the other side?
0
 
LVL 1

Assisted Solution

by:y2kane4eva
y2kane4eva earned 0 total points
ID: 35433097
Here's the configuration from the other firewall.


PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ********* encrypted
passwd ********* encrypted
hostname RemoteFirewall
domain-name ciscopix.com
clock timezone Eastern -5
clock summer-time Eastern recurring
fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit icmp any any unreachable
access-list inside_outbound_nat0_acl permit ip 10.240.1.0 255.255.255.0 10.241.6.0 255.255.255.0
access-list outside_cryptomap_140 permit ip 10.240.1.0 255.255.255.0 10.241.6.0 255.255.255.0
no pager
logging on
logging timestamp
logging monitor warnings
logging buffered warnings
logging trap warnings
logging history warnings
mtu outside 1500
mtu inside 1500
ip address outside *.*.*.164 255.255.255.240
ip address inside 10.240.1.254 255.255.255.0
ip audit name IDSAttack attack action alarm
ip audit name IDSInfo info action alarm
ip audit interface outside IDSInfo
ip audit interface outside IDSAttack
ip audit info action alarm
ip audit attack action alarm
ip audit signature 2000 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 *.*.*.161
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 140 ipsec-isakmp
crypto map outside_map 140 match address outside_cryptomap_140
crypto map outside_map 140 set peer *.*.*.90
crypto map outside_map 140 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ***** address *.*.*.90 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
management-access inside
console timeout 0
dhcpd address 10.240.1.10-10.240.1.30 inside
dhcpd dns 10.240.1.12 205.152.144.23
dhcpd wins 10.240.1.12
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain jaxul.org
dhcpd auto_config outside
dhcpd enable inside
0
 
LVL 1

Accepted Solution

by:
y2kane4eva earned 0 total points
ID: 35444076
I figured it out. I was missing this line on the remote Pix (sysopt connection permit-ipsec); that's why I couldn't access the remote office internal network.
0
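The checks that surfaced in this thread (nat 0 exemption applied and covering the crypto ACL, crypto map bound to an interface, management-access inside, and the sysopt connection permit-ipsec line that turned out to be missing) can be run as a quick audit over a saved PIX 6.3 config. This is an added example written for this page, not Cisco's or the poster's code; the sample config is constructed from the remote PIX config posted above, and the regexes assume the single-line "access-list NAME permit ip SRC MASK DST MASK" form shown there.

```python
"""Audit a PIX 6.3 config for the site-to-site VPN prerequisites this thread
walks through. Added example for this page; not Cisco's or the poster's code."""
import re

# Constructed sample: the remote PIX config as first posted, still without
# 'sysopt connection permit-ipsec', so the audit reports exactly that.
REMOTE_PIX = """\
nameif ethernet1 inside security100
access-list inside_outbound_nat0_acl permit ip 10.240.1.0 255.255.255.0 10.241.6.0 255.255.255.0
access-list outside_cryptomap_140 permit ip 10.240.1.0 255.255.255.0 10.241.6.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto map outside_map 140 ipsec-isakmp
crypto map outside_map 140 match address outside_cryptomap_140
crypto map outside_map interface outside
management-access inside
"""

ACL_RE = re.compile(r"access-list (\S+) permit ip (\S+ \S+) (\S+ \S+)$")

def acl_entries(lines, name):
    """Set of (source, destination) network/mask pairs in the named ACL."""
    return {(m.group(2), m.group(3)) for l in lines
            if (m := ACL_RE.match(l)) and m.group(1) == name}

def audit_vpn_config(config):
    """Return a list of findings; an empty list means every check passed."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    # 1. The accepted fix: without this, decrypted tunnel traffic is still
    #    evaluated against the outside interface ACL and gets dropped.
    if "sysopt connection permit-ipsec" not in lines:
        findings.append("missing 'sysopt connection permit-ipsec'")
    # 2. The crypto map has to be bound to an interface to do anything.
    if not any(re.match(r"crypto map \S+ interface ", l) for l in lines):
        findings.append("crypto map is not applied to any interface")
    # 3. Every crypto ACL entry must also be NAT-exempted (nat 0), otherwise
    #    the PAT'd packets never match the crypto ACL (lrmoore's first check).
    nat0 = set()
    for l in lines:
        if m := re.match(r"nat \(\S+\) 0 access-list (\S+)", l):
            nat0 |= acl_entries(lines, m.group(1))
    for l in lines:
        if m := re.match(r"crypto map \S+ \d+ match address (\S+)", l):
            for pair in acl_entries(lines, m.group(1)) - nat0:
                findings.append(f"crypto ACL {m.group(1)} entry {pair} not in nat 0 ACL")
    # 4. Needed for the far end to reach this PIX's own inside interface IP.
    if "management-access inside" not in lines:
        findings.append("missing 'management-access inside'")
    return findings
```

Run `audit_vpn_config` over each side's config; the posted remote config yields only the missing sysopt finding, and adding that line clears it.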
 
LVL 79

Expert Comment

by:lrmoore
ID: 35444862
D'OH!
0
 
LVL 1

Author Closing Comment

by:y2kane4eva
ID: 35465262
I figured out what I was missing in the configuration.
0
