ping outside interface on pix

Discussion in 'Cisco' started by mak, Nov 27, 2006.

  1. mak

    mak Guest

    PIX Firewall Version 6.3(1)

    Hi,
    I need to ping my outside interface (1.2.3.4) from my LAN (192.168.1.0/24) for monitoring purposes.

    I have the following entries:

    pixw(config)# sh access-list acl_inside | incl icmp
    access-list acl_inside line 45 permit icmp 192.168.1.0 255.255.255.0 any
    access-list acl_inside line 53 permit icmp any any

    but I cannot ping it.

    I added:
    access-list acl_inside permit icmp 192.168.1.0 255.255.255.0 interface outside


    would that do the trick?
    I seem to remember that the PIX doesn't allow pings to its own interfaces - if that's the case,
    what would be a good workaround?


    cheers,
    M
    mak, Nov 27, 2006
    #1

  2. * mak wrote:
    > i need to ping my outside interface (1.2.3.4) from my lan
    > (192.168.1.0/24) for monitoring purposes,


    This is not possible.
    Lutz Donnerhacke, Nov 27, 2006
    #2

  3. mak

    mak Guest

    Lutz Donnerhacke wrote:
    > * mak wrote:
    >> i need to ping my outside interface (1.2.3.4) from my lan
    >> (192.168.1.0/24) for monitoring purposes,

    >
    > This is not possible.


    Interesting,
    is this documented anywhere?
    And what would be a workaround, or how would you set this up?


    again: I am pinging from _a host_ in the lan, not directly from my inside interface as in:

    pixw# ping inside 1.2.3.4
    1.2.3.4 NO response received -- 1000ms
    1.2.3.4 NO response received -- 1000ms
    1.2.3.4 NO response received -- 1000ms
    pixw#


    thanks
    M
    mak, Nov 27, 2006
    #3
  4. * mak wrote:
    > and what would be a workaround or how would you set this up?


    Ping the inside interface.

    > again: I am pinging from _a host_ in the lan


    I know. The pix can only translate or receive the packet. Not both.
    Lutz Donnerhacke, Nov 27, 2006
    #4
  5. mak

    mak Guest

    Lutz Donnerhacke wrote:
    > * mak wrote:
    >> and what would be a workaround or how would you set this up?

    >
    > Ping the inside interface.
    >
    >> again: I am pinging from _a host_ in the lan

    >
    > I know. The pix can only translate or receive the packet. Not both.


    thanks,

    would it help to nat the internal host to a different outside ip than the interface ip?


    thanks,
    M
    mak, Nov 28, 2006
    #5
  6. * mak wrote:
    > would it help to nat the internal host to a different outside ip than the
    > interface ip?


    No.
    Lutz Donnerhacke, Nov 28, 2006
    #6
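    The two answers above ("the pix can only translate or receive the packet, not both" and "No" to translating the host to a different outside address) can be put into a small model. The following is an added illustration written for this thread, not PIX code and not something the posters supplied: it classifies an ICMP echo request by whether its destination is the firewall's nearest interface, a far interface, or a transit address, and shows that the NAT table never enters into the far-interface case. The interface names and addresses follow the thread; the static translation 192.168.1.20 -> 1.2.3.5 is an assumption added to exercise the NAT question. The inside ACL is deliberately left out, since the thread's ACL already permits the traffic and is not what blocks it.

```python
# Added illustration for this thread, not PIX code: a toy model of how a
# PIX 6.3 treats an ICMP echo request aimed at one of its own interface
# addresses, following the rule stated in the replies ("translate or
# receive, not both") and the behaviour the thread describes: an interface
# answers pings only for packets that arrive on that same interface.
# Interface names, addresses and the static NAT entry are assumptions
# chosen to match the thread.
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Interface:
    name: str
    addr: str      # the firewall's own address on this interface
    net: str       # directly connected network


@dataclass
class Pix:
    interfaces: list
    # Assumed static translations (inside host -> outside address), the
    # PIX 6.3 equivalent of "static (inside,outside) 1.2.3.5 192.168.1.20".
    # Hosts without a static are translated to the outside interface
    # address (PAT).
    statics: dict = field(default_factory=dict)

    def by_name(self, name):
        return next(i for i in self.interfaces if i.name == name)

    def ingress_for(self, src):
        """Interface a packet from src arrives on: the one whose connected
        network contains src, otherwise outside (the default route)."""
        for i in self.interfaces:
            if ipaddress.ip_address(src) in ipaddress.ip_network(i.net):
                return i
        return self.by_name("outside")

    def owning_interface(self, dst):
        """The interface that owns dst, or None if dst is not the PIX."""
        return next((i for i in self.interfaces if i.addr == dst), None)

    def icmp_echo(self, src, dst):
        """Classify an echo request as 'reply', 'no reply' or 'forwarded'."""
        ingress = self.ingress_for(src)
        owner = self.owning_interface(dst)
        if owner is ingress:
            # Nearest interface: the packet is received locally and answered.
            return "reply", f"{dst} is the {ingress.name} interface, answered locally"
        if owner is not None:
            # Far interface: reaching it would mean translating the packet
            # towards that interface AND receiving it there. PIX 6.3 does
            # one or the other, so the NAT table is never consulted and
            # nothing answers, whatever outside address the host maps to.
            return "no reply", (f"{dst} is the {owner.name} interface; "
                                f"not reachable from {ingress.name}")
        # Transit traffic: translate the source and forward it out.
        translated = self.statics.get(src, self.by_name("outside").addr)
        return "forwarded", f"{src} translated to {translated}, sent out outside"


def build_pix():
    """The topology from the thread, plus one assumed static NAT entry."""
    return Pix(
        interfaces=[
            Interface("inside", "192.168.1.1", "192.168.1.0/24"),
            Interface("outside", "1.2.3.4", "1.2.3.0/24"),
        ],
        statics={"192.168.1.20": "1.2.3.5"},
    )


if __name__ == "__main__":
    pix = build_pix()
    for src, dst in [
        ("192.168.1.10", "192.168.1.1"),   # the suggested workaround
        ("192.168.1.10", "1.2.3.4"),       # the original question
        ("192.168.1.20", "1.2.3.4"),       # same host, but with a static NAT
        ("192.168.1.10", "198.51.100.9"),  # ordinary outbound ping
        ("198.51.100.9", "1.2.3.4"),       # outside host pinging outside
    ]:
        print(f"{src:>14} -> {dst:<14} {pix.icmp_echo(src, dst)}")
```

Running it shows the first and last cases answered, the two far-interface cases dropped regardless of the static entry, and the transit case translated (to 1.2.3.4 by PAT, or to the assumed 1.2.3.5 for the host with a static) and forwarded. For monitoring from the LAN that leaves the inside interface address as the only address of the PIX a LAN host can ping, which is the workaround given above.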
  7. * Walter Roberson wrote:
    > Try this: Designate the outside interface as a management interface,


    This would cause the pix to stop forwarding packets from and to outside.
    Short: Loss of internet connectivity.

    > and create an IPSec tunnel between it and some host on the inside


    This will fail, because the IPSec tunnel is only terminated on the interface
    the packets are coming in. In this case: The inside interface.

    The reason for this behavior is the same as for the unavailability of ping.

    > That inside host would then be able to ping the outside interface.


    No.
    Lutz Donnerhacke, Nov 28, 2006
    #7
  8. mak

    mak Guest

    Walter Roberson wrote:
    > In article <>,
    > mak <> wrote:
    >> PIX Firewall Version 6.3(1)

    >
    >> i need to ping my outside interface (1.2.3.4) from my lan
    >> (192.168.1.0/24) for monitoring purposes,

    >
    > Try this: Designate the outside interface as a management interface,
    > and create an IPSec tunnel between it and some host on the
    > inside (such as a box running freeswan, but you could probably use
    > the Cisco client). That inside host would then be able to ping the
    > outside interface.
    >
    > http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/mr.htm#wp1137951


    Thanks,
    I'll try that.
    mak, Nov 28, 2006
    #8
  9. * Walter Roberson wrote:
    > In article <-jena.de>,
    > Lutz Donnerhacke <> wrote:
    >>* Walter Roberson wrote:
    >>> Try this: Designate the outside interface as a management interface,

    >
    >>This would cause the pix to stop forwarding packets from and to outside.
    >>Short: Loss of internet connectivity.

    >
    > Why would that happen? When you designate the inside interface
    > as a management interface, does it stop forwarding packets to and
    > from the inside?


    Because I mixed "management-access" with "management-only". Sorry.

    >>This will fail, because the IPSec tunnel is only terminated on the interface
    >>the packets are coming in. In this case: The inside interface.

    >
    > Then how does it work for the case of an outside host given management
    > interface access to the inside?


    IPSec has to be terminated on the nearest interface.

    The suggestion was to set up an IPSec tunnel between the inside host and the
    outside interface.
    Lutz Donnerhacke, Nov 29, 2006
    #9