PIX ping v6.0(1)

Discussion in 'Cisco' started by Walter Roberson, Dec 11, 2003.

  1. In article <>,
    aharper <> wrote:

    :I'm having a problem getting ping to get through the PIX for one IP. So
    :far as I can tell I've got the statements the same as I do for many
    :eek:ther IPs that work just fine, but this one isn't working. If I change
    :the IPs to something different I still can't get them to work. Not
    :sure what's up. Here is what I have...


    :access-list acl_out permit icmp any any
    :access-list acl_out permit icmp any any echo-reply
    :access-list acl_out permit icmp any any unreachable
    :access-list acl_out permit icmp any any time-exceeded

    Those last 3 are redundant. The first line permits -all- icmp, so
    there is no point in permitting other icmp individually.

    :access-group acl_out in interface outside

    :STATIC STUFF (207.addy's are ISP addy's, 172.addy is for the LAN)...
    :static (inside,outside) 207.220.220.35 172.16.1.35 netmask
    :255.255.255.255 512 384

    :Similar setups for other IPs work just fine. On the outside I can ping
    :the 207.220.220.x addy and get replies. This one isn't working.

    :alias (inside) 207.220.220.35 192.168.2.35 255.255.255.255
    :static (dmz,outside) 207.220.220.35 192.168.2.35 netmask
    :255.255.255.255 1024 716
    :static (inside,outside) 207.220.220.35 172.16.1.35 netmask
    :255.255.255.255 512 384

    You are trying to mix 'alias' and 'static' for the same outside IP?
    And you are trying to map the same outside IP to two different
    interfaces? I wouldn't expect either to work.
    --
    Cottleston, Cottleston, Cottleston pie.
    A bird can't whistle and neither can I. -- Pooh
    Walter Roberson, Dec 11, 2003
    #1
    1. Advertising

  2. Walter Roberson

    aharper Guest

    I'm having a problem getting ping to get through the PIX for one IP. S
    far as I can tell I've got the statements the same as I do for man
    other IPs that work just fine, but this one isn't working. If I chang
    the IPs to something different I still can't get them to work. No
    sure what's up. Here is what I have...

    ACCESS-LIST STUFF...
    access-list acl_out permit icmp any any
    access-list acl_out permit icmp any any echo-reply
    access-list acl_out permit icmp any any unreachable
    access-list acl_out permit icmp any any time-exceeded
    access-group acl_out in interface outside

    STATIC STUFF (207.addy's are ISP addy's, 172.addy is for the LAN)...
    static (inside,outside) 207.220.220.35 172.16.1.35 netmas
    255.255.255.255 512 384

    Similar setups for other IPs work just fine. On the outside I can pin
    the 207.220.220.x addy and get replies. This one isn't working. I'v
    tried adding other statements as well messing around hoping somethin
    would work. Below I'm adding statements to test with the DMZ machine
    to see if they can see what I need. The DMZ addy's are 192.blah.

    alias (dmz) 192.168.2.35 172.16.1.35 255.255.255.255
    alias (inside) 207.220.220.35 192.168.2.35 255.255.255.255
    static (dmz,outside) 207.220.220.35 192.168.2.35 netmas
    255.255.255.255 1024 716
    static (inside,outside) 207.220.220.35 172.16.1.35 netmas
    255.255.255.255 512 384
    static (inside,dmz) 192.168.2.35 172.16.1.35 netmask 255.255.255.25
    512 384

    Still no dice. From another machine in the DMZ I'm able to pin
    192.168.2.35 and I get replies. Now if only it would work on th
    outside. I'm really at a loss since it's working elsewhere. Seems I'
    always having problems with ping, though, and somehow miraculously a
    the end it ends up working. Problem is I just don't know what's don
    to make it work. Any help is appreciated. TIA.

    And

    aharpe
    -----------------------------------------------------------------------
    Posted via http://www.mcse.m
    -----------------------------------------------------------------------
    View this thread: http://www.mcse.ms/message170411.htm
    aharper, Dec 11, 2003
    #2
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. =?Utf-8?B?V0pQQw==?=

    Can not ping myself, but can ping others

    =?Utf-8?B?V0pQQw==?=, Dec 25, 2004, in forum: Wireless Networking
    Replies:
    6
    Views:
    5,921
    Chuck
    Dec 26, 2004
  2. eugene123
    Replies:
    4
    Views:
    2,652
    Mark Smythe
    Sep 25, 2003
  3. Bob Simon
    Replies:
    8
    Views:
    7,077
    John Lamar
    Jan 19, 2005
  4. gruffydd

    ping ping Why

    gruffydd, Dec 28, 2004, in forum: Computer Support
    Replies:
    3
    Views:
    521
    gruffydd
    Dec 29, 2004
  5. RLM
    Replies:
    6
    Views:
    2,430
Loading...

Share This Page