Can't ping client pc from Pix 515

Discussion in 'Cisco' started by ejeangilles, Apr 2, 2012.

    I have a home network setup with a Pix 515 and a 3550 L3 switch. My Pix 515 (unrestricted) is set up with subinterfaces. Everything works fine as far as DHCP, internet, and ASDM. The only thing is I can't seem to ping my internal clients from my ASA. I can ping my L3 switch VLAN IP but not my internal client IP. My client PCs can ping both the L3 switch IP and the ASA inside interface. Is there an ACL that's blocking? I did a packet tracer and it tells me it dropped due to an access list, but I have them in place. I feel I'm missing something simple. Information below.

    Internet <----> Pix515 <----> L3switch <----> PC's

    MYFIREWALL# sh run
    : Saved
    :
    PIX Version 8.0(4)28
    !
    hostname MYFIREWALL
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface Ethernet0
    speed 100
    duplex full
    nameif outside
    security-level 0
    ip address 173.x.x.114 255.255.255.248
    !
    interface Ethernet1
    speed 100
    duplex full
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet1.10
    vlan 10
    nameif inside
    security-level 100
    ip address 10.10.10.1 255.255.255.0
    !
    interface Ethernet1.20
    vlan 20
    no nameif
    no security-level
    no ip address
    !
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    access-list 101 extended permit icmp any any echo
    access-list 101 extended permit icmp any any echo-reply
    access-list 101 extended permit icmp any any source-quench
    access-list 101 extended permit icmp any any unreachable
    access-list 101 extended permit icmp any any time-exceeded
    pager lines 24
    logging enable
    logging timestamp
    logging buffer-size 20000
    logging buffered debugging
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image flash:/asdm-603.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group 101 in interface outside
    route outside 0.0.0.0 0.0.0.0 173.x.x.118 1
    timeout xlate 3:00:00
    timeout conn 9:09:09 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 0.0.0.0 0.0.0.0 outside
    http 0.0.0.0 0.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet 0.0.0.0 0.0.0.0 outside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd dns 68.87.68.162 68.87.74.162
    dhcpd domain aejg.net
    !
    dhcpd address 10.10.10.105-10.10.10.150 inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics host
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
    !
    !
    prompt hostname context
    Cryptochecksum:ed3a9e8e32f486f73ad65f0ce7a95b3f
    : end
    ------------------------
    MYFIREWALL# packet-tracer input inside icmp 10.10.10.1 8 0 10.10.10.105 detail$

    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    Forward Flow based lookup yields rule:
    in id=0x4392f78, priority=1, domain=permit, deny=false
    hits=130328, user_data=0x0, cs_id=0x0, l3_type=0x8
    src mac=0000.0000.0000, mask=0000.0000.0000
    dst mac=0000.0000.0000, mask=0000.0000.0000

    Phase: 2
    Type: FLOW-LOOKUP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Found no matching flow, creating a new flow

    Phase: 3
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in 10.10.10.0 255.255.255.0 inside

    Phase: 4
    Type: ACCESS-LIST
    Subtype:
    Result: DROP
    Config:
    Implicit Rule
    Additional Information:
    Forward Flow based lookup yields rule:
    in id=0x4397fb8, priority=500, domain=permit, deny=true
    hits=0, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip=10.10.10.1, mask=255.255.255.255, port=0
    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: inside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule

    --------------------------------
    MYFIREWALL# ping 10.10.10.105
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.10.10.105, timeout is 2 seconds:
    ?????

    -------------------------------

    MYSWITCH#sh run
    Building configuration...

    Current configuration : 2518 bytes
    !
    version 12.2
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname MYSWITCH
    !
    !
    no aaa new-model
    ip subnet-zero
    ip routing
    !
    !
    no file verify auto
    spanning-tree mode pvst
    spanning-tree extend system-id
    !
    !
    !
    vlan internal allocation policy ascending
    !
    !
    interface FastEthernet0/1
    switchport trunk encapsulation dot1q
    switchport mode trunk
    switchport nonegotiate
    duplex full
    speed 100
    !
    interface FastEthernet0/2
    switchport mode dynamic desirable
    !
    interface FastEthernet0/3
    switchport mode dynamic desirable
    !
    interface FastEthernet0/4
    switchport mode dynamic desirable
    !
    interface FastEthernet0/5
    switchport access vlan 10
    switchport mode access
    duplex full
    speed 100
    spanning-tree portfast
    !
    interface FastEthernet0/6
    switchport mode dynamic desirable
    !
    interface FastEthernet0/7
    switchport mode dynamic desirable
    !
    interface FastEthernet0/8
    switchport mode dynamic desirable
    !
    interface FastEthernet0/9
    switchport mode dynamic desirable
    !
    interface FastEthernet0/10
    switchport mode dynamic desirable
    !
    interface FastEthernet0/11
    switchport mode dynamic desirable
    !
    interface FastEthernet0/12
    switchport mode dynamic desirable
    !

    interface Vlan1
    no ip address
    shutdown
    !
    interface Vlan10
    ip address 10.10.10.100 255.255.255.0
    ip directed-broadcast
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 10.10.10.1
    ip http server
    ---------------------------
     
    ejeangilles, Apr 2, 2012
    #1
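As an added example for this thread (not code from the original post, and not a Cisco tool), the script below reads the posted running config and packet-tracer output and checks the one thing the trace actually demonstrates. The simulated packet was sourced from 10.10.10.1, the inside interface's own address. packet-tracer only models traffic passing through the firewall, so a packet arriving on inside that carries the firewall's own address is treated as spoofed and is discarded by an implicit rule (the `reverse` rule with `src ip=10.10.10.1, mask=255.255.255.255` in phase 4). That drop therefore says nothing about a ping the firewall originates itself, and it is not the reason `ping 10.10.10.105` gets `?????`. The script also flags the management-plane lines a security reviewer would raise about this config: `http` and `telnet` permitted from 0.0.0.0/0, including on the outside interface. The `SHOW_RUN` and `TRACE` strings are abbreviated, constructed copies of the text posted above.

```python
# Added example for this thread, not code from the original post or from Cisco.
# SHOW_RUN and TRACE are abbreviated, constructed copies of the text posted above.
import ipaddress
import re

SHOW_RUN = """\
interface Ethernet1.10
 nameif inside
 ip address 10.10.10.1 255.255.255.0
!
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
"""

TRACE = """\
MYFIREWALL# packet-tracer input inside icmp 10.10.10.1 8 0 10.10.10.105 detail

Phase: 4
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Additional Information:
in id=0x4397fb8, priority=500, domain=permit, deny=true
hits=0, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=10.10.10.1, mask=255.255.255.255, port=0

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

CMD_RE = re.compile(r"packet-tracer input (\S+) (icmp|tcp|udp) (\S+) (\S+) (\S+) (\S+)")
MGMT_RE = re.compile(r"^(http|telnet|ssh) (\S+) (\S+) (\S+)$", re.M)


def parse_interfaces(show_run):
    """Map each nameif to its IPv4Interface (address plus mask)."""
    ifaces, name = {}, None
    for line in (ln.strip() for ln in show_run.splitlines()):
        if line.startswith("interface "):
            name = None                      # new block, no nameif seen yet
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address ") and name:
            _, _, addr, mask = line.split()
            ifaces[name] = ipaddress.ip_interface(f"{addr}/{mask}")
    return ifaces


def parse_command(trace):
    """Input interface, protocol, source and destination from the command line."""
    iface, proto, src, a, b, c = CMD_RE.search(trace).groups()
    # icmp: src type code dst; tcp/udp: src sport dst dport
    return {"iface": iface, "proto": proto, "src": src, "dst": c if proto == "icmp" else b}


def drop_phase(trace):
    """(phase number, type, raw block) of the first phase whose Result is DROP."""
    for chunk in re.split(r"\n\s*\n", trace):
        m = re.match(r"Phase: (\d+)\nType: (\S+)\n(?:.*\n)*Result: DROP", chunk)
        if m:
            return m.group(1), m.group(2), chunk
    return None


def diagnose(show_run, trace):
    """Explain the drop and flag a trace sourced from the input interface's own IP."""
    cmd = parse_command(trace)
    own = parse_interfaces(show_run).get(cmd["iface"])
    drop = drop_phase(trace)
    reason = re.search(r"Drop-reason: (.*)", trace)
    rule_src = re.search(r"src ip=(\S+),", drop[2]) if drop else None
    self_sourced = own is not None and ipaddress.ip_address(cmd["src"]) == own.ip
    if self_sourced and drop and "Implicit Rule" in drop[2]:
        verdict = (f"packet simulated as entering {cmd['iface']} with that interface's own "
                   f"address {own.ip} as source; packet-tracer models through-traffic only, "
                   "so it is treated as spoofed and denied by an implicit rule. The trace "
                   "says nothing about a ping the firewall originates itself.")
    else:
        verdict = "inspect the rule quoted in the drop phase" if drop else "no DROP phase"
    return {
        "drop_phase": drop[0] if drop else None,
        "drop_type": drop[1] if drop else None,
        "drop_reason": reason.group(1).strip() if reason else None,
        "deny_rule_src": rule_src.group(1) if rule_src else None,
        "self_sourced": self_sourced,
        "verdict": verdict,
    }


def audit_management_plane(show_run):
    """Flag http/telnet/ssh management access from any address or on outside."""
    findings = []
    for proto, addr, mask, iface in MGMT_RE.findall(show_run):
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        if iface == "outside" or net.prefixlen == 0:
            findings.append(f"{proto} management allowed from {net} on {iface}")
    return findings


if __name__ == "__main__":
    print(diagnose(SHOW_RUN, TRACE))
    print(audit_management_plane(SHOW_RUN))
```

To test the real path rather than a simulated one, source the ping explicitly from the inside interface (`ping inside 10.10.10.105`) and watch it with a capture (`capture icmp interface inside match icmp any any`, then `show capture icmp`). If the echo request leaves and no reply comes back, the drop is on the host side; a host firewall that discards inbound echo is the usual suspect when a PC can ping out but cannot be pinged. Separately, the `telnet 0.0.0.0 0.0.0.0 outside` and `http 0.0.0.0 0.0.0.0 outside` lines expose cleartext and web management of the firewall to the whole internet and should be removed or restricted to known source addresses (and SSH used instead of telnet).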
