ping outside interface on pix

Discussion in 'Cisco' started by mak, Nov 27, 2006.

  1. mak

    mak Guest

    PIX Firewall Version 6.3(1)

    hi,
    I need to ping my outside interface (1.2.3.4) from my LAN (192.168.1.0/24) for monitoring purposes.

    I have the following entries:

    pixw(config)# sh access-list acl_inside | incl icmp
    access-list acl_inside line 45 permit icmp 192.168.1.0 255.255.255.0 any
    access-list acl_inside line 53 permit icmp any any

    but I cannot ping it.

    I added:
    access-list acl_inside permit icmp 192.168.1.0 255.255.255.0 interface outside

    Would that do the trick?
    I seem to remember that the PIX doesn't allow pings to its own interfaces. If that's the case,
    what would be a good workaround?


    cheers,
    M
     
    mak, Nov 27, 2006
    #1
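Added example, not part of the thread and not Cisco code: a small Python emulation of first-match access-list evaluation over the two `acl_inside` entries quoted in the post. It shows that line 45 already permits ICMP from 192.168.1.0/24 to 1.2.3.4, so the access list is not what blocks the ping from a LAN host, and it flags the `permit icmp any any` at line 53 as a broad entry worth reviewing on an inside ACL. The sample LAN host 192.168.1.10 is constructed; the `host A.B.C.D` address form handled by `parse_addr` does not appear in the quoted output and is included as an assumption about the `show access-list` format.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the two ICMP entries from the thread's
# "sh access-list acl_inside | incl icmp" output. Real output may carry
# trailing fields (hit counts); only the fields matched below are used.
SAMPLE_ACL = """\
access-list acl_inside line 45 permit icmp 192.168.1.0 255.255.255.0 any
access-list acl_inside line 53 permit icmp any any
"""

# Source/destination spec: "any", "host A.B.C.D" (assumed form), or "A.B.C.D MASK".
ADDR = r"any|host\s+\S+|\S+\s+\S+"
LINE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+line\s+(?P<num>\d+)\s+"
    r"(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    rf"(?P<src>{ADDR})\s+(?P<dst>{ADDR})"
)


@dataclass
class AclEntry:
    name: str
    line: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def parse_addr(tok: str) -> ipaddress.IPv4Network:
    """Turn a PIX address spec into a network object."""
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    first, second = tok.split()
    if first == "host":
        return ipaddress.IPv4Network(f"{second}/32")
    # "A.B.C.D MASK" form; strict=False tolerates host bits in the address
    return ipaddress.IPv4Network(f"{first}/{second}", strict=False)


def parse_acl(text: str) -> List[AclEntry]:
    """Parse 'show access-list' output lines into entries, in listed order."""
    entries: List[AclEntry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip headers, hit-count summaries, anything unrecognised
        entries.append(AclEntry(
            name=m["name"], line=int(m["num"]), action=m["action"],
            proto=m["proto"].lower(),
            src=parse_addr(m["src"]), dst=parse_addr(m["dst"]),
        ))
    return entries


def first_match(entries: List[AclEntry], proto: str,
                src_ip: str, dst_ip: str) -> Optional[AclEntry]:
    """Emulate first-match evaluation; None means the implicit deny applies."""
    s = ipaddress.IPv4Address(src_ip)
    d = ipaddress.IPv4Address(dst_ip)
    for e in entries:  # an 'ip' entry covers every protocol
        if e.proto in (proto, "ip") and s in e.src and d in e.dst:
            return e
    return None


def overly_broad(entries: List[AclEntry]) -> List[AclEntry]:
    """Permit entries with any-to-any scope, worth reviewing on an inside ACL."""
    return [e for e in entries
            if e.action == "permit"
            and e.src.prefixlen == 0 and e.dst.prefixlen == 0]


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    hit = first_match(acl, "icmp", "192.168.1.10", "1.2.3.4")
    print("LAN host -> outside interface ICMP:",
          f"permitted by line {hit.line}" if hit else "implicit deny")
    for e in overly_broad(acl):
        print(f"review: line {e.line} permits {e.proto} any any")
```

Run it as-is to see that the LAN-to-outside-interface ICMP flow matches line 45; the remaining question in the thread is the PIX's own handling of traffic addressed to its far-side interface, which no access-list change affects.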
  2. This is not possible.
     
    Lutz Donnerhacke, Nov 27, 2006
    #2
  3. mak

    mak Guest

    Interesting,
    is this documented anywhere?
    And what would be a workaround, or how would you set this up?


    again: I am pinging from _a host_ in the lan, not directly from my inside interface as in:

    pixw# ping inside 1.2.3.4
    1.2.3.4 NO response received -- 1000ms
    1.2.3.4 NO response received -- 1000ms
    1.2.3.4 NO response received -- 1000ms
    pixw#


    thanks
    M
     
    mak, Nov 27, 2006
    #3
  4. Ping the inside interface.
    I know. The pix can only translate or receive the packet. Not both.
     
    Lutz Donnerhacke, Nov 27, 2006
    #4
  5. mak

    mak Guest

    thanks,

    would it help to NAT the internal host to a different outside IP than the interface IP?


    thanks,
    M
     
    mak, Nov 28, 2006
    #5
  6. No.
     
    Lutz Donnerhacke, Nov 28, 2006
    #6
  7. This would cause the pix to stop forwarding packets from and to outside.
    Short: Loss of internet connectivity.
    This will fail, because the IPSec tunnel is only terminated on the interface
    the packets are coming in. In this case: The inside interface.

    The reason for this behavior is the same as the unavailability to ping.
    No.
     
    Lutz Donnerhacke, Nov 28, 2006
    #7
  8. mak

    mak Guest

    mak, Nov 28, 2006
    #8
  9. Because I mixed "management-access" with "management-only". Sorry.
    IPSec has to be terminated on the nearest interface.

    The suggestion was to set up an IPSec tunnel between the inside host and the
    outside interface.
     
    Lutz Donnerhacke, Nov 29, 2006
    #9