Pix 515 - Ping host from outside

Discussion in 'Cisco' started by HisNameWasRobertPaulson, Jan 15, 2004.

  1. Hey gang, I am in need of pinging a host on the inside that is
    translated via PAT.
    The problem: I am getting no echo-reply.
    Everything is set up correctly except for this one aspect, I just don't
    know how to do it or even if it is possible, any help would be greatly
    appreciated!!
    Here is a partial config:

    <--this is the host I want to ping (12.34.56.78)-->
    static (inside,outside) tcp 12.34.56.78 ftp 10.10.1.5 ftp netmask
    255.255.255.255

    (the ftp service is working, but I want to ping this host as well)

    I set the access-list to permit all icmp, for testing, and there are
    no DENY icmp entries in the log for this host.

    And to top it off, debug ICMP trace does not even list the packets as
    being received!! (although I know this is a valid Internet address,
    because the ftp service I have set up works...)

    Any thoughts?

    Thanks to whoever responds!!!

    -Mike
     
    HisNameWasRobertPaulson, Jan 15, 2004
    #1

  2. :Hey gang, I am in need of pinging a host on the inside that is
    :translated via PAT.

    You can't do that.

    :Here is a partial config:

    :<--this is the host I want to ping (12.34.56.78)-->
    :static (inside,outside) tcp 12.34.56.78 ftp 10.10.1.5 ftp netmask
    :255.255.255.255

    If 12.34.56.78 is your outside IP address, you should be using the
    word 'interface' instead of the IP address.

    Anyhow, notice that you have defined a translation for tcp. You
    could have a different translation for udp for the same port number,
    and you could have other tcp or udp translations for different ports
    for the same IP. ping uses icmp, though, not tcp or udp, so static
    PAT is not usable to ping back in.

    If you need to be able to ping in, you will have to use a full static,
    allocating a full outside IP to the server, rather than using
    static PAT.
     
    Walter Roberson, Jan 15, 2004
    #2
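    The contrast the reply draws, written out as an added PIX 6.x configuration example (not from the thread): the existing static PAT line beside a full static that dedicates a spare global address to the server. 12.34.56.79 is an assumed unused global address and outside_in an assumed access-list name.

```text
! Existing static PAT: only TCP port 21 is mapped to the server. ICMP has no
! port, so an echo-request to 12.34.56.78 matches no translation and is
! dropped before any access-list check or "debug icmp trace" can see it.
static (inside,outside) tcp 12.34.56.78 ftp 10.10.1.5 ftp netmask 255.255.255.255

! Full static: a whole global address (assumed spare: 12.34.56.79) is mapped
! 1:1 to the server, so every protocol, ICMP included, is translated.
static (inside,outside) 12.34.56.79 10.10.1.5 netmask 255.255.255.255

! Inbound traffic to the static still needs an outside-interface ACL. Instead
! of the "permit all icmp" test rule, allow only echo requests for the one
! host; the server's echo-reply goes inside-to-outside, which the PIX
! permits by default. Keep the ftp rule if the full static replaces the PAT.
access-list outside_in permit icmp any host 12.34.56.79 echo
access-list outside_in permit tcp any host 12.34.56.79 eq ftp
access-group outside_in in interface outside
```

    With the full static in place, the echo-request should now appear in debug icmp trace on the outside interface, which is the quickest check that the translation rather than the ACL was what blocked it.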

  3. Ya, I thought that this was not possible, but figured I would ask!
    The reason I used the ip address and not 'interface' is because I have
    multiple global addresses.

    Thanks for the reply,
    -Mike
     
    HisNameWasRobertPaulson, Jan 16, 2004
    #3