7200emu.hacki.at Forum Index 7200emu.hacki.at
Dynamips, Dynagen and all that stuff
 
Unable to ping to outside interface

 
manojtechnie



Joined: 29 Jun 2007
Posts: 12

Posted: Tue Jan 22, 2008 9:33 am    Post subject: Unable to ping to outside interface

Hi Friends,

I am new to learning Pix FW. I am having an issue trying to ping to the outside interface of the pix FW from my inside router RR01.

RR01 (inside) - pixfw - RR03 (outside)
Below is my FW config.

pixfw# show run
: Saved
:
PIX Version 7.2(3)
!
hostname pixfw
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
description connection to RR03
nameif outside
security-level 0
ip address 200.200.200.1 255.255.255.0
!
interface Ethernet1
description connection to RR01
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet2
description connection to DMZ
nameif DMZ
security-level 50
ip address 172.16.10.1 255.255.255.0
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list TEST extended permit ip any any
access-list inside extended permit ip any any
access-list outside extended permit ip any any
pager lines 24
logging console notifications
logging buffered alerts
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 200.200.200.5
nat (inside) 1 10.10.10.0 255.255.255.0
access-group inside in interface inside
access-group outside in interface outside
route inside 10.10.0.0 255.255.0.0 10.10.10.2 1
route outside 0.0.0.0 0.0.0.0 200.200.200.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
!
prompt hostname context
Cryptochecksum:56d4eac27635ea786ad73a799d596ca1
: end
pixfw#




RR01#ping 10.10.10.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/44/124 ms

RR01#ping 200.200.200.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.200.200.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
RR01#

RR01#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.10.10.1 to network 0.0.0.0

10.0.0.0/24 is subnetted, 1 subnets
C 10.10.10.0 is directly connected, FastEthernet1/0
S* 0.0.0.0/0 [1/0] via 10.10.10.1


Please help me know if I am doing anything wrong. Thanks in advance.

Best Regards,
Manoj
thumpercisco



Joined: 28 Jun 2007
Posts: 889
Location: Chesapeake, VA

Posted: Tue Jan 22, 2008 1:32 pm

permit icmp (in,out)
if you still have problems post your .net file

_________________
"AIaO"

ThumperCisco


manojtechnie



Joined: 29 Jun 2007
Posts: 12

Posted: Wed Jan 23, 2008 12:56 am

Hi,
Below is my .net config. I am not able to run that command. It's not recognized by the pix. Kindly suggest. Thanks!


autostart = false
[localhost]
[[3640]]
image = \PROGRA~1\Dynamips\images\c3640-ik9s-mz.122-46.bin
#idlepc = 0x60424a14
ram = 128
sparsemem = True

[[router RR01]]
model = 3640
F1/0 = FW1 e1
idlepc = 0x6036e360

[[router RR03]]
model = 3640
F1/0 = FW1 e0
idlepc = 0x6036e360

[[router DMZ]]
model = 3640
F1/0 = FW1 e2
idlepc = 0x6036e360

[pemu localhost]
[[525]]
image = C:\Documents and Settings\manoj.wadhwa\Desktop\pix723.bin
serial = 0x12345678
key = 0x00000000,0x00000000,0x00000000,0x00000000
[[fw FW1]]

Best Regards,
Manoj
thumpercisco



Joined: 28 Jun 2007
Posts: 889
Location: Chesapeake, VA

Posted: Wed Jan 23, 2008 2:51 am

it is an access-list rule (like ip)
_________________
"AIaO"

ThumperCisco


manojtechnie



Joined: 29 Jun 2007
Posts: 12

Posted: Wed Jan 23, 2008 5:22 am

Hi,

Not sure what has changed. I just tried to ping again using the same old config and it seems to be working fine. Thanks for your assistance.

Regards,
Manoj
Cheetah1



Joined: 01 Feb 2011
Posts: 1

Posted: Tue Feb 01, 2011 4:54 am

Hi. You cannot ping the outside interface of a PIX or ASA from the inside because it does not allow this by default. What's happening is that you are sending a packet out the outside interface that's destined for itself, which the ASA prevents.

You could allow it with same-security-traffic permit inter-interface, but it is not a security best practice recommendation. There's no reason to allow people to do this. If you want people to be able to test the next hop outside the firewall, then let them ping through the ASA to the router or next hop destination.

thanks,..

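The distinction drawn in the post above, between pinging the firewall's own far-side address and pinging through the firewall to the next hop, as an added example (not part of any post in this thread and not Cisco code). The interface addresses are those in the posted config; the source address 10.10.10.2 for RR01 and the function names are assumptions.

```python
import ipaddress
import re

# Constructed sample: interface stanzas in the style of the config posted in this thread.
SAMPLE_CONFIG = """\
interface Ethernet0
 nameif outside
 ip address 200.200.200.1 255.255.255.0
!
interface Ethernet1
 nameif inside
 ip address 10.10.10.1 255.255.255.0
!
interface Ethernet2
 nameif DMZ
 ip address 172.16.10.1 255.255.255.0
!
interface Ethernet3
 shutdown
 no nameif
 no ip address
"""

def parse_interfaces(config):
    """Return {nameif: IPv4Interface} for each named, addressed interface."""
    found = {}
    # Split on "interface <name>" lines; element 0 is whatever precedes the first one.
    for stanza in re.split(r"^interface[ \t]+\S+[ \t]*$", config, flags=re.M)[1:]:
        name = re.search(r"^[ \t]*nameif[ \t]+(\S+)", stanza, re.M)
        addr = re.search(r"^[ \t]*ip address[ \t]+(\S+)[ \t]+(\S+)", stanza, re.M)
        if name and addr:
            found[name.group(1)] = ipaddress.ip_interface(
                f"{addr.group(1)}/{addr.group(2)}")
    return found

def classify_ping(interfaces, source, destination):
    """Classify an ICMP echo by its ingress interface and what it targets."""
    src = ipaddress.ip_address(source)
    dst = ipaddress.ip_address(destination)
    # Ingress is inferred from directly connected networks only (no route lookup).
    ingress = next((n for n, i in interfaces.items() if src in i.network), None)
    if ingress is None:
        return "unknown-ingress"
    owner = next((n for n, i in interfaces.items() if dst == i.ip), None)
    if owner is None:
        return "through-traffic"      # governed by NAT, ACLs and ICMP handling
    # A firewall address on any interface other than the ingress one is far-side.
    return "near-side-interface" if owner == ingress else "far-side-interface"
```

For the thread's topology, a ping from 10.10.10.2 to 200.200.200.1 classifies as far-side-interface, while a ping to 200.200.200.2 (the outside next hop in the posted route statement) classifies as through-traffic.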
learningccna



Joined: 19 Aug 2011
Posts: 3

Posted: Fri Aug 19, 2011 11:38 am

thumpercisco wrote:
it is an access-list rule (like ip)
good post, here many have good man, support very well






viktorz



Joined: 22 Mar 2012
Posts: 1

Posted: Thu Mar 22, 2012 7:24 am

too many DMZ it should be only one ))


Last edited by viktorz on Mon Nov 09, 2015 4:26 pm; edited 1 time in total
memoonamike



Joined: 11 Jun 2012
Posts: 89
Location: Pakistan

Posted: Thu Jul 19, 2012 6:38 am

I have read your post and found it very informative and useful for everyone, and I would like to be thankful to you for discussing this topic here and providing us such nice and useful information regarding this topic. I really appreciate the effort of the members who contribute in the PassCertification forum and in this discussion. I have learned many things from here and now I have the knowledge of many things which I didn't know before. Thanks again.
adamsgill



Joined: 12 Dec 2012
Posts: 1

Posted: Mon Dec 24, 2012 11:20 am    Post subject: Locksmith Scotch Plains

We are a group of volunteers and opening a new scheme in our community. Your web site provided us with valuable info to work on. You have done an impressive job and our whole community will be thankful to you.
rgyaneewi



Joined: 07 Dec 2012
Posts: 2

Posted: Wed Dec 26, 2012 12:07 pm    Post subject: PEMU Configuration

I am also working on Pix FW and I also used the same commands and codes to ping to the outside interface and it works for me and every time I used it, it works very well.

All times are GMT