
icmp errors, plz help 1


ndog4ever

MIS
Feb 6, 2002
92
US
I have gone mad chasing my tail with this ICMP problem. I cannot ping any host outside with the PIX, nor can I ping any host once I VPN into the PIX. I can connect to other services; I just cannot ping. I have tried different scenarios using the ICMP command but I haven't had any luck. I am going to post part of my config; if anyone has any suggestions, please feel free. Thanks!

Here are my ACLs:

access-list vpn; 1 elements
access-list vpn line 1 permit ip 192.168.0.0 255.255.255.224 192.168.1.0 255.255.255.224
access-list acl_inside; 16 elements
access-list acl_inside line 1 deny tcp any any eq 6667
access-list acl_inside line 2 deny udp any any eq 8998
access-list acl_inside line 3 deny udp any any eq 6667
access-list acl_inside line 4 deny udp any any eq 139
access-list acl_inside line 5 deny tcp any any eq 445
access-list acl_inside line 6 deny tcp any any eq 593
access-list acl_inside line 7 deny tcp any any eq 4444
access-list acl_inside line 8 deny tcp any any eq 138
access-list acl_inside line 9 deny udp any any eq netbios-dgm
access-list acl_inside line 10 deny tcp any any eq netbios-ssn
access-list acl_inside line 11 deny udp any any eq tftp
access-list acl_inside line 12 deny tcp any any eq 135
access-list acl_inside line 13 deny udp any any eq 135
access-list acl_inside line 14 deny tcp any any eq 137
access-list acl_inside line 15 deny udp any any eq netbios-ns
access-list acl_inside line 16 permit ip any any
access-list acl_outside; 8 elements
access-list acl_outside line 1 deny udp any any eq 99
access-list acl_outside line 2 deny udp any any eq 1434
access-list acl_outside line 3 deny tcp any any eq 6667
access-list acl_outside line 4 deny udp any any eq 6667
access-list acl_outside line 5 deny tcp any any eq 445
access-list acl_outside line 6 deny tcp any any eq 4444
access-list acl_outside line 7 deny tcp any any eq 593
access-list acl_outside line 8 permit ip any any

access-group acl_outside in interface outside
access-group acl_inside in interface inside

This is what I have for my ICMP statements:

icmp permit any echo-reply outside
icmp permit any echo outside

 
Where is your nat 0 ACL?

Jan

Network Systems Engineer
CCNA/CQS/CCSP
 
We need more info! Look at the FAQ for safe posting and try to post your configuration.
 
Well, I just replaced a few lines in my config, mainly the public IPs. Let me know if this helps any. My nat 0 ACL is for the VPN.

PIX Version 6.3(3)
interface ethernet0 10full
interface ethernet1 10full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pix_hostname
domain-name mydomain.local
clock timezone EST -5
clock summer-time EDT recurring 1 Sun May 2:00 last Sun Sep 2:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list vpn permit ip 192.168.0.0 255.255.255.224 192.168.1.0 255.255.255.224
access-list acl_inside deny tcp any any eq 6667 log
access-list acl_inside deny udp any any eq 8998
access-list acl_inside deny udp any any eq 6667
access-list acl_inside deny udp any any eq 139
access-list acl_inside deny tcp any any eq 445
access-list acl_inside deny tcp any any eq 593
access-list acl_inside deny tcp any any eq 4444
access-list acl_inside deny tcp any any eq 138
access-list acl_inside deny udp any any eq netbios-dgm
access-list acl_inside deny tcp any any eq netbios-ssn
access-list acl_inside deny udp any any eq tftp
access-list acl_inside deny tcp any any eq 135
access-list acl_inside deny udp any any eq 135
access-list acl_inside deny tcp any any eq 137
access-list acl_inside deny udp any any eq netbios-ns
access-list acl_inside permit ip any any
access-list acl_outside permit icmp any any
access-list acl_outside deny udp any any eq 99
access-list acl_outside deny udp any any eq 1434
access-list acl_outside deny tcp any any eq 6667
access-list acl_outside deny udp any any eq 6667
access-list acl_outside deny tcp any any eq 445
access-list acl_outside deny tcp any any eq 4444
access-list acl_outside deny tcp any any eq 593
access-list acl_outside permit ip any any
pager lines 24
logging on
logging timestamp
logging buffered critical
logging trap errors
logging host inside server1 17/1400
no logging message 111001
icmp deny any echo-reply outside
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.160 255.255.255.128
ip address inside 192.168.0.1 255.255.255.224
ip audit name Outband-Attack attack action alarm drop
ip audit name Outband-Info info action alarm drop
ip audit name Inbound-Info info action alarm drop
ip audit name Inbound-Attack attack action alarm drop reset
ip audit interface outside Inbound-Info
ip audit interface outside Inbound-Attack
ip audit interface inside Outband-Info
ip audit interface inside Outband-Attack
ip audit info action alarm
ip audit attack action alarm
ip audit signature 2004 disable
ip local pool vpnpool 192.168.1.1-192.168.1.30
pdm location server1 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.224 inside
pdm location xxx.xxx.xxx.5 255.255.255.255 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list vpn
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_outside in interface outside
access-group acl_inside in interface inside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.x.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server xxx.xx.130.100 source outside
http server enable
http xx.xxx.xxx.5 255.255.255.255 outside
snmp-server host inside server1 trap
snmp-server location Main Office
no snmp-server contact
snmp-server community
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-aes-256 esp-md5-hmac
crypto dynamic-map dynmap 100 set transform-set myset
crypto map mymap 100 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp nat-traversal 20
isakmp policy 100 authentication pre-share
isakmp policy 100 encryption aes-256
isakmp policy 100 hash md5
isakmp policy 100 group 2
isakmp policy 100 lifetime 86400
vpngroup vpn100 address-pool vpnpool
vpngroup vpn100 dns-server columbus xxx.xxx.xxx.83
vpngroup vpn100 wins-server columbus
vpngroup vpn100 default-domain DM
vpngroup vpn100 split-tunnel vpn
vpngroup vpn100 idle-time 3000
vpngroup vpn100 password ********
telnet 192.168.0.0 255.255.255.224 inside
telnet 192.168.1.0 255.255.255.224 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 15
console timeout 0
dhcpd address 192.168.0.4-192.168.0.28 inside
dhcpd dns columbus xxx.xxx.77.82
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain DM
dhcpd enable inside
terminal width 80
banner login **************************************
banner login Unauthorized Access is Prohibited
banner login **************************************
Cryptochecksum:2c26bc6930f01be04d35644a2f2198ca
: end
 
You are not able to ping because you have configured the built-in IDS sensor (ip audit...), so when you ping the IDS thinks it is an attack and it blocks the ICMP traffic.
 
Arrrgh... I am crazy for not thinking about that. Thanks a lot. I disabled a few signatures and I am up and pinging away. Thanks a bunch.
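A small lint pass over the posted config, added here as an illustration and not part of the thread, that reports the two things the replies point at: the `icmp deny any echo-reply outside` line, and `ip audit` policies with a `drop` action bound to an interface while the ICMP echo signatures are still enabled. It assumes Cisco's signature numbering (2000 = ICMP Echo Reply, 2004 = ICMP Echo Request, the one the poster had already disabled) and works on a constructed excerpt of the config above.

```python
import re
from collections import defaultdict

# Constructed excerpt of the PIX 6.3 config posted above (ICMP-relevant lines only).
PIX_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
icmp deny any echo-reply outside
ip audit name Outband-Info info action alarm drop
ip audit name Inbound-Info info action alarm drop
ip audit name Inbound-Attack attack action alarm drop reset
ip audit interface outside Inbound-Info
ip audit interface outside Inbound-Attack
ip audit interface inside Outband-Info
ip audit signature 2004 disable
"""

# Built-in IDS "info" signatures that fire on ordinary ping traffic.
# Assumption: Cisco's numbering (2000 = ICMP Echo Reply, 2004 = ICMP Echo Request).
ICMP_ECHO_SIGS = {2000: "ICMP Echo Reply", 2004: "ICMP Echo Request"}


def audit_icmp(config):
    """Return findings that explain why pings through this PIX get no reply."""
    policies = {}              # policy name -> (info|attack, set of actions)
    bound = defaultdict(list)  # interface -> policy names applied to it
    disabled = set()           # signature ids turned off with 'ip audit signature N disable'
    findings = []
    for line in config.splitlines():
        if m := re.match(r"ip audit name (\S+) (info|attack) action (.+)", line):
            policies[m[1]] = (m[2], set(m[3].split()))
        elif m := re.match(r"ip audit interface (\S+) (\S+)", line):
            bound[m[1]].append(m[2])
        elif m := re.match(r"ip audit signature (\d+) disable", line):
            disabled.add(int(m[1]))
        elif m := re.match(r"icmp deny (\S+) echo-reply (\S+)", line):
            # The PIX itself refuses echo replies arriving on that interface.
            findings.append(f"{m[2]}: 'icmp deny {m[1]} echo-reply' drops replies to pings sourced on the PIX")
    for iface, names in bound.items():
        for name in names:
            kind, actions = policies.get(name, ("", set()))
            # Only "info" policies carry the echo signatures; an attack policy does not.
            if kind == "info" and "drop" in actions:
                live = [f"{sig} ({desc})" for sig, desc in ICMP_ECHO_SIGS.items() if sig not in disabled]
                if live:
                    findings.append(f"{iface}: IDS policy {name} drops on {', '.join(live)}; ping traffic is silently discarded")
    return findings
```

Calling `audit_icmp(PIX_CONFIG)` lists one finding for the `icmp deny` line and one per interface whose info policy still drops on signature 2000, which matches the explanation given in the thread.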
 