
PIX and ICMP...

Status
Not open for further replies.

jwi71

MIS
May 27, 2003
42
US
I have created an ACL called test allowing everything through. I then applied this to the outside interface.

Result: I can ping the 32.x.y.z addresses from the PIX. The 32 network can ping to the PIX (outside interface). I cannot ping the 32.x.y.11 address. That is a static through which I hope to allow outside DNS servers to pull zone info from. For now, I want to test connectivity via ping and no go.
If I ping from inside host to 32.x.y.11, no go.

Here is the result of ICMP TRACE:

A ping from inside:
67: Outbound ICMP echo request (len 72 id 34821 seq 6254) 129.x.y.30 > 32.x.y.22 > 32.x.y.10

A ping from outside:
55: Inbound ICMP echo request (len 72 id 33776 seq 5789) 32.x.y.17 > 32.x.y.10 > 129.x.y.1

This may be a NAT issue, but I don't know...

Here is the config:

PIX Version 6.3(1)
interface ethernet0 100full
interface ethernet1 100full
interface gb-ethernet0 1000auto shutdown
interface gb-ethernet1 1000auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif gb-ethernet0 intf2 security4
nameif gb-ethernet1 intf3 security6
enable password L5ClXZrTVl3fPfMp encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix003a
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list test remark --WIDE OPEN ACL FOR TESTING--
access-list test permit ip any any
access-list test permit icmp any any
access-list test permit tcp any any
access-list test permit udp any any
pager lines 24
logging buffered debugging
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
ip address outside 32.x.y.10 255.255.255.224
ip address inside 129.x.y.21 255.255.255.224
no ip address intf2
no ip address intf3
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
pdm history enable
arp timeout 14400
global (outside) 1 32.x.y.21-32.x.y.27
global (outside) 1 32.x.y.28
nat (inside) 1 129.x.0.0 255.255.0.0 0 0
static (inside,outside) 32.x.y.11 129.x.y.1 netmask 255.255.255.255 0 0
access-group test in interface outside
route outside 0.0.0.0 0.0.0.0 32.x.y.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server ADMIN protocol tacacs+
aaa-server ADMIN (inside) host 129.x.y.18 il2ecic4ledx4t timeout 10
aaa authentication telnet console ADMIN
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 129.x.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80

Any ideas/help is appreciated.
 
when you do a show xlate what are you getting?
Can the .11 computer on the inside get to the internet (or beyond the firewall, whichever the case may be)? At first glance the config seems OK. I have questions about the server on your inside interface.


It is what it is!!
__________________________________
A+, Net+, I-Net+, Certified Web Master, MCP, MCSA, MCSE, CCNA, CCDA, and few others (I got bored one day)
 
computerhighwayguy:
the static is created. I can clear xlate and then a show xlate...nothing, which is expected. I ping from the outside to .11 and run sh xlate...the static is created. Ping, of course, is a no go. I have provided the debug ICMP TRACE but I'm no PIX guy so I don't completely follow it.
The server? Unix box running DNS. Nothing special about it.

themut:
Thanks for the reply but I want to ping 32.x.y.11 from the outside. I was attempting to ping from inside as part of my troubleshooting methodology. The eventual goal is to allow a secondary DNS on the outside to pull zone transfers from the internal DNS box. But, if I can't ping, no DNS will go.

Thanks
 
Try to sniff the server to make sure the ICMP echo request is reaching the server and you can also see if the server is replying to the ICMP echo request.
 
Does your server have multiple IP addresses or multiple NIC cards? I got to tell you that this is probably a server related issue. If the xlate is created and it doesn't work, then the PIX is probably seeing a security violation.


 
thanx...for the help but there was in fact a unix firewall running on the unix dns box. It took a tcpdump on the box to find the issue...
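The thread's diagnosis rests on reading the debug icmp trace: an inbound echo request that appears in the trace has already passed the ACL and built its xlate, so a missing echo reply points at the host behind the static rather than at the PIX. The following added example (not code from the thread or from Cisco) parses trace lines in the format quoted in the question and reports requests that never got a reply. The sample lines are constructed from the two requests in the post; the layout of the reply line is an assumption.

```python
import re

# Shape of the PIX 6.x "debug icmp trace" lines quoted in the question:
#   <n>: <Inbound|Outbound> ICMP echo <request|reply> (len L id I seq S) A > B > C
# A is the original source, C the final destination, B the intermediate address.
LINE_RE = re.compile(
    r"^\d+:\s+(?P<dir>Inbound|Outbound)\s+ICMP echo (?P<kind>request|reply)\s+"
    r"\(len \d+ id (?P<id>\d+) seq (?P<seq>\d+)\)\s+"
    r"(?P<a>\S+) > (?P<b>\S+) > (?P<c>\S+)$"
)

def parse_trace(text):
    """Return one dict per line that matches the trace format; others are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["id"], e["seq"] = int(e["id"]), int(e["seq"])
            entries.append(e)
    return entries

def unanswered_requests(entries):
    """Echo requests whose (id, seq) pair never shows up in an echo reply."""
    answered = {(e["id"], e["seq"]) for e in entries if e["kind"] == "reply"}
    return [e for e in entries
            if e["kind"] == "request" and (e["id"], e["seq"]) not in answered]

def triage(text):
    """One hint per unanswered request. An Inbound request seen in the trace has
    already passed the ACL and built its xlate, so a missing reply points at the
    host behind the static (local packet filter, routing), not at the PIX."""
    hints = []
    for e in unanswered_requests(parse_trace(text)):
        if e["dir"] == "Inbound":
            hints.append(f"{e['a']} -> {e['c']}: forwarded inside, no reply seen; "
                         "check the host itself (local firewall, default route)")
        else:
            hints.append(f"{e['a']} -> {e['c']}: left via {e['b']}, no reply seen; "
                         "check the outside path and return route")
    return hints

# Constructed sample: the two request lines from the question plus a reply for
# the outbound ping only. The reply line's layout is an assumption for this demo.
SAMPLE = """\
67: Outbound ICMP echo request (len 72 id 34821 seq 6254) 129.x.y.30 > 32.x.y.22 > 32.x.y.10
67: Inbound ICMP echo reply (len 72 id 34821 seq 6254) 32.x.y.10 > 32.x.y.22 > 129.x.y.30
55: Inbound ICMP echo request (len 72 id 33776 seq 5789) 32.x.y.17 > 32.x.y.10 > 129.x.y.1
"""
```

Run `triage(SAMPLE)` to get the hints; on real output, paste the trace lines in place of the constructed sample, and pair it with a packet capture on the server (as the thread ended up doing) to confirm whether the request arrives and the reply leaves.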
 