PIX 515E_HELP Can not ping own interfaces

anisanis Member Posts: 34 ■□□□□□□□□□
I am trying to configure a pix 515E.

I have configured a pix firewall with the following commands (summary). Now, I can not ping any of my own interfaces. eg. inside or outside.


(Version icon_cool.gif

int e0
ip address 192.168.44.129 255.255.255.0
nameif outside
security_level 0

ent e1
ip address 192.168.1.1 255.255.255.0
nameif inside
security_level 100

After this configuration I tried to ping my interfaces, none of my interface is replying. Now, Plz some let me know what I must do? To my knowledge, this PIX was working fine.

DP.

Comments

  • kenny504kenny504 Users Awaiting Email Confirmation Posts: 237 ■■□□□□□□□□
    Have you tried the no ip keepalive command on the interfaces you are trying to ping. Also are you trying to ping from a host or the router itself?
    There is no better than adversity, every defeat, every loss, every heartbreak contains its seed. Its own lesson on how to improve on your performance the next time.
  • hypnotoadhypnotoad Banned Posts: 915
    issued a no shut on those right? what version of PIX is it?

    try #show ip int brief
  • anisanis Member Posts: 34 ■□□□□□□□□□
    The version of my pix is 515E 8.0(2)

    I am on PIX firewall through console. I used "no shut" along with those commands, still no reply. I think I am missing some basic configuration command.

    However, I did not use "no ip keepalive". Do you think, this would help?

    Thanks.
  • NetstudentNetstudent Member Posts: 1,693 ■■■□□□□□□□
    If the pix isn't physically connected to anything then the protocol will be down. By issueing the no keep on the interface, the protocol should come up because it isn't listening for keepalives to make the connection active.
    There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
  • anisanis Member Posts: 34 ■□□□□□□□□□
    I connected a pc to the pix from both inside and outside and set ip address according to it. wever, the port was not up. Is it like, I have to put/allow anything? To my understanding I was suppose to be able to my own port after setting:
    1. ip address.
    2. name of the interface (inside/outside)
    3. "shut down"
    4. security level

    However, when I connected by desktop from both inside and outside, the port was supposed to be blinking. But, it was not blinking.

    Since new in PIX, I got confused what to do next. I am still confused what to do?

    Thanks
  • AhriakinAhriakin SupremeNetworkOverlord Member Posts: 1,799 ■■■■■■■■□□
    You need to allow ICMP, first for the PIX itself to respond to Pings to it's own interfaces and next for the ICMP replies to come back through your outside interface to the clients.

    e.g.

    ICMP PERMIT 192.168.1.0 255.255.255.0 INSIDE (allows ICMP to the inside interface of the PIX from any host in 192.168.1.0/24)
    ICMP PERMIT ANY OUTSIDE (allows ICMP from any external host to the outside interface, if you do need to allow the outside to respond you can add command parameters to limit the responses allowed, just do a "?" instead of "OUTSIDE" to see the full list)


    Next you want to allow inside hosts to ping or otherwise use ICMP safely to outside hosts
    I like to use object groups to keep my access lists easier to manage so you could use the following to create a group with the safest and most useful ICMP traffic you want to allow to return to hosts on the inside from the outside:

    object-group icmp-type icmp-allowed
    icmp-object echo-reply
    icmp-object source-quench
    icmp-object unreachable
    icmp-object time-exceeded

    Now on your outside access-list (say OUTSIDE-IN)
    access-list OUTSIDE-IN permit icmp any 192.168.44.129 255.255.255.255 object-group icmp-allowed
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • dtlokeedtlokee Member Posts: 2,378 ■■■■□□□□□□
    Are you using cross over cables between the PC and the PIX? Is there an active link light?

    You need to allow ICMP traffic to the PIX interfaces:

    http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i1.html#wp1666637
    The only easy day was yesterday!
  • anisanis Member Posts: 34 ■□□□□□□□□□
    Cool..........I must say i am lucky to be in this forum. Its rare that i could solve a problem with a forum in a just one day.

    Thanks everyone after allowing ICMP, my pix is just working fine.
Sign In or Register to comment.