PIX 515E_HELP Can not ping own interfaces
anis
Member Posts: 34 ■□□□□□□□□□
I am trying to configure a pix 515E.
I have configured a PIX firewall with the following commands (summary). Now, I cannot ping any of my own interfaces, e.g. inside or outside.
(Version
int e0
ip address 192.168.44.129 255.255.255.0
nameif outside
security_level 0
ent e1
ip address 192.168.1.1 255.255.255.0
nameif inside
security_level 100
After this configuration I tried to ping my interfaces; none of my interfaces is replying. Now, please, someone let me know what I must do. To my knowledge, this PIX was working fine.
DP.
Comments
-
kenny504 Users Awaiting Email Confirmation Posts: 237 ■■□□□□□□□□
Have you tried the no ip keepalive command on the interfaces you are trying to ping? Also, are you trying to ping from a host or the router itself?
There is no better than adversity, every defeat, every loss, every heartbreak contains its seed. Its own lesson on how to improve on your performance the next time.
-
hypnotoad Banned Posts: 915
Issued a no shut on those, right? What version of PIX is it?
Try #show ip int brief
-
anis Member Posts: 34 ■□□□□□□□□□
The version of my PIX is 515E 8.0(2)
I am on the PIX firewall through the console. I used "no shut" along with those commands, still no reply. I think I am missing some basic configuration command.
However, I did not use "no ip keepalive". Do you think this would help?
Thanks.
-
Netstudent Member Posts: 1,693 ■■■□□□□□□□
If the PIX isn't physically connected to anything then the protocol will be down. By issuing the no keep on the interface, the protocol should come up because it isn't listening for keepalives to make the connection active.
There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
-
anis Member Posts: 34 ■□□□□□□□□□
I connected a PC to the PIX from both inside and outside and set the IP address according to it. However, the port was not up. Is it like, I have to put/allow anything? To my understanding I was supposed to be able to ping my own port after setting:
1. ip address.
2. name of the interface (inside/outside)
3. "shut down"
4. security level
However, when I connected my desktop from both inside and outside, the port was supposed to be blinking. But it was not blinking.
Since I am new to PIX, I got confused about what to do next. I am still confused about what to do.
Thanks
-
Ahriakin Member Posts: 1,799 ■■■■■■■■□□
You need to allow ICMP, first for the PIX itself to respond to pings to its own interfaces and next for the ICMP replies to come back through your outside interface to the clients.
e.g.
ICMP PERMIT 192.168.1.0 255.255.255.0 INSIDE (allows ICMP to the inside interface of the PIX from any host in 192.168.1.0/24)
ICMP PERMIT ANY OUTSIDE (allows ICMP from any external host to the outside interface, if you do need to allow the outside to respond you can add command parameters to limit the responses allowed, just do a "?" instead of "OUTSIDE" to see the full list)
Next you want to allow inside hosts to ping or otherwise use ICMP safely to outside hosts.
I like to use object groups to keep my access lists easier to manage so you could use the following to create a group with the safest and most useful ICMP traffic you want to allow to return to hosts on the inside from the outside:
object-group icmp-type icmp-allowed
icmp-object echo-reply
icmp-object source-quench
icmp-object unreachable
icmp-object time-exceeded
Now on your outside access-list (say OUTSIDE-IN)
access-list OUTSIDE-IN permit icmp any 192.168.44.129 255.255.255.255 object-group icmp-allowed
We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
-
dtlokee Member Posts: 2,378 ■■■■□□□□□□
Are you using crossover cables between the PC and the PIX? Is there an active link light?
You need to allow ICMP traffic to the PIX interfaces:
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i1.html#wp1666637
The only easy day was yesterday!
-
anis Member Posts: 34 ■□□□□□□□□□
Cool..........I must say I am lucky to be in this forum. It's rare that I could solve a problem with a forum in just one day.
Thanks everyone. After allowing ICMP, my PIX is just working fine.
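
The ICMP settings from Ahriakin's reply collected into one PIX 8.0 configuration, as an added example that is not part of the original thread. It assumes the interface names and addresses from the original post and that inside hosts are translated to the outside interface address 192.168.44.129; the narrowed outside rules and the access-group binding are additions the reply does not show.

```cisco
! Added example; names and addresses come from the thread, the rest is assumed.

! --- ICMP addressed to the PIX's own interfaces ---
! Inside: only the local subnet may ping the inside interface.
icmp permit 192.168.1.0 255.255.255.0 inside

! Outside, broad form from the thread (any source, any ICMP type):
!   icmp permit any outside
! Outside, narrowed form: the PIX still receives answers to its own pings
! and path-error messages, but does not answer echo requests from outside.
! Once any icmp rule exists on an interface, everything else is denied on it.
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside

! --- ICMP returning through the PIX to inside hosts ---
! Same ICMP types as the object group in the reply.
object-group icmp-type icmp-allowed
 icmp-object echo-reply
 icmp-object source-quench
 icmp-object unreachable
 icmp-object time-exceeded

! Assumption: inside hosts leave translated to 192.168.44.129, so return
! traffic is addressed to that host address.
access-list OUTSIDE-IN extended permit icmp any host 192.168.44.129 object-group icmp-allowed

! An access list has no effect until it is bound to an interface.
access-group OUTSIDE-IN in interface outside

! --- Checks after applying ---
! show running-config icmp     (lists the icmp permit rules per interface)
! show access-list OUTSIDE-IN  (hit counts rise when replies arrive)
```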