Can't ping from either Internet or Inside

May 19, 2004
When you try to ping the PIX interface or any of the translated IPs, nada.

I have allowed this (access-list outside permit icmp any any); it used to work before we changed carriers. I can't put my finger on it though. When I run debug icmp trace I see where an ICMP packet hits my external IP from the outside source IP. I don't see any returns though.

There are static translations (again these were working fine before the change) that point to a few web servers and an ftp server.

An excerpt from my config, cleaned up of course.

access-list outside permit icmp any any
access-list outside permit tcp any host x.x.x.164 eq www
access-list outside permit tcp any host x.x.x.165 eq www
access-list outside permit tcp any host x.x.x.167 eq 14000
access-list outside permit tcp any host x.x.x.163 eq www
access-list outside permit tcp any host x.x.x.163 eq smtp

static (inside,outside) x.x.x.163 10.1.1.2 netmask 255.255.255.255
static (DMZ,outside) x.x.x.164 10.10.10.7 netmask 255.255.255.255

The debug trace is:
376: ICMP echo-request from outside:x.x.x.223 to x.x.x.164 ID=1024 seq=30979 length=40
379: ICMP echo-request from outside:x.x.x.223 to x.x.x.164 ID=1024 seq=31235 length=40
392: ICMP echo-request from outside:x.x.x.162 to x.x.x.163 ID=36804 seq=56213 length=40

I don't see any replies. Just the requests.

Any ideas are appreciated...
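As an added example (not from the thread or from the PIX itself), here is a small Python parser for the `debug icmp trace` line formats quoted above. It pairs each echo-request with an echo-reply on the ICMP ID and sequence number, so the "requests but no replies" symptom can be confirmed over a long capture instead of by eye; the echo-reply and translating lines in the sample are constructed, not from the original output.

```python
import re

# Shapes of the two kinds of lines the thread quotes from "debug icmp trace":
# per-packet lines (optional leading counter) and NAT "translating" lines.
PACKET_RE = re.compile(
    r"^(?:\d+:\s*)?ICMP (?P<kind>echo-request|echo-reply) from "
    r"(?P<src_if>\w+):(?P<src>[\w.]+) to (?P<dst>[\w.]+) "
    r"ID=(?P<id>\d+) seq=(?P<seq>\d+) length=(?P<length>\d+)$"
)
XLATE_RE = re.compile(
    r"^(?:\d+:\s*)?ICMP (?P<kind>echo-request|echo-reply): translating "
    r"(?P<src_if>\w+):(?P<src>[\w./]+) to (?P<dst_if>\w+):(?P<dst>[\w./]+)$"
)

def parse_line(line):
    """Classify one debug line; returns a dict, or None for unknown lines."""
    for kind, regex in (("packet", PACKET_RE), ("xlate", XLATE_RE)):
        m = regex.match(line.strip())
        if m:
            return {"type": kind, **m.groupdict()}
    return None

def summarize(lines):
    """Pair echo-requests with echo-replies on (ID, seq); report the requests
    that never saw a reply and the translation decisions the PIX logged."""
    requests, replies, xlates = {}, set(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["type"] == "xlate":
            xlates.append((rec["src"], rec["dst"]))
        elif rec["kind"] == "echo-request":
            requests[(rec["id"], rec["seq"])] = (rec["src"], rec["dst"])
        else:  # echo-reply carries the same ID/seq as its request
            replies.add((rec["id"], rec["seq"]))
    unanswered = [(k, v) for k, v in requests.items() if k not in replies]
    return {"requests": len(requests), "replies": len(replies),
            "unanswered": unanswered, "xlates": xlates}

# Constructed sample: the three requests quoted in the thread, plus one reply
# and one "translating" line that were NOT in the original debug output.
SAMPLE = """\
376: ICMP echo-request from outside:x.x.x.223 to x.x.x.164 ID=1024 seq=30979 length=40
379: ICMP echo-request from outside:x.x.x.223 to x.x.x.164 ID=1024 seq=31235 length=40
392: ICMP echo-request from outside:x.x.x.162 to x.x.x.163 ID=36804 seq=56213 length=40
393: ICMP echo-reply from DMZ:10.10.10.7 to x.x.x.223 ID=1024 seq=30979 length=40
ICMP echo-request: translating inside:10.1.1.2/7676 to outside:x.x.x.169/15
""".splitlines()
```

Any request left in `unanswered` is one the PIX logged inbound but for which it never saw a reply come back, which is the situation the debug in this post shows.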
 
What happens if you show the interfaces?
Are the interfaces enabled?
 
Yeah all other traffic flows fine. Web, mail, ftp everything else works good.

When I try to do a ping from the inside to the outside and debug, I get this.
ICMP echo-request: translating inside:10.1.1.2/7676 to outside:X.X.X.169/15
 
Here is a debug for example. That shows (to me) that it is doing the translation fine. So the problem is outside?

This is a ping request from the inside to an external router with an IP address of .193.

ICMP echo-request from inside:10.10.10.248 to x.x.x.193 ID=512 seq=15557 length=72

This is what appears to verify that it is translating it to the external IP address of .163:

3581: ICMP echo-request: translating inside:10.10.10.248 to outside:x.x.x.163
 
NetworkDoc,
I believe translations occur before it hits access lists. So you should see those. Have you tried a sniffer on the same segment as a system you are trying to ping to see if the traffic is getting through the pix (both sides?) Try turning on logging on that ACL element. It might give a better picture of what is going on. Can you ping from the pix both ways?
It's odd that changing carriers made this happen without any other changes.



Brent
Systems Engineer / Consultant
CCNP
 
Good suggestion.

I just tried to ping from the outside interface of the PIX to an IP address on the Internet. Can't get there. I can however ping anything internally from the PIX. This again makes me believe that it is the hop right outside the door of the PIX (outside interface). This is an Adtran router. I called the ISP to see if they were filtering ICMP on there; they said they weren't. I explained the circumstances and it appears that all is well from the PIX back.

I am heading over there in a few to put my laptop (sniffer) in place and try accessing it from the outside, if I can then it is without a doubt the adtran. If not, it's gotta be the PIX.
 
Try to ping the adtran from the pix.
Remember, it's always their fault until they prove it's yours. ;-)


Brent
Systems Engineer / Consultant
CCNP
 
Well.... In my case I now think it's the PIX.

I plugged my laptop into the outside ports on the switch (switch is set with DMZ's for inside ports and outside ports etc). I gave my laptop an address of x.x.x.172 with the same mask etc and used the adtran as the gateway. I can ping fine to and from the laptop. I can do anything.

I then tried to ping x.x.x.164 (one of the translated addresses) and was not able to. I am now not going through the adtran at all. I am on the same segment. I cranked up the sniffer, I see the echo request go from my laptop to the pix. I also run a debug icmp trace. I see the same stuff I saw earlier.

Then I created a static for .171 and pointed it to a .212 internal IP. I moved my laptop to an internal port. I did a sniff as I tried to ping out and another when I had someone trying to ping in to the .171. The requests are not going through the pix.

This was working a while ago. I began thinking about what has changed other than the ISP. When I moved, we also got a second PIX for failover. This one came with 6.3.5. I flashed the image of the primary to 6.3.5.

Tomorrow AM I am going to try and flash it down to 6.3.4 and see if this somehow resolves it. Strange.... I can't say nothing else has changed, but the basic access-list and translations have not changed. I had allowed them out before and they had worked, as they do some remote testing to other sites periodically. They hadn't realized it was the firewall that had made them stop working.

I will keep you posted. It is strange but interesting too. I saw something like this once where the cable had a slight short in it. Some stuff went through and some didn't.
 
Last try for things to check - Do you have
fixup icmp errors
in your config?

I added this and my pinging and traceroutes started to work.

Post whatever you find out. I am very curious.



Brent
Systems Engineer / Consultant
CCNP
 