Routing (pinging) through the firewall 1

Oct 3, 2001
Hello all,
I seem to have lost my mind on this one. Here is the setup.
I have a server sitting behind my firewall with a public IP address; let's say the internal address is 172.30.10.10 and the external IP is 10.10.10.10.
Now here is the problem: I can ping 172.30.10.10 just fine, but I cannot ping 10.10.10.10 at all from behind the firewall. I can ping it from outside the firewall just fine.

What could be wrong?

I have included my firewall config (I have changed some IP numbers for security reasons)

thanks in advance.


PIX Version 5.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
no fixup protocol smtp 25
no names
access-list 100 permit ip 172.30.160.0 255.255.255.0 172.17.130.0 255.255.255.0
access-list 100 permit ip 172.30.160.0 255.255.255.0 172.17.254.0 255.255.255.0
access-list 100 permit ip 172.30.125.0 255.255.255.0 172.17.254.0 255.255.255.0
access-list 100 permit ip 172.30.180.0 255.255.255.0 172.17.254.0 255.255.255.0
access-list 100 permit ip 172.30.10.0 255.255.255.0 172.17.254.0 255.255.255.0
access-list 100 permit ip 172.30.160.0 255.255.255.0 172.17.120.0 255.255.255.0
access-list 100 permit ip 172.29.10.0 255.255.255.0 172.17.254.0 255.255.255.0
access-list 100 permit ip 172.29.10.0 255.255.255.0 172.17.120.0 255.255.255.0
access-list 101 permit ip 172.30.160.0 255.255.255.0 172.17.130.0 255.255.255.0
access-list 101 permit ip 172.29.10.0 255.255.255.0 172.17.130.0 255.255.255.0
access-list 102 permit ip 172.29.10.0 255.255.255.0 172.17.120.0 255.255.255.0
pager lines 24
logging on
no logging timestamp
no logging standby
logging console debugging
no logging monitor
no logging buffered
no logging trap
no logging history
logging facility 20
logging queue 512
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.xxx 255.255.255.128
ip address inside 172.30.160.5 255.255.255.0
ip local pool clientpool 172.17.254.1-172.17.254.254
no failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
arp timeout 14400
global (outside) 1 xxx.xxx.xxx.xxx netmask 255.255.255.128
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 10.10.10.15 172.30.160.15 netmask 255.255.255.255 0 0
static (inside,outside) 10.10.10.14 172.30.160.14 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit deny tcp any eq irc any
conduit deny udp any eq 194 any
conduit permit tcp host 10.10.10.15 eq smtp any
conduit permit tcp host 10.10.10.15 eq
conduit permit tcp host 10.10.10.14 eq smtp any
conduit permit tcp host 10.10.10.14 eq 22 any
conduit permit tcp host 10.10.10.14 eq 873 any
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route inside 172.29.0.0 255.255.0.0 172.30.160.1 1
route inside 172.30.0.0 255.255.0.0 172.30.160.1 1
route inside 172.31.0.0 255.255.0.0 172.30.160.1 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no floodguard enable
sysopt connection permit-ipsec
crypto map remote 10 ipsec-isakmp
crypto map remote 10 match address 101
crypto map remote 10 set peer xxx.xxx.xxx.xxx
crypto map remote 10 set transform-set myset
crypto map remote 11 ipsec-isakmp dynamic users
crypto map remote 12 ipsec-isakmp
crypto map remote 12 match address 102
crypto map remote 12 set peer xxx.xxx.xxx.xxx
crypto map remote 12 set transform-set myset
crypto map remote client configuration address initiate
crypto map remote client configuration address respond
crypto map remote interface outside
isakmp enable outside
isakmp key 55556666 address 0.0.0.0 netmask 0.0.0.0
isakmp key remote01 address xxx.xxx.xxx.xxx netmask 255.255.255.255 no-config-mode
isakmp key remote02 address xxx.xxx.xxx.xxx netmask 255.255.255.255 no-config-mode
isakmp identity address
isakmp client configuration address-pool local clientpool outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
telnet timeout 5
terminal width 80
 
Hello Spidermanfan,

You will not be able to ping the server from the inside using the public IP. If your DNS server is on the outside, you can overcome this issue using the alias command.

alias (inside) 172.30.10.10 10.10.10.10 255.255.255.255


If your DNS server is on the inside, then there is no way to overcome this issue. Hope this helps!
 
If I follow your initial question, you are trying to ping the external interface from inside your own network, is that right?

If so, you can't do it: it is denied because it is considered to be a 'LAND attack'. From inside you can ping the internal interface, as well as the router's interface on the other side of the PIX.

client ----> pix -----> isp router ------> INTERNET

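The behaviour both replies describe, as an added example that is not part of either post: a small Python checker that reads the `ip address`, `static` and `alias` lines of the posted PIX config and explains, for a ping sent from the inside, why each destination is or is not reachable, and what the `alias` command does to A records returned by an outside DNS server. The outside interface address 198.51.100.5 stands in for the masked xxx.xxx.xxx.xxx in the posted config (an assumed documentation-range address); the far-side-interface rule follows Cisco's documented PIX behaviour (you cannot ping the far interface of a PIX). Note that the posted config contains no `static` for 10.10.10.10, only for 10.10.10.14 and 10.10.10.15, so the checker reports it as an ordinary outbound destination.

```python
"""Classify a ping from the inside of a PIX 5.x against its config.

Added example (not from the thread).  Parses `ip address`, `static` and
`alias` lines and mirrors the replies above: the inside interface answers,
the far-side (outside) interface never answers, and the global address of
an inside static cannot be reached by hairpinning through the PIX.  The
`alias` command is modelled as DNS-reply rewriting, which is the fix the
first reply gives for the case where the DNS server is outside.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample built from the posted config.  The masked outside
# address is replaced by a documentation-range address (assumption).
SAMPLE_CONFIG = """\
ip address outside 198.51.100.5 255.255.255.128
ip address inside 172.30.160.5 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 10.10.10.15 172.30.160.15 netmask 255.255.255.255 0 0
static (inside,outside) 10.10.10.14 172.30.160.14 netmask 255.255.255.255 0 0
"""

IFACE_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")
# PIX syntax: alias [(if_name)] dnat_ip foreign_ip [netmask]
ALIAS_RE = re.compile(r"^alias \((\S+)\) (\S+) (\S+)(?: (\S+))?$")


def parse_pix(text: str) -> Dict:
    """Collect interface addresses, static translations and alias entries."""
    cfg: Dict = {"interfaces": {}, "statics": [], "aliases": {}}
    for raw in text.splitlines():
        line = raw.strip()
        m = IFACE_RE.match(line)
        if m:
            name, ip, mask = m.groups()
            cfg["interfaces"][name] = ipaddress.ip_interface(f"{ip}/{mask}")
            continue
        m = STATIC_RE.match(line)
        if m:
            real_if, mapped_if, global_ip, local_ip, _mask = m.groups()
            cfg["statics"].append({
                "real_if": real_if, "mapped_if": mapped_if,
                "global": ipaddress.ip_address(global_ip),
                "local": ipaddress.ip_address(local_ip),
            })
            continue
        m = ALIAS_RE.match(line)
        if m:
            _if_name, dnat_ip, foreign_ip, _mask = m.groups()
            # public (foreign) address -> address inside clients should see
            cfg["aliases"][ipaddress.ip_address(foreign_ip)] = ipaddress.ip_address(dnat_ip)
    return cfg


def classify_ping(cfg: Dict, dst: str) -> Tuple[str, str]:
    """Return (verdict, reason) for an ICMP echo sent from an inside host.

    verdict is one of 'ok', 'drop', 'fail' or 'unknown'.
    """
    target = ipaddress.ip_address(dst)
    inside = cfg["interfaces"]["inside"]
    outside = cfg["interfaces"]["outside"]
    if target == inside.ip:
        return "ok", "the inside interface of the PIX answers directly"
    if target == outside.ip:
        return "drop", "a PIX does not answer pings to its far-side interface"
    for s in cfg["statics"]:
        if s["real_if"] == "inside" and target == s["global"]:
            return "fail", (f"{target} is the global address of inside host "
                            f"{s['local']}; traffic from the inside cannot "
                            f"hairpin through the static, use {s['local']}")
    if target in inside.network:
        return "ok", "same subnet as the inside interface, never crosses the PIX"
    return "unknown", "no static matches; forwarded out under nat (inside) 1"


def suggest_alias(cfg: Dict, global_ip: str) -> Optional[str]:
    """Build the alias line the first reply recommends for a known static."""
    target = ipaddress.ip_address(global_ip)
    for s in cfg["statics"]:
        if s["real_if"] == "inside" and target == s["global"]:
            return f"alias (inside) {s['local']} {s['global']} 255.255.255.255"
    return None


def doctor_dns_answers(cfg: Dict, answers: List[str]) -> List[str]:
    """Rewrite A records from an outside DNS server the way alias does."""
    return [str(cfg["aliases"].get(ipaddress.ip_address(a), ipaddress.ip_address(a)))
            for a in answers]


if __name__ == "__main__":
    cfg = parse_pix(SAMPLE_CONFIG)
    for dst in ("172.30.160.5", "198.51.100.5", "10.10.10.15", "10.10.10.10"):
        print(dst, classify_ping(cfg, dst))
    fix = suggest_alias(cfg, "10.10.10.15")
    print(fix)
    fixed = parse_pix(SAMPLE_CONFIG + (fix or "") + "\n")
    print(doctor_dns_answers(fixed, ["10.10.10.15", "192.0.2.7"]))
```

Run it and the static for 10.10.10.15 is reported as unreachable from the inside, with the matching alias line as the suggested fix; after that line is added, an A record of 10.10.10.15 returned by an outside resolver is rewritten to 172.30.160.15, so inside clients resolve the server to its inside address and never try to hairpin.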