Anyone care to take a poke at this?
pix501(config)# sh access-list out_in
access-list out_in; 5 elements
access-list out_in line 1 permit tcp 192.168.4.0 255.255.255.0 interface outside object-group TCP-21-THRU-137
access-list out_in line 1 permit tcp 192.168.4.0 255.255.255.0 interface outside range ftp 137 (hitcnt=0)
access-list out_in line 2 permit udp 192.168.4.0 255.255.255.0 interface outside eq netbios-ns (hitcnt=0)
access-list out_in line 3 permit tcp any interface outside eq 24 (hitcnt=0)
access-list out_in line 4 permit icmp interface outside any object-group ICMP_REP
access-list out_in line 4 permit icmp interface outside any echo-reply (hitcnt=0)
access-list out_in line 5 deny ip any any (hitcnt=13)
pix501(config)#
pix501(config)# sh object-gr icmp-type
object-group icmp-type ICMP_REP
  icmp-object echo-reply
pix501(config)# sh nat
nat (inside) 0 access-list NAT0
nat (inside) 1 192.168.50.0 255.255.255.0 0 0
pix501(config)# sh icmp
icmp permit any unreachable outside
icmp permit any echo-reply outside
icmp deny any outside
pix501(config)# ping 64.233.167.104
64.233.167.104 response received -- 20ms
64.233.167.104 response received -- 40ms
64.233.167.104 response received -- 10ms
ip audit signature 2000 disable
Here is the syslog entry from when I ping 64.233.167.104 from 192.168.50.7:
Sep 23 03:08:43 pix Sep 23 2005 09:57:31: %PIX-4-106023: Deny icmp src outside:64.233.167.104 dst inside:6.6.3.9 (type 0, code 0) by access-group "out_in"
Sep 23 03:08:44 pix Sep 23 2005 09:57:32: %PIX-4-106023: Deny icmp src outside:64.233.167.104 dst inside:6.6.3.9 (type 0, code 0) by access-group "out_in"
I can't ping Google from 192.168.50.7. I can browse to it (and all other websites) but just can't ping. And no, there is no firewall of any kind running on 192.168.50.7 that blocks anything.