ping outside interface on pix

PIX Firewall Version 6.3(1)

Hi, I need to ping my outside interface (1.2.3.4) from my LAN (192.168.1.0/24) for monitoring purposes.

I have the following entries:

pixw(config)# sh access-list acl_inside | incl icmp
access-list acl_inside line 45 permit icmp 192.168.1.0 255.255.255.0 any
access-list acl_inside line 53 permit icmp any any

but I cannot ping it.

I added: access-list acl_inside line icmp 192.168.1.0 255.255.255.0 interface outside

Would that do the trick? I seem to remember that the PIX doesn't allow pings to its own interfaces; if that's the case, what would be a good workaround?

cheers, M

-- mak

This is not possible.

-- Lutz Donnerhacke

Interesting, is this documented anywhere? And what would be a workaround, or how would you set this up?

Again: I am pinging from _a host_ in the LAN, not directly from my inside interface as in:

pixw# ping inside 1.2.3.4
1.2.3.4 NO response received -- 1000ms
1.2.3.4 NO response received -- 1000ms
1.2.3.4 NO response received -- 1000ms
pixw#

thanks M

-- mak

Ping the inside interface.

I know. The PIX can only translate or receive the packet, not both.

-- Lutz Donnerhacke

thanks,

Would it help to NAT the internal host to a different outside IP than the interface IP?

thanks, M

-- mak

No.

-- Lutz Donnerhacke

Try this: Designate the outside interface as a management interface, and create an IPSec tunnel between it and some host on the inside (such as a box running freeswan, but you could probably use the Cisco client). That inside host would then be able to ping the outside interface.

-- Walter Roberson

This would cause the PIX to stop forwarding packets from and to outside. In short: loss of Internet connectivity.

This will fail, because the IPSec tunnel is only terminated on the interface the packets are coming in. In this case: The inside interface.

The reason for this behavior is the same as the unavailability of ping.

No.

-- Lutz Donnerhacke

Thanks, I'll try that.

-- mak

Why would that happen? When you designate the inside interface as a management interface, does it stop forwarding packets to and from the inside?

Then how does it work for the case of an outside host given management interface access to the inside? There isn't anything special about inside or outside for this situation. You have a host with an IPSec tunnel to the "nearest" interface that is used to access the "further" interface; the PIX doesn't care whether "nearest" is "outside" with further "inside"; or if nearest is "inside" with further being "outside".

I haven't ever used management interface, but I *have* created IPSec tunnels to the "inside" interface.

-- Walter Roberson

Because I mixed "management-access" with "management-only". Sorry.

IPSec has to be terminated on the nearest interface.

The suggestion was to set up an IPSec tunnel between the inside host and the outside interface.

-- Lutz Donnerhacke
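Following Lutz's suggestion to ping the inside interface rather than the outside one, here is an added monitoring script (not from the thread or from Cisco) that a LAN host could run: it checks the PIX's inside address and then a reference host beyond the outside interface to confirm forwarding still works. The inside address 192.168.1.1 and the reference host 198.51.100.1 are assumed values.

```shell
#!/bin/sh
# Monitor a PIX from a host on the LAN. The outside interface address is not
# answered for inside hosts (see the thread), so check the inside interface
# address directly, then a reference host beyond the outside interface to
# confirm that the PIX is still forwarding traffic.
# PING may be overridden (e.g. in tests); default is Linux ping, one probe,
# 2 second timeout.
PING="${PING:-ping -c 1 -W 2}"

reachable() {
    $PING "$1" >/dev/null 2>&1
}

# check_pix <inside-interface-ip> <reference-host-beyond-outside>
# return: 0 all good, 1 inside up but nothing reachable through the PIX,
#         2 inside interface itself not answering
check_pix() {
    inside=$1
    ref=$2
    if ! reachable "$inside"; then
        echo "CRITICAL: inside interface $inside not answering"
        return 2
    fi
    if ! reachable "$ref"; then
        echo "WARNING: inside $inside up, but $ref beyond the outside interface is unreachable"
        return 1
    fi
    echo "OK: inside $inside up and traffic is forwarded through outside"
    return 0
}

# Assumed addresses: inside interface 192.168.1.1, reference host 198.51.100.1
# (a documentation-range address; substitute a real upstream host).
if [ $# -eq 2 ]; then
    check_pix "$1" "$2"
fi
```

Run it as `sh pixmon.sh 192.168.1.1 198.51.100.1` from cron or a monitoring agent and act on the exit status.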
