09186a0080094e8a.shtml#pingown Look at that link watchout for word wrap. Hope it helps. You have to enable ping terminating on a pix interface.
-----Original Message----- From: Tunji Suleiman [mailto:tunjisule@;hotmail.com] Sent: Sunday, November 10, 2002 9:39 AM To: [EMAIL PROTECTED] Subject: Problem pinging from inside thru PIX to outside [7:57188] Hi Group, I am trying to deploy a VPN solution and ran into a seemingly simple problem which I cant seem able to resolve. I terminated the radio link from the ISP on fa0/0 of my Cisco 2621 router. I connected fa0/1 of 2621 to e0/0, the outside of my PIX 506 by cross cable and connected e0/1, the inside of PIX to LAN switch. The inside network has address 10.240.77.0/24 and the VPN is between Exchange server at 10.240.77.3 and the larger 10.240.0.0 network. The ISP has assigned me the following IP addresses 66.135.55.171, .172, .173 and .174 from a subnet with mask 255.255.255.192. So I assigned .171 to fa0/1 - inside of 2621, .172 to e0/0 - outside of PIX, .173 as global on PIX for PAT and reserved .174 for a future VG. I wanted to put the config thru its paces by pinging round the PIX. For testing, I had entered on the PIX: conduit permit ICMP any any access-list aclout permit icmp any any access-list aclin permit icmp any any access-group aclout in interface outside When I tried to apply aclin for outbound icmp, with the command: access-group aclin out interface inside the PIX responded with: Type help or '?' for list of available commands. When I repeated the command with ? at the end, the PIX responded with: usage: [no] access-group in interface inside It seemed the PIX only requires permitting inbound ICMP from the outside. So I proceeded with the pings. My output is below: >From Router: NB: pixout, pixin and exchange are host entries on router for PIX outside interface, PIX inside interface and exchange server with IP addresses 66.135.55.172, 10.240.77.1 and 10.240.77.3 respectively. MyRouter#ping pixout Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 66.135.55.172, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms MyRouter#ping pixin Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.240.77.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms MyRouter#ping exchange Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.250.77.3, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms >From PIX: NB: I used on the pix for name-to-IP address mapping the following: names name 66.135.55.171 gateway name 10.240.77.3 exchange PIX# ping gateway gateway response received -- 0ms gateway response received -- 0ms gateway response received -- 0ms PIX# ping exchange exchange response received -- 0ms exchange response received -- 0ms exchange response received -- 0ms PIX# >From Exchange: C:\>ping 10.240.77.1 Pinging 10.240.77.1 with 32 bytes of data: Reply from 10.240.77.1: bytes=32 timeping 66.135.55.171 Pinging 66.135.55.171 with 32 bytes of data: Request timed out. Request timed out. Request timed out. Request timed out. Ping statistics for 66.135.55.171: Packets: Sent = 4, Received = 0, Lost = 4 (100% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms C:\>ping 66.135.55.172 Pinging 66.135.55.172 with 32 bytes of data: Request timed out. Request timed out. Request timed out. Request timed out. Ping statistics for 66.135.55.172: Packets: Sent = 4, Received = 0, Lost = 4 (100% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms C:\> I can ping from the router thru the PIX to the Exchange server in the inside network, from the PIX all around, from the Exchange to the PIX inside interface but not from Exchange to the PIX outside interface and to the router. I know it gotta be something simple, but cant seem able to figure it out. The PIX is 506E version 6.1(2). I will appreciate greatly if somebody will just point to me what I'm missing. TIA. _________________________________________________________________ MSN 8 with e-mail virus protection service: 2 months FREE* http://join.msn.com/?page=features/virus Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=57189&t=57188 -------------------------------------------------- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
