
| Subject: | Fwd: PIX 525 No NATconfiguration |
|---|---|
| Date: | Fri, 21 Oct 2005 15:34:30 -0400 |
I've resolved this problem by putting ACLs in interface inside and outside:

```
access-list INSIDE_IN extended permit icmp any any
access-list OUTSIDE_IN extended permit icmp any any
```

and I had to put a route in the router as well

```
ip route 10.168.2.2 255.255.255.0 10.168.253.253
```

then it worked.

thanks
ee

---------- Forwarded message ----------
From: Ercan Elibol <ercanelibol@gmail.com>
Date: Oct 17, 2005 6:49 PM
Subject: PIX 525 No NATconfiguration
To: firewalls@securityfocus.com

hi,

I have a 525 PIX firewall running IOS 7.0. I can not ping through the firewall. Inside interface is connected to a PC, I can ping it from firewall. Outside interface is connected to a Cisco 3845 router, and I can ping it from firewall. But for some reason I can not ping Cisco 3845 from PC. And I am not trying to do a NAT configuration. What am I missing here?

Here is my config, any help appreciated very much.

thanks

```
PIX Version 7.0(1)
names
!
interface Ethernet0
 duplex full
 nameif OUTSIDE
 security-level 0
 ip address 10.168.253.253 255.255.255.252
!
interface GigabitEthernet0
 nameif INSIDE
 security-level 100
 ip address 10.168.2.2 255.255.255.0
!
enable password
passwd
hostname pixfirewall
domain-name default.domain.invalid
ftp mode passive
access-list INSIDE_IN extended permit ip any any
access-list INSIDE_IN extended permit tcp any any
access-list OUTSIDE_IN extended permit ip any any
access-list OUTSIDE_IN extended permit tcp any any
pager lines 24
logging enable
logging buffered informational
mtu OUTSIDE 1500
mtu INSIDE 1500
no failover
monitor-interface OUTSIDE
monitor-interface INSIDE
asdm image flash:/asdm-501.bin
no asdm history enable
arp timeout 14400
nat (INSIDE) 0 10.168.2.0 255.255.255.0
access-group OUTSIDE_IN in interface OUTSIDE
access-group INSIDE_IN in interface INSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 10.168.253.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.168.2.0 255.255.255.0 INSIDE
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
telnet 10.168.2.0 255.255.255.0 INSIDE
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
: end
```

here is the log info:

```
%PIX-6-609001: Built local-host OUTSIDE:10.168.253.254
%PIX-6-302020: Built ICMP connection for faddr 10.168.253.254/0 gaddr 10.168.2.10/512 laddr 10.168.2.10/512
%PIX-6-302021: Teardown ICMP connection for faddr 10.168.253.254/0 gaddr 10.168.2.10/512 laddr 10.168.2.10/512
%PIX-6-609002: Teardown local-host OUTSIDE:10.168.253.254 duration 0:00:02
%PIX-6-609001: Built local-host OUTSIDE:10.168.253.254
%PIX-6-302020: Built ICMP connection for faddr 10.168.253.254/0 gaddr 10.168.2.10/512 laddr 10.168.2.10/512
%PIX-6-302021: Teardown ICMP connection for faddr 10.168.253.254/0 gaddr 10.168.2.10/512 laddr 10.168.2.10/512
%PIX-6-609002: Teardown local-host OUTSIDE:10.168.253.254 duration 0:00:02
%PIX-6-609001: Built local-host OUTSIDE:10.168.253.254
%PIX-6-302020: Built ICMP connection for faddr 10.168.253.254/0 gaddr 10.168.2.10/512 laddr 10.168.2.10/512
%PIX-6-302021: Teardown ICMP connection for faddr 10.168.253.254/0 gaddr 10.168.2.10/512 laddr 10.168.2.10/512
%PIX-6-609002: Teardown local-host OUTSIDE:10.168.253.254 duration 0:00:02
%PIX-6-609001: Built local-host OUTSIDE:10.168.253.254
%PIX-6-302020: Built ICMP connection for faddr 10.168.253.254/0 gaddr 10.168.2.10/512 laddr 10.168.2.10/512
%PIX-6-302021: Teardown ICMP connection for faddr 10.168.253.254/0 gaddr 10.168.2.10/512 laddr 10.168.2.10/512
%PIX-6-609002: Teardown local-host OUTSIDE:10.168.253.254 duration 0:00:02
```
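
One way to read the syslog output quoted in the message above, as an added example that is not part of the original post: it pairs the 302020/302021 records per flow, reports whether `gaddr` differs from `laddr` (whether any translation was applied), and collects the local-host lifetimes from 609002 so they can be compared with the `icmp 0:00:02` timeout in the posted config. The names `summarize`, `ICMP_RE`, `HOST_RE` and `SAMPLE_LOG` are introduced for this example; the sample holds two of the posted cycles with the archive's link markup removed.

```python
import re
from collections import defaultdict

# Two cycles in the format of the posted log (archive link markup removed).
SAMPLE_LOG = """\
%PIX-6-609001: Built local-host OUTSIDE:10.168.253.254
%PIX-6-302020: Built ICMP connection for faddr 10.168.253.254/0 gaddr 10.168.2.10/512 laddr 10.168.2.10/512
%PIX-6-302021: Teardown ICMP connection for faddr 10.168.253.254/0 gaddr 10.168.2.10/512 laddr 10.168.2.10/512
%PIX-6-609002: Teardown local-host OUTSIDE:10.168.253.254 duration 0:00:02
%PIX-6-609001: Built local-host OUTSIDE:10.168.253.254
%PIX-6-302020: Built ICMP connection for faddr 10.168.253.254/0 gaddr 10.168.2.10/512 laddr 10.168.2.10/512
%PIX-6-302021: Teardown ICMP connection for faddr 10.168.253.254/0 gaddr 10.168.2.10/512 laddr 10.168.2.10/512
%PIX-6-609002: Teardown local-host OUTSIDE:10.168.253.254 duration 0:00:02
"""

# \s* tolerates the missing spaces that mail archives leave around addresses.
ICMP_RE = re.compile(
    r"%PIX-\d-(?:302020|302021): (Built|Teardown) ICMP connection for "
    r"faddr (\S+?)/\d+\s*gaddr (\S+?)/\d+\s*laddr (\S+?)/\d+")
HOST_RE = re.compile(
    r"%PIX-\d-609002: Teardown local-host \w+:\s*(\S+?)\s*duration (\d+):(\d+):(\d+)")

def summarize(log_text):
    """Return (flows, lifetimes): per-flow Built/Teardown counts and NAT flag,
    and per-foreign-host local-host lifetimes in seconds."""
    flows = defaultdict(lambda: {"built": 0, "teardown": 0, "translated": False})
    lifetimes = defaultdict(list)
    for line in log_text.splitlines():
        m = ICMP_RE.search(line)
        if m:
            action, faddr, gaddr, laddr = m.groups()
            flow = flows[(laddr, faddr)]
            flow["built" if action == "Built" else "teardown"] += 1
            # gaddr is the global (post-translation) address of the inside host.
            flow["translated"] |= gaddr != laddr
            continue
        m = HOST_RE.search(line)
        if m:
            host, h, mi, s = m.groups()
            lifetimes[host].append(int(h) * 3600 + int(mi) * 60 + int(s))
    return dict(flows), dict(lifetimes)

if __name__ == "__main__":
    flows, lifetimes = summarize(SAMPLE_LOG)
    for (laddr, faddr), f in flows.items():
        print(f"{laddr} -> {faddr}: built={f['built']} "
              f"teardown={f['teardown']} translated={f['translated']}")
    for host, secs in lifetimes.items():
        print(f"local-host {host}: lifetimes {secs} s")
```

A "Built" record for every echo means the firewall created a session for the PC's request, and `translated=False` confirms the address left the firewall untranslated, so the router needs its own route back to the inside network.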