Re: PIX routing and NAT issues

From: Richard Mott (richpmott@xxxxxxxxxxx)
Date: Thu Jul 13 2000 - 09:43:18 GMT-3


   
Did you create a conduit to permit icmp any any?

Rich Mott
CCIE #5234 (R&S)(ISP/Dial)
Network Engineer
Jannon Solutions

>From: Vijay Venkatesh <vijay.venkatesh@usa.net>
>Reply-To: Vijay Venkatesh <vijay.venkatesh@usa.net>
>To: Earl Aboytes <earl@linkline.com>
>CC: "Stephens, Paul [Prof.Serv]" <Paul.Andrew.Stephens@compaq.com>,
>ccielab@groupstudy.com
>Subject: PIX routing and NAT issues
>Date: Thu, 13 Jul 2000 00:20:29 -0400
>
>Hi all,
> I am running PIX version 4.4. Here is the situation -
>
>ethernet0: (outside) interface -
>has a class c ip address with a /27 mask
>has a global ip pool for nat also with a /27 mask
>has a global ip (not part of the pool) for overload
>has a default route to the next hop router.
>
>ethernet 1 (inside) interface -
>has a 10.10.10.0 ip with a /24
>
>
>Hosts on the 10.10.10.0/24 net get natted to the outside. If I place
>a workstation on the inside I can ping the inside interface of the PIX.
>If I place a w/s on the perimeter interface of the pix I can ping the
>outside interface of the pix. I cannot however ping from the w/s on the
>inside interface to any host on the outside interface. In fact, I cannot
>ping across the PIX!! I did a debug and I see the nat occurring and the
>nat table getting populated. Yes, I have checked the arp entries also.
>Everything looks good. However it appears that the icmp pkt reaches the
>host on the outer interface but the response does not return. Yes, I
>have set the conduit to allow icmp any any. Am I missing something
>here? Also I have the mtu and the auto statement also in.
>Yes, from the pix I can ping both outer and inner devices. I just
>cannot ping across the pix. The pix is routing but it appears that
>the pix does not know how to relay back the icmp response pkt by
>reading entries from the NAT table. Any ideas? Please let me know.
>Thank you.
>
>Regards,
>Vijay.
>


