From: Farrukh Haroon (farrukhharoon@gmail.com)
Date: Tue Aug 19 2008 - 02:26:48 ART
You have enabled the IDS feature built into the PIX. This is blocking your
pings.
Do this:
ip audit signature 2004 disable
Regards
Farrukh
On Tue, Aug 19, 2008 at 8:00 AM, Truman Ford <truman.ccie@gmail.com> wrote:
> Hi Experts,
>
> I have faced a very strange problem with the PIX.
> The problem is that the customer complained that he is not able to ping the
> inside IP of the PIX from his LAN, but was able to before.
> BUT he is able to SSH :). I checked in the PIX that ICMP is permitted.
> For troubleshooting, I directly connected the PIX inside interface to
> a laptop with an IP in the same subnet as the PIX inside; unfortunately I was not
> able to ping from the laptop to the inside IP of the PIX or vice versa. BUT I was able to
> SSH from the laptop :) When I do "debug icmp" in the PIX and ping the inside
> IP of the PIX from the directly connected laptop, I can see the following logs
> in the PIX, where .2 is the laptop IP address and .1 is the PIX inside IP address.
> The firewall is off on the laptop.
>
> Please help!!!!!!!!!!
>
>
> 400014: IDS:2004 ICMP echo request from 190.168.10.2 to 190.168.10.1 on
> interface inside
>
> 400014: IDS:2004 ICMP echo request from 190.168.10.2 to 190.168.10.1 on
> interface inside
>
> 400014: IDS:2004 ICMP echo request from 190.168.10.2 to 190.168.10.1 on
> interface inside
>
>
>
> PIX config (in short):
>
> PIX Version 6.3(5)127
> interface ethernet0 100full
> interface ethernet1 auto
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> enable password xxx encrypted
> passwd xxxx encrypted
> hostname PIX
> domain-name pixfw
> clock timezone ist 12 30
> fixup protocol dns maximum-length 512
> fixup protocol ftp 21
> fixup protocol ftp 18001
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol http 80
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol sip 5060
> fixup protocol sip udp 5060
> fixup protocol skinny 2000
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol tftp 69
>
> access-list inside_access_in permit icmp any any echo
>
> access-group inside_access_in in interface inside
>
> ip address inside 190.168.10.1 255.255.255.0
>
> Thanks,
>
> Truman
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Mon Sep 01 2008 - 08:15:31 ART
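The thread above turns on reading the PIX 400014 syslog message correctly: "IDS:2004 ICMP echo request" is the audit engine reporting (and, with a drop action, discarding) the echo requests, not the ACL. The following Python script is an added example, not code from the thread or from Cisco: it parses PIX IDS audit messages of the form quoted by Truman, counts them per signature and address pair, and checks a saved config for the `ip audit signature N disable` line Farrukh suggests, so an operator can confirm which signatures seen in the logs are still active. The log lines and config fragments are constructed for the example; the config excerpt in the thread omits the `ip audit` lines, so the "before" config here assumes none were present. One caveat a practitioner would want: disabling the signature also removes the log message, so if the goal is only to stop the drop while keeping visibility, the action for informational signatures on PIX 6.x is set separately with `ip audit info action` (alarm rather than drop).

```python
import re
from collections import Counter

# Constructed sample syslog lines, modelled on the 400014 messages quoted
# in the thread (both the bare form and the %PIX-4- prefixed form are shown).
SAMPLE_LOGS = """\
400014: IDS:2004 ICMP echo request from 190.168.10.2 to 190.168.10.1 on interface inside
400014: IDS:2004 ICMP echo request from 190.168.10.2 to 190.168.10.1 on interface inside
400014: IDS:2004 ICMP echo request from 190.168.10.2 to 190.168.10.1 on interface inside
%PIX-4-400014: IDS:2004 ICMP echo request from 190.168.10.7 to 190.168.10.1 on interface inside
302013: Built inbound TCP connection 12 for inside:190.168.10.2/4120 (190.168.10.2/4120) to NP Identity Ifc:190.168.10.1/22 (190.168.10.1/22)
"""

# Constructed config fragments: the "before" state assumes no ip audit
# signature lines at all; the "after" state applies the fix from the reply.
CONFIG_BEFORE_FIX = """\
access-list inside_access_in permit icmp any any echo
access-group inside_access_in in interface inside
ip address inside 190.168.10.1 255.255.255.0
"""

CONFIG_AFTER_FIX = CONFIG_BEFORE_FIX + "ip audit signature 2004 disable\n"

# PIX IDS audit messages: optional %PIX-<sev>- prefix, a 4000xx message id,
# the signature number, a free-text description, src/dst IPv4 and interface.
IDS_RE = re.compile(
    r"(?:%PIX-\d-)?(?P<msgid>4000\d{2}): IDS:(?P<sig>\d+) (?P<desc>.+?) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) to (?P<dst>\d{1,3}(?:\.\d{1,3}){3}) "
    r"on interface (?P<iface>\S+)"
)

DISABLE_RE = re.compile(r"^\s*ip audit signature (\d+) disable\s*$", re.MULTILINE)


def parse_ids_event(line):
    """Return a dict for an IDS audit message, or None for any other line."""
    m = IDS_RE.search(line)
    if not m:
        return None
    event = m.groupdict()
    event["sig"] = int(event["sig"])
    return event


def summarize(log_text):
    """Count IDS events per (signature, source, destination, interface)."""
    counts = Counter()
    for line in log_text.splitlines():
        event = parse_ids_event(line)
        if event:
            counts[(event["sig"], event["src"], event["dst"], event["iface"])] += 1
    return counts


def disabled_signatures(config_text):
    """Signature numbers explicitly disabled in a saved PIX config."""
    return {int(s) for s in DISABLE_RE.findall(config_text)}


def signatures_still_active(log_text, config_text):
    """Signatures that appear in the logs but are not disabled in the config."""
    seen = {sig for (sig, _src, _dst, _iface) in summarize(log_text)}
    return sorted(seen - disabled_signatures(config_text))


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOGS).items():
        sig, src, dst, iface = key
        print(f"signature {sig}: {n} event(s) {src} -> {dst} on {iface}")
    print("still active before fix:", signatures_still_active(SAMPLE_LOGS, CONFIG_BEFORE_FIX))
    print("still active after fix: ", signatures_still_active(SAMPLE_LOGS, CONFIG_AFTER_FIX))
```

Run it against a real `show logging` capture and a `write terminal` dump instead of the constructed strings; the non-IDS line in the sample shows that the parser ignores the SSH connection-built message, which is why Truman could still SSH while pings were dropped.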