PIX 525 connectivity/routing problem
19 years 2 months ago #10739
by eeee
PIX 525 connectivity/routing problem was created by eeee
hi,
I have a 525 PIX firewall running IOS 7.0. I cannot ping through the firewall. The inside interface is connected to a PC, and I can ping it. The outside interface is connected to a Cisco 3845 router, and I can ping it. But for some reason I cannot ping the Cisco 3845 from the PC. And I am not trying to do a NAT configuration. What am I missing here? Here is my config; any help is appreciated very much. Thanks.
PIX Version 7.0(1)
names
!
interface Ethernet0
duplex full
nameif OUTSIDE
security-level 0
ip address 10.168.253.253 255.255.255.252
!
interface GigabitEthernet0
nameif INSIDE
security-level 100
ip address 10.168.2.2 255.255.255.0
!
enable password
passwd
hostname pixfirewall
domain-name default.domain.invalid
ftp mode passive
access-list INSIDE_IN extended permit ip any any
access-list INSIDE_IN extended permit tcp any any
access-list OUTSIDE_IN extended permit ip any any
access-list OUTSIDE_IN extended permit tcp any any
pager lines 24
logging enable
logging buffered informational
mtu OUTSIDE 1500
mtu INSIDE 1500
no failover
monitor-interface OUTSIDE
monitor-interface INSIDE
asdm image flash:/asdm-501.bin
no asdm history enable
arp timeout 14400
nat (INSIDE) 0 10.168.2.0 255.255.255.0
access-group OUTSIDE_IN in interface OUTSIDE
access-group INSIDE_IN in interface INSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 10.168.253.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.168.2.0 255.255.255.0 INSIDE
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
telnet 10.168.2.0 255.255.255.0 INSIDE
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
: end
19 years 2 months ago #10741
by MaXiMuS
Replied by MaXiMuS on topic Re: PIX 525 connectivity/routing problem
Add this line to your configuration and see if it works now:
access-list OUTSIDE_IN extended permit icmp any any
19 years 1 month ago #10842
by TheeGreatCornholio
Replied by TheeGreatCornholio on topic Re: PIX 525 connectivity/routing problem
MaXiMuS... the permit IP rule includes ICMP, so that wouldn't make a difference.
Sounds like a routing problem... does your Cisco router have a static route back to the INSIDE subnet via the PIX outside interface IP address?
Add this to your router:
ip route 10.168.2.0 255.255.255.0 10.168.253.253
See if this does the trick.. if not, let me know and I'll dig deeper into your config.
tGc
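The return-route check suggested above, as an added example (not code from any post in this thread): it parses the PIX interface and route lines posted in the question and a set of IOS `ip route` statements for the 3845, then asks whether the router's best route for the pinging PC's address points back at the PIX OUTSIDE interface. The router's route lines before and after the fix, its connected interface, and the upstream next hop 192.0.2.1 are constructed for illustration; only the PIX lines are from the thread.

```python
# Added example (not from any post in this thread): check whether the router on
# the PIX OUTSIDE side has a route back to the PIX INSIDE subnet, which is the
# asymmetric-routing fault behind a one-way ping. The PIX interface and route
# lines are taken from the config posted above; the router route lines and the
# router's connected interface are CONSTRUCTED for illustration.
import ipaddress
import re

PIX_CONFIG = """\
interface Ethernet0
 nameif OUTSIDE
 security-level 0
 ip address 10.168.253.253 255.255.255.252
!
interface GigabitEthernet0
 nameif INSIDE
 security-level 100
 ip address 10.168.2.2 255.255.255.0
!
route OUTSIDE 0.0.0.0 0.0.0.0 10.168.253.254 1
"""

# Constructed: before the fix the 3845 only has a default route pointing
# upstream (192.0.2.1 is a documentation address standing in for the next hop).
ROUTER_BEFORE = "ip route 0.0.0.0 0.0.0.0 192.0.2.1\n"
# Constructed: the same router after adding the static route from the thread.
ROUTER_AFTER = ROUTER_BEFORE + "ip route 10.168.2.0 255.255.255.0 10.168.253.253\n"
# Constructed: the router's own address on the /30 link to the PIX.
ROUTER_CONNECTED = [ipaddress.ip_interface("10.168.253.254/30")]


def parse_pix_interfaces(cfg):
    """Map nameif -> ip_interface from the PIX 'interface' blocks."""
    ifaces, name = {}, None
    for line in cfg.splitlines():
        s = line.strip()
        if s.startswith("interface "):
            name = None
        elif s.startswith("nameif "):
            name = s.split()[1]
        elif s.startswith("ip address ") and name:
            _, _, ip, mask = s.split()
            ifaces[name] = ipaddress.ip_interface(f"{ip}/{mask}")
    return ifaces


def parse_ios_static_routes(cfg):
    """Parse IOS 'ip route NET MASK NEXTHOP' lines into (network, next hop)."""
    routes = []
    for m in re.finditer(r"^ip route (\S+) (\S+) (\S+)", cfg, re.M):
        net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        routes.append((net, ipaddress.ip_address(m.group(3))))
    return routes


def best_route(routes, connected, dst):
    """Longest-prefix match. Returns (prefixlen, next_hop); next_hop is None for
    a directly connected network. Returns None when nothing matches, i.e. the
    router would drop the packet."""
    dst = ipaddress.ip_address(dst)
    cands = [(i.network.prefixlen, None) for i in connected if dst in i.network]
    cands += [(n.prefixlen, nh) for n, nh in routes if dst in n]
    return max(cands, key=lambda c: c[0]) if cands else None


def reply_returns_via_pix(pix_cfg, router_cfg, src_ip):
    """True if an echo reply to src_ip (a host on the PIX INSIDE subnet) would be
    forwarded by the router to the PIX OUTSIDE address, so the return path
    mirrors the forward path through the firewall."""
    pix = parse_pix_interfaces(pix_cfg)
    inside, outside = pix["INSIDE"], pix["OUTSIDE"]
    if ipaddress.ip_address(src_ip) not in inside.network:
        raise ValueError(f"{src_ip} is not on the PIX INSIDE subnet {inside.network}")
    hit = best_route(parse_ios_static_routes(router_cfg), ROUTER_CONNECTED, src_ip)
    return hit is not None and hit[1] == outside.ip


if __name__ == "__main__":
    for label, cfg in (("before fix", ROUTER_BEFORE), ("after fix", ROUTER_AFTER)):
        hit = best_route(parse_ios_static_routes(cfg), ROUTER_CONNECTED, "10.168.2.10")
        ok = reply_returns_via_pix(PIX_CONFIG, cfg, "10.168.2.10")
        print(f"{label}: router route for 10.168.2.10 -> {hit}, reply returns via PIX: {ok}")
```

Before the fix the router's only match for 10.168.2.10 is the default route, so the echo reply is sent upstream and the PIX never sees it; after the fix the /24 static route wins the longest-prefix match and the reply comes back through the firewall. Note that `permit ip any any` on OUTSIDE_IN is not what makes this work: the PIX was never given a reply to drop.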
19 years 1 month ago #10843
by Chris
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
Replied by Chris on topic Re: PIX 525 connectivity/routing problem
Great Cornholio,
Are you sure the 'permit ip' access list includes the ICMP protocol?
I never recall being able to do this with router IOS. In other words, you need to create a specific 'permit icmp' access list entry to be able to allow such packets to pass through.
I'm not sure what the deal is with the new Pix v7.
Considering that the Great Cornholio is correct regarding the access lists, then, as he suggests, the addition of the indicated static route entry in the 3800 router should do the job.
On the other hand, if the 'permit ip' statement in the PIX operating system does NOT include the icmp protocol (which seems more logical to me), you'll need to create an access list entry to allow icmp packets to pass from the outside interface to the inside.
Whichever the case, do let us know if you managed to resolve the issue.
Cheers,
19 years 1 month ago #10880
by benzy
Replied by benzy on topic Re: PIX 525 connectivity/routing problem
hello,
If I understand, this is the scenario:
Router <-> PIX <-> PC
I can see you have the whole IP stack (icmp, udp, tcp) open on the outside interface; therefore this eliminates the possibility of the return ICMP getting blocked.
Kindly do this:
On the PIX, from the config prompt, type:
debug icmp trace
Now this will tell you whether the ICMP reply for the request is actually coming back or not. If not,
then definitely either your router blocks the ICMP or it does not have the return route.
Add this:
ip route 10.168.2.0 255.255.255.0 10.168.253.253
See if this helps !
19 years 1 month ago #10961
by eeee
Replied by eeee on topic Re: PIX 525 connectivity/routing problem
I resolved this issue by placing a static route in the router:
ip route 10.168.2.0 255.255.255.0 10.168.253.253
It did the trick... thanks, TheeGreatCornholio.
Here are the logs from the PIX:
debug icmp trace enabled at level 1
ICMP echo request (len 32 id 512 seq 19712) 10.168.2.10 > 10.168.253.254
ICMP echo reply (len 32 id 512 seq 19712) 10.168.253.254 > 10.168.2.10
ICMP echo request (len 32 id 512 seq 19968) 10.168.2.10 > 10.168.253.254
ICMP echo reply (len 32 id 512 seq 19968) 10.168.253.254 > 10.168.2.10
ICMP echo request (len 32 id 512 seq 20224) 10.168.2.10 > 10.168.253.254
ICMP echo reply (len 32 id 512 seq 20224) 10.168.253.254 > 10.168.2.10
ICMP echo request (len 32 id 512 seq 20480) 10.168.2.10 > 10.168.253.254
ICMP echo reply (len 32 id 512 seq 20480) 10.168.253.254 > 10.168.2.10
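The `debug icmp trace` check benzy described, and the trace eeee posted after the fix, as an added example (not code from any post in this thread): it pairs each echo request with its reply by ICMP id and sequence number, so a broken return path shows up as a list of unanswered requests rather than something you eyeball. The "after" trace is the one posted above; the "before" trace is constructed to show the same ping with no replies coming back, which is what the PIX would have printed while the router still lacked the return route.

```python
# Added example (not from any post in this thread): pair ICMP echo requests
# with their replies in PIX 'debug icmp trace' output, so a one-way ping shows
# up as unanswered requests. TRACE_AFTER_FIX is the trace posted in the thread;
# TRACE_BEFORE_FIX is CONSTRUCTED to show the same ping when the router has no
# return route (requests leave the PIX, nothing comes back).
import re

TRACE_AFTER_FIX = """\
ICMP echo request (len 32 id 512 seq 19712) 10.168.2.10 > 10.168.253.254
ICMP echo reply (len 32 id 512 seq 19712) 10.168.253.254 > 10.168.2.10
ICMP echo request (len 32 id 512 seq 19968) 10.168.2.10 > 10.168.253.254
ICMP echo reply (len 32 id 512 seq 19968) 10.168.253.254 > 10.168.2.10
ICMP echo request (len 32 id 512 seq 20224) 10.168.2.10 > 10.168.253.254
ICMP echo reply (len 32 id 512 seq 20224) 10.168.253.254 > 10.168.2.10
ICMP echo request (len 32 id 512 seq 20480) 10.168.2.10 > 10.168.253.254
ICMP echo reply (len 32 id 512 seq 20480) 10.168.253.254 > 10.168.2.10
"""

# Constructed: what the trace looks like before the router has a return route.
TRACE_BEFORE_FIX = """\
ICMP echo request (len 32 id 512 seq 19712) 10.168.2.10 > 10.168.253.254
ICMP echo request (len 32 id 512 seq 19968) 10.168.2.10 > 10.168.253.254
ICMP echo request (len 32 id 512 seq 20224) 10.168.2.10 > 10.168.253.254
ICMP echo request (len 32 id 512 seq 20480) 10.168.2.10 > 10.168.253.254
"""

LINE = re.compile(
    r"ICMP echo (?P<kind>request|reply) \(len \d+ id (?P<id>\d+) seq (?P<seq>\d+)\) "
    r"(?P<src>\S+) > (?P<dst>\S+)"
)


def analyse_trace(trace):
    """Return matched request/reply pairs, requests that got no reply, and
    replies with no matching request. A request is keyed by (id, seq, src, dst);
    its reply carries the same id and seq with src and dst swapped."""
    pending, answered, stray = {}, [], []
    for m in LINE.finditer(trace):
        if m["kind"] == "request":
            pending[(m["id"], m["seq"], m["src"], m["dst"])] = m.group(0)
        else:
            req_key = (m["id"], m["seq"], m["dst"], m["src"])
            if req_key in pending:
                answered.append((pending.pop(req_key), m.group(0)))
            else:
                stray.append(m.group(0))
    return {"answered": answered, "unanswered": list(pending.values()), "stray_replies": stray}


def verdict(trace):
    """One-line diagnosis in the spirit of the thread's advice."""
    r = analyse_trace(trace)
    n_req = len(r["answered"]) + len(r["unanswered"])
    if n_req and not r["unanswered"]:
        return "all echoes answered"
    if n_req and not r["answered"]:
        return "no replies at all: check the router's return route or an ICMP filter on the far side"
    return f"{len(r['unanswered'])} of {n_req} echoes unanswered"


if __name__ == "__main__":
    for label, trace in (("before fix", TRACE_BEFORE_FIX), ("after fix", TRACE_AFTER_FIX)):
        r = analyse_trace(trace)
        print(f"{label}: {verdict(trace)}")
        for req in r["unanswered"]:
            print("  no reply for:", req)
```

Requests without replies point at the far side (return route or a filter on the router), while replies without a matching request on the PIX would mean the reply arrived for a flow the firewall never saw leave, which is worth knowing before touching the ACLs.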