
PIX 525 connectivity/routing problem

18 years 6 months ago #10739 by eeee
Hi,
I have a 525 PIX firewall running OS 7.0. I cannot ping through the firewall. The inside interface is connected to a PC, and I can ping it. The outside interface is connected to a Cisco 3845 router, and I can ping it. But for some reason I cannot ping the Cisco 3845 from the PC. And I am not trying to do a NAT configuration. What am I missing here? Here is my config; any help is appreciated very much. Thanks.



PIX Version 7.0(1)
names
!
interface Ethernet0
duplex full
nameif OUTSIDE
security-level 0
ip address 10.168.253.253 255.255.255.252
!
interface GigabitEthernet0
nameif INSIDE
security-level 100
ip address 10.168.2.2 255.255.255.0
!
enable password
passwd
hostname pixfirewall
domain-name default.domain.invalid
ftp mode passive
access-list INSIDE_IN extended permit ip any any
access-list INSIDE_IN extended permit tcp any any
access-list OUTSIDE_IN extended permit ip any any
access-list OUTSIDE_IN extended permit tcp any any
pager lines 24
logging enable
logging buffered informational
mtu OUTSIDE 1500
mtu INSIDE 1500
no failover
monitor-interface OUTSIDE
monitor-interface INSIDE
asdm image flash:/asdm-501.bin
no asdm history enable
arp timeout 14400
nat (INSIDE) 0 10.168.2.0 255.255.255.0
access-group OUTSIDE_IN in interface OUTSIDE
access-group INSIDE_IN in interface INSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 10.168.253.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.168.2.0 255.255.255.0 INSIDE
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
telnet 10.168.2.0 255.255.255.0 INSIDE
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
: end
18 years 6 months ago #10741 by MaXiMuS
Add this line to your configuration and see if it works now:

access-list OUTSIDE_IN extended permit icmp any any
18 years 6 months ago #10842 by TheeGreatCornholio
MaXiMuS... the permit IP rule includes ICMP, so that wouldn't make a difference.

Sounds like a routing problem... does your Cisco router have a static route back to the INSIDE subnet via the PIX outside interface IP address?

Add this to your router:

ip route 10.168.2.0 255.255.255.0 10.168.253.253

See if this does the trick.. if not, let me know and I'll dig deeper into your config.

tGc
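The return-route point above can be checked mechanically. This is an added example, not code from the thread or from Cisco: a longest-prefix-match lookup over a constructed routing table for the 3845, before and after the static route suggested above. The PC address 10.168.2.10 is the one that appears in the debug trace later in the thread; the upstream next hop of the default route is a placeholder, since the thread never states it.

```python
# Added example (not from the thread): a longest-prefix-match lookup that
# shows why the 3845 needs a static route back to the PIX INSIDE subnet.
import ipaddress

def lookup(routes, dst):
    """Return (network, next_hop) for the most specific route covering dst, or None."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best

# Constructed routing table for the 3845 before the fix: its connected link
# to the PIX OUTSIDE interface plus a default route to some upstream hop.
# The upstream address is a placeholder assumption, not a value from the thread.
ROUTER_BEFORE = [
    ("10.168.253.252/30", "connected"),
    ("0.0.0.0/0", "UPSTREAM_NEXT_HOP_PLACEHOLDER"),
]

# Same table after: ip route 10.168.2.0 255.255.255.0 10.168.253.253
ROUTER_AFTER = ROUTER_BEFORE + [("10.168.2.0/24", "10.168.253.253")]

PIX_OUTSIDE = "10.168.253.253"
PC = "10.168.2.10"  # PC address seen in the debug icmp trace later in the thread

def reply_next_hop(routes, dst=PC):
    """Where the router would forward an echo reply addressed to dst."""
    match = lookup(routes, dst)
    return match[1] if match else None

def return_path_ok(routes, dst=PC, expected=PIX_OUTSIDE):
    """True when the reply to dst is forwarded back through the PIX outside address."""
    return reply_next_hop(routes, dst) == expected

if __name__ == "__main__":
    for label, table in (("before", ROUTER_BEFORE), ("after", ROUTER_AFTER)):
        print(f"{label}: reply to {PC} -> {reply_next_hop(table)} "
              f"(back via PIX: {return_path_ok(table)})")
```

Before the static route exists, the only match for 10.168.2.10 is the default route, so the echo reply leaves toward the upstream hop and never reaches the PIX; the request side of the ping is fine, which is exactly the one-way symptom described in the first post. After the /24 is added it is the longest match and the reply goes back to 10.168.253.253.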
18 years 6 months ago #10843 by Chris
Great Cornholio,

Are you sure the 'permit ip' access list includes the ICMP protocol?

I never recall being able to do this with router IOS. In other words, you need to create a specific 'permit icmp' access list entry to be able to allow such packets to pass through.

I'm not sure what the deal is with the new Pix v7;

Considering the Great Cornholio is correct regarding the access lists, then as he suggests, the addition of the indicated static route entry in the 3800 router should do the job.

On the other hand, if the 'permit ip' statement in the PIX operating system does NOT include the icmp protocol (which seems more logical to me), you'll need to create an access list entry to allow icmp packets to pass from the outside interface to the inside.

Whichever the case, do let us know if you managed to resolve the issue.

Cheers,

Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
18 years 6 months ago #10880 by benzy
Hello,

If I understand correctly, this is the scenario:

Router <-> PIX <-> PC

I can see you have the whole IP stack (icmp, udp, tcp) open on the outside interface, therefore this eliminates the possibility of the return icmp getting blocked.

kindly do this-->

On Pix from config prompt type,

debug icmp trace

Now this will tell you whether the icmp reply for the request is actually coming back or not. If not,

then either your router definitely blocks the icmp, or it definitely does not have the return route.

Add this:

ip route 10.168.2.0 255.255.255.0 10.168.253.253

See if this helps !
18 years 6 months ago #10961 by eeee
I resolved this issue by placing a static route in the router:

ip route 10.168.2.0 255.255.255.0 10.168.253.253

It did the trick... thanks TheeGreatCornholio.

Here are the logs from the PIX:


debug icmp trace enabled at level 1
ICMP echo request (len 32 id 512 seq 19712) 10.168.2.10 > 10.168.253.254
ICMP echo reply (len 32 id 512 seq 19712) 10.168.253.254 > 10.168.2.10
ICMP echo request (len 32 id 512 seq 19968) 10.168.2.10 > 10.168.253.254
ICMP echo reply (len 32 id 512 seq 19968) 10.168.253.254 > 10.168.2.10
ICMP echo request (len 32 id 512 seq 20224) 10.168.2.10 > 10.168.253.254
ICMP echo reply (len 32 id 512 seq 20224) 10.168.253.254 > 10.168.2.10
ICMP echo request (len 32 id 512 seq 20480) 10.168.2.10 > 10.168.253.254
ICMP echo reply (len 32 id 512 seq 20480) 10.168.253.254 > 10.168.2.10
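The debug icmp trace output above is easy to read by eye for eight lines, but on a busy firewall it is not. This is an added example, not part of the thread or a Cisco tool: a small parser that pairs each echo request with its reply by (id, seq) and reports what never came back. With OUTSIDE_IN already permitting ip any any, a trace full of unanswered requests points at the return path (the missing static route in this thread) rather than at the PIX ACL. The working sample is the trace posted above; the broken sample is constructed to show what the trace would look like before the route was added.

```python
# Added example (not from the thread): pair the echo requests and replies in
# a PIX "debug icmp trace" capture so that unanswered requests stand out.
import re

LINE_RE = re.compile(
    r"ICMP echo (?P<kind>request|reply) \(len \d+ id (?P<id>\d+) seq (?P<seq>\d+)\) "
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+)"
)

def pair_echo_trace(lines):
    """Return {'answered', 'unanswered', 'stray_replies'} keyed by (id, seq).

    A reply only counts as an answer when it reverses the src/dst of a
    pending request with the same id and seq; anything else is a stray.
    """
    pending = {}
    answered, stray = [], []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # "debug icmp trace enabled ..." and other chatter
        key = (int(m["id"]), int(m["seq"]))
        if m["kind"] == "request":
            pending[key] = (m["src"], m["dst"])
        elif pending.get(key) == (m["dst"], m["src"]):
            del pending[key]
            answered.append(key)
        else:
            stray.append(key)
    return {"answered": answered, "unanswered": sorted(pending), "stray_replies": stray}

def diagnose(lines):
    """Verdict: 'ok', 'partial', or 'no replies' (check the return route upstream)."""
    r = pair_echo_trace(lines)
    if r["unanswered"] and not r["answered"]:
        return "no replies"
    if r["unanswered"]:
        return "partial"
    return "ok"

# Sample 1: the trace posted in the thread after the static route was added.
WORKING_TRACE = """\
debug icmp trace enabled at level 1
ICMP echo request (len 32 id 512 seq 19712) 10.168.2.10 > 10.168.253.254
ICMP echo reply (len 32 id 512 seq 19712) 10.168.253.254 > 10.168.2.10
ICMP echo request (len 32 id 512 seq 19968) 10.168.2.10 > 10.168.253.254
ICMP echo reply (len 32 id 512 seq 19968) 10.168.253.254 > 10.168.2.10
ICMP echo request (len 32 id 512 seq 20224) 10.168.2.10 > 10.168.253.254
ICMP echo reply (len 32 id 512 seq 20224) 10.168.253.254 > 10.168.2.10
ICMP echo request (len 32 id 512 seq 20480) 10.168.2.10 > 10.168.253.254
ICMP echo reply (len 32 id 512 seq 20480) 10.168.253.254 > 10.168.2.10
"""

# Sample 2 (constructed, not from the thread): what the trace looks like when
# the router has no route back to 10.168.2.0/24 -- requests go out, nothing returns.
BROKEN_TRACE = """\
debug icmp trace enabled at level 1
ICMP echo request (len 32 id 512 seq 19712) 10.168.2.10 > 10.168.253.254
ICMP echo request (len 32 id 512 seq 19968) 10.168.2.10 > 10.168.253.254
"""

if __name__ == "__main__":
    for name, text in (("working", WORKING_TRACE), ("broken", BROKEN_TRACE)):
        print(name, diagnose(text.splitlines()), pair_echo_trace(text.splitlines()))
```

Run it against a pasted trace and look at the unanswered list first: every entry there is a request the PIX forwarded and never saw answered, which is the benzy post's "is the reply actually coming back" question answered from the log itself.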