topic Re: Noob question: IP routing [PIX515E] in Network Security

Noob question: IP routing [PIX515E]

nateleduc — Tue, 12 Mar 2019 01:21:45 GMT

Forgive me for I know this is probably Routing 101.

I know it has to do something with routing, but can't seem to figure out why it isn't working.

PIX Version 7.1(2)

hostname PIX515E

domain-name LEDUC.LOCAL

enable password KImMvv.HAzqvR6HP encrypted

names

interface Ethernet0

nameif outside

security-level 0

ip address 192.168.0.2 255.255.255.0

interface Ethernet1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

dns server-group DefaultDNS

domain-name LEDUC.LOCAL

pager lines 24

mtu outside 1500

mtu inside 1500

no asdm history enable

arp timeout 14400

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

service-policy global_policy global

Cryptochecksum:b7e0f1e67acdbeccf8d614f5ac31faf4

: end

I can't ping from 192.168.1.0 network. I can ping 192.168.0.2, but nothing past it. I'm having the same issue on my 2600.

Any advice?

Re: Noob question: IP routing [PIX515E]

Julio Carvajal — Sat, 30 Mar 2013 22:37:27 GMT

Hello Nathan,

So you cant ping from 192.168.1.0/24 to the internet right?

Add the following and let me know

fixup protocol ICMP

If it works then I will explain you know what you were missing

Regards

Re: Noob question: IP routing [PIX515E]

Jouni Forss — Sat, 30 Mar 2013 22:38:55 GMT

Hi,

If you want the 2 networks to communicate between eachother directly without any NAT then I would suggest adding the following configurations

ICMP Inspection

policy-map global_policy

class inspection_default

inspect icmp

NAT0 Between the Networks

access-list INSIDE-NAT0 permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0

nat (inside) 0 access-list INSIDE-NAT0

Allow ICMP from Outside to Inside

access-list OUTSIDE-IN permit icmp 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

access-group OUTSIDE-IN in interface outside

This should enable ICMP between both of the private networks. If you want something else done please clarify.

- Jouni

Re: Noob question: IP routing [PIX515E]

nateleduc — Sat, 30 Mar 2013 22:42:07 GMT

I have a a device (filter/NAT) at 192.168.0.1, I can't ping it from the 192.168.1.0 network. I have a NAT already set up, I don't want to have two setup unless it's needed.

Also adding "fixup protocol icmp " returned with

INFO: converting 'fixup protocol icmp ' to MPF commands

Still not able to

Re: Noob question: IP routing [PIX515E]

Jouni Forss — Sat, 30 Mar 2013 22:44:30 GMT

Hi,

The above configuration removes NAT between these 2 networks.

If you want that the LAN network of 192.168.1.0/24 isnt NATed at all to any destination network (and the router would do the actual NAT) then you can modify the above configuration like this

access-list INSIDE-NAT0 permit ip 192.168.1.0 255.255.255.0 any

nat (inside) 0 access-list INSIDE-NAT0

Because of you "security-level" values the traffic fron "inside" to "outside" should already be allowed.

If you want to confirm it with ACL you can always add

access-list INSIDE-IN remark Allow All Traffic from LAN

access-list INSIDE-IN permit ip 192.168.1.0 255.255.255.0 any

access-group INSIDE-IN in interface inside

- Jouni

Re: Noob question: IP routing [PIX515E]

Jouni Forss — Sat, 30 Mar 2013 22:49:17 GMT

Also,

You dont have a default route configured though it shouldnt affect pinging directly connected networks

route outside 0.0.0.0 0.0.0.0 192.168.0.1

Though you naturally need it for any traffic headed off your network

- Jouni

Re: Noob question: IP routing [PIX515E]

Julio Carvajal — Sat, 30 Mar 2013 22:51:23 GMT

Hello,

Can you ping the default gateway or the device provided by your ISP IP address from the ASA itself??

Can you ping from a PC on the inside to the ASA inside interface?

Can you ping from a PC to the default gateway or the ISP IP device address?

Regards

Re: Noob question: IP routing [PIX515E]

nateleduc — Sat, 30 Mar 2013 23:46:51 GMT

Thank you all for the replies, I appreciate them all. Here is a what my network looks like

ISP

Eth0 - DHCP

Eth1 -192.168.0.1

eth0 - 192.168.0.2

eth1 - 192.168.1.1

eth0 - 192.168.1.2

eth1 - 192.168.3.1

I can ping 192.168.1.1 from the 2600, although I can't ping 192.168.0.2 or 192.168.0.1.

The filter (192.168.0.1) doesn't have any problems and passes through traffic no problem. I've tested it alone.

I added route outside 0.0.0.0 0.0.0.0 192.168.0.1 in the PIX515E

From the PIX I can ping 192.168.0.1 and 192.168.1.2.

From the 2600 I can ping 192.168.1.1 but not 192.168.0.2

confusion, confusion everywhere.

Re: Noob question: IP routing [PIX515E]

Jouni Forss — Sat, 30 Mar 2013 23:55:36 GMT

Hi,

To my understanding you shouldnt be able to PING an PIX interface IP address from behind anywhere else other than that said interface. That is why your statement that you can ping the 192.168.0.2 from the 2600 seems strange to me.

If you have one more network behind the PIX you will naturally need a route for it on the PIX also

route inside 192.168.3.0 255.255.255.0 192.168.1.2

Also you would have to make NAT0 rules for that network also just like with the 192.168.1.0/24 network.

Though if I understood you correctly this wasnt the problem.

I would check that all the needed static routes are in place and that you have done the above suggest configurations. Maybe you can copy/paste your current configuration here again.

- Jouni

Message was edited by: Jouni Forss

Re:Noob question: IP routing [PIX515E]

Julio Carvajal — Sun, 31 Mar 2013 00:20:34 GMT

Hello,

Sorry folk I just dont get it. Is there a way you could set a diagram so Jounni and I can have a better picture of how your network look like...

Re: Noob question: IP routing [PIX515E]

nateleduc — Sun, 31 Mar 2013 04:53:49 GMT

This should do, see attached.

From the PIX I can ping 192.168.0.1 and 192.168.1.2.

From the 2600 I can ping 192.168.1.1 but not 192.168.0.2

Pretty much ignore the 192.168.2.X network for now. I'll get to that later.

Re: Noob question: IP routing [PIX515E]

nateleduc — Sun, 31 Mar 2013 04:55:18 GMT

for the 2600:

Building configuration...

Current configuration : 695 bytes

version 12.3

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

hostname 2600

boot-start-marker

boot-end-marker

enable secret 5 $1$bmO1$/LuQ62za7Clv79MMfG1FR/

enable password cisco2600

no aaa new-model

ip subnet-zero

no ip routing

no ip cef

interface FastEthernet0/0

ip address 192.168.1.2 255.255.255.0

no ip route-cache

speed auto

half-duplex

no cdp enable

interface FastEthernet1/0

ip address 192.168.3.1 255.255.255.0

no ip route-cache

duplex auto

speed auto

no cdp enable

ip http server

ip classless

line con 0

exec-timeout 0 0

line aux 0

line vty 0 4

password ******

end

and the PIX

Building configuration...

Current configuration : 695 bytes

version 12.3

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

hostname 2600

boot-start-marker

boot-end-marker

enable secret 5 $1$bmO1$/LuQ62za7Clv79MMfG1FR/

enable password cisco2600

no aaa new-model

ip subnet-zero

no ip routing

no ip cef

interface FastEthernet0/0

ip address 192.168.1.2 255.255.255.0

no ip route-cache

speed auto

half-duplex

no cdp enable

interface FastEthernet1/0

ip address 192.168.3.1 255.255.255.0

no ip route-cache

duplex auto

speed auto

no cdp enable

ip http server

ip classless

line con 0

exec-timeout 0 0

line aux 0

line vty 0 4

password *******

end

For the PIX515E

: Saved

PIX Version 7.1(2)

hostname PIX515E

domain-name LEDUC.LOCAL

enable password KImMvv.HAzqvR6HP encrypted

names

interface Ethernet0

duplex full

nameif outside

security-level 0

ip address 192.168.0.2 255.255.255.0

interface Ethernet1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

dns server-group DefaultDNS

domain-name LEDUC.LOCAL

pager lines 24

mtu outside 1500

mtu inside 1500

no asdm history enable

arp timeout 14400

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

service-policy global_policy global

Cryptochecksum:b7e0f1e67acdbeccf8d614f5ac31faf4

: end

Re: Noob question: IP routing [PIX515E]

Julio Carvajal — Sun, 31 Mar 2013 07:20:14 GMT

Hello Nathan,

From the 2600 you should be able to ping 192.168.0.1, Are you able to do it???

You will never be able to ping 192.168.0.2 as it's a far end interface,

"For security purposes the security appliance does not support far-end interface ping, that is pinging the IP address of the outside interface from the inside network."

Source: http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/trouble.html

Now you need to add the following:

On the PIX:

policy-map global_policy

class inspection_default

inspect icmp

exit

route outside 0 0 Default_gateway_ip_address

On the 2600

ip routing

Ip route 0 0 192.168.1.1

interface fast 0/0

ip route-cache

interface fast 1/0

ip route-cache

Regards

Noob question: IP routing [PIX515E]

nateleduc — Sun, 31 Mar 2013 15:57:20 GMT

I'm removing the 2600, as it doesn't serves a purpose anymore. I still cannot ping 192.168.0.2. Here is my current config

: Saved

PIX Version 7.1(2)

hostname PIX515E

domain-name LEDUC.LOCAL

enable password KImMvv.HAzqvR6HP encrypted

names

interface Ethernet0

duplex full

nameif outside

security-level 0

ip address 192.168.0.2 255.255.255.0

interface Ethernet1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

dns server-group DefaultDNS

domain-name LEDUC.LOCAL

pager lines 24

mtu outside 1500

mtu inside 1500

no asdm history enable

arp timeout 14400

route outside 0.0.0.0 0.0.0.0 192.168.0.2 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

inspect icmp

service-policy global_policy global

Cryptochecksum:b7e0f1e67acdbeccf8d614f5ac31faf4

: end

From my workstation I can ping 192.168.1.1 , but nothing further

Re: Noob question: IP routing [PIX515E]

Jouni Forss — Sun, 31 Mar 2013 16:06:05 GMT

Hi,

Have you tried addint the NAT0 rules I suggested originally?

I mean the rules that will tell the PIX that it isnt supposed to do any NAT on the traffic. From what I understood the device infront of the PIX handles the NAT

So lets say you want the network 192.168.1.0/24 to go through the PIX wihtout any NAT then you could configure this

access-list INSIDE-NAT0 remark NO NAT for LAN network

access-list INSIDE-NAT0 permit ip 192.168.1.0 255.255.255.0 any

nat (inside) 0 access-list INSIDE-NAT0

If I understood the situation correctly you now only have the switch and workstation(s) behind the PIX "inside" interface? If there is only the network 192.168.1.0/24 behind the PIX then that above NAT0 configuration should be enough.

Also your default route shouldnt point to the device itself

no route outside 0.0.0.0 0.0.0.0 192.168.0.2 1

route outside 0.0.0.0 0.0.0.0 192.168.0.1 1

And as I and Julio have said. You will never be able to ping the PIX "outside" interface IP address from behind the "inside" of the PIX.

- Jouni

Noob question: IP routing [PIX515E]

nateleduc — Sun, 31 Mar 2013 16:24:55 GMT

Just to be clear, I will won't be able to ping 192.168.0.2, although I should be able to ping 192.168.0.1

I added the above with no luck:

: Saved

PIX Version 7.1(2)

hostname PIX515E

domain-name LEDUC.LOCAL

enable password KImMvv.HAzqvR6HP encrypted

names

interface Ethernet0

duplex full

nameif outside

security-level 0

ip address 192.168.0.2 255.255.255.0

interface Ethernet1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

dns server-group DefaultDNS

domain-name LEDUC.LOCAL

access-list INSIDE-NAT0 remark NO NAT for LAN network

access-list INSIDE-NAT0 extended permit ip 192.168.1.0 255.255.255.0 any

pager lines 24

mtu outside 1500

mtu inside 1500

no asdm history enable

arp timeout 14400

nat (inside) 0 access-list INSIDE-NAT0

route outside 0.0.0.0 0.0.0.0 192.168.0.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

inspect icmp

service-policy global_policy global

Cryptochecksum:b7e0f1e67acdbeccf8d614f5ac31faf4

: end

"If I understood the situation correctly you now only have the switch and workstation(s) behind the PIX "inside" interface? If there is only the network 192.168.1.0/24 behind the PIX then that above NAT0 configuration should be enough."

~Correct, the network is as follows

Filter <-> PIX515E <-> switch

with the switch being on the 192.168.1.0/24 network

FYI, I can't ping anything past 192.168.1.1

Re: Noob question: IP routing [PIX515E]

Jouni Forss — Sun, 31 Mar 2013 16:28:44 GMT

Ok,

At the moment I dont see a reason for this in the PIX configuration.

Could you make sure that the Filter Device has a route for the network 192.168.1.0/24 pointing towards 192.168.0.2?

This is because when a host from the address for example 192.168.1.100 sends ICMP to 192.168.0.1 there will be NO NAT as we configured. Therefore the Filter Device will need to have a return route for the ICMP traffic

So could you make sure that the Filter Device has a route for 192.168.1.0/24 pointing towards the PIX "outside" interface IP 192.168.0.2

- Jouni

Noob question: IP routing [PIX515E]

nateleduc — Sun, 31 Mar 2013 16:37:36 GMT

Forgive me for my ignorance, But the filter works fine on its own, meaning if I plug up a workstation to eth1 (192.168.0.1) and give it a static IP it passes throguh traffic and responds to pings.

Okay so basicly I need to ssh into my filter and add a return path to the 192.168.1.x network correct?

What I'm getting at is possible a triangular routing problem

Re: Noob question: IP routing [PIX515E]

Jouni Forss — Sun, 31 Mar 2013 16:45:47 GMT

Hi,

If you have a host directly connected to the Filter Device (which to my understanding is your Internet edge device) then there is naturally no problem with the connectivity of the host and the Filter Device as they are connected to the same network 192.168.0.0/24. They both see the network as directly connected so naturally they can communicate.

Now when you have added the PIX to the setup and you have an additional network of 192.168.1.0/24 behind the PIX then naturally the Filter Device needs to have a route for the network 192.168.1.0/24 because otherwise it is just going to forward all traffic towards its default route which I imagine is the default route to the Internet/ISP

So to my understanding if you dont already have a route for the network 192.168.1.0/24 configured on the Filter Device then you have to add that to the device and point that route towards the PIX "outside" interface IP address of 192.168.0.2. Otherwise the traffic simply wont work from the workstation to the Filter Device WHEN the PIX is connected to the network.

- Jouni

Re: Noob question: IP routing [PIX515E]

Julio Carvajal — Sun, 31 Mar 2013 17:27:16 GMT

Hello Nathan,

Agree with Jouni,

It got to be that the Filter device does not have a route back to you,

If by any chance you do not know how to create a route on that layer 3 device do the following and let us know

nat (inside) 1 0 0

global (outside) 1 interface

With this all traffic being source from the Inside interface when reaching another host on the outside interface it will look like the outside interface IP address, then the filter will be able to route the traffic back as it knows where the outside interface it's ( On one of it's directly connected networks)

Regards