topic PIX ping Internal subnet in Network Security

PIX ping Internal subnet

casaic2it — Tue, 12 Mar 2019 00:47:53 GMT

I have a network with multiple subnet, when I put the ip adress of pix as a gateway, I can not ping the others IP subnets, the ping to outside is correct, and the ping works in the same subnet. Internet connection works, my need is only permit ping between subnets when the inside IP the pix is used as a gateway? thank you for your help.

PIX ping Internal subnet

Jouni Forss — Wed, 16 Jan 2013 13:42:08 GMT

Hi,

If possible, can you share the PIX configurations and give example IP addresses for both source and destination of the ICMP/PING so we can correctly go through your configuration and determine the cause of the problem.

Most common reason would naturally be ACL rules, ICMP inspection/fixup, NAT configurations.

- Jouni

PIX ping Internal subnet

casaic2it — Wed, 16 Jan 2013 13:56:59 GMT

pixfirewall# sh run

: Saved

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

hostname pixfirewall

domain-name ciscopix.com

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol rtsp 10000-20000

fixup protocol rtsp 30000-40000

fixup protocol sip 5001

fixup protocol sip 5060

fixup protocol sip 5061

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

name 192.168.200.0 Avaya

name 208.65.153.251 youtube

object-group service Blocked-UDP-Ports udp

description All ports blocked for Bit Torrent UDP

port-object range 10001 65535

port-object range 1024 1193

port-object range 1195 9999

object-group service BitTorrent-Tracker tcp

description TCP Ports used by Bit Torrent for tracker communication

port-object eq 2710

port-object range 6881 6999

access-list 100 permit tcp any host 181.92.15.186 eq smtp

access-list 100 permit icmp any any echo-reply

access-list 100 permit icmp any any time-exceeded

access-list 100 permit icmp any any unreachable

access-list 100 permit tcp any any eq 3230

access-list 100 permit tcp any any eq 3290

access-list 100 permit udp any any eq 3290

access-list 100 permit udp any any eq 3230

access-list 100 permit tcp any host 141.37.165.125 eq smtp

access-list 100 permit udp host 172.19.44.13 any eq domain

access-list 100 permit tcp host 172.19.44.13 any eq domain

access-list 100 permit tcp host 172.19.44.13 any eq smtp

access-list 100 permit tcp any host 141.37.165.123 eq www

access-list 100 permit tcp any host 141.37.165.123 eq smtp

access-list 100 permit udp host 172.19.44.173 any eq domain

access-list 100 permit tcp host 172.19.44.173 any eq www

access-list 100 permit tcp host 172.19.44.173 any eq smtp

access-list 100 permit tcp any host 172.19.44.173 eq www

access-list 100 permit udp any any eq 33434

access-list 100 permit tcp host 172.19.44.13 any eq pop3

access-list 10 deny ip 192.168.201.0 255.255.255.0 host 218.65.153.253

access-list 131 permit host 192.168.201.101

access-list 99 permit ip any host 78.37.108.14

access-list 99 permit ip host 178.37.18.14 any

access-list 99 permit tcp any host 141.37.65.125 eq www

access-list 99 permit icmp any any echo-reply

access-list 99 permit tcp any host 141.37.65.123 eq https

access-list 99 permit tcp any host 141.37.65.123 eq smtp

access-list 99 permit tcp any host 141.37.65.123 eq pop3

access-list 111 permit ip any any

access-list 111 permit icmp any any

no pager

icmp permit any outside

icmp permit any inside

mtu outside 1500

mtu inside 1500

ip address outside 198.122.235.17 255.255.255.252

ip address inside 172.19.44.253 255.255.252.0

ip audit info action alarm

ip audit attack action alarm

pdm location 192.168.2.3 255.255.255.255 inside

pdm location 192.168.201.251 255.255.255.255 inside

pdm location Avaya 255.255.255.0 inside

pdm location 18.15.153.238 255.255.255.255 outside

pdm location 18.15.153.253 255.255.255.255 outside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) 41.13.165.125 172.19.44.173 netmask 255.255.255.255 0 0

static (inside,outside) 41.13.165.123 172.19.44.13 netmask 255.255.255.255 0 0

access-group 99 in interface outside

routing interface inside

route outside 0.0.0.0 0.0.0.0 196.12.235.118 1

route inside 10.0.44.0 255.255.252.0 172.19.44.254 2

route inside 10.0.52.0 255.255.252.0 172.19.44.254 1

route inside 10.148.242.0 255.255.255.0 172.19.44.254 1

route inside 10.148.242.10 255.255.255.255 172.19.44.254 1

route inside 172.19.48.0 255.255.252.0 172.19.44.254 1

route inside 192.168.57.0 255.255.255.0 172.19.44.254 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

floodguard enable

sysopt connection permit-pptp

sysopt connection permit-l2tp

pixfirewall#

the inside ip address is 172.19.44.251.

thx.

PIX ping Internal subnet

Jouni Forss — Wed, 16 Jan 2013 14:28:14 GMT

Hi,

I'm not sure if the "fixup protocol icmp" would help in this situation.

Usually with "newer" softwares (minimum 7.0 software on the PIX) this might be achieved with "same-security-traffic permit" commands since in your situation the traffic is first entering the PIX and then its supposed to continue back through the same interface to the other local subnet.

I'm not totally sure what the configuration format would be for 6.3 to get this working or if its even possible in this case. I might be able to test this at some point with some of our older PIX firewalls.

Best situation would ocfourse be if all the hosts were connected to the router behind the PIX firewall and routing between the local subnets were handled there. Now it seems you have one big subnet between the PIX and the LAN router.

So I'd imagine your main problem is the fact that PIX firewalls (and Cisco Firewalls in general) dont like a setup where the traffic enters and leaves the same interface. In this case the "inside"

- Jouni

PIX ping Internal subnet

casaic2it — Wed, 16 Jan 2013 15:51:55 GMT

yes, exactly.

thx a lot, i will wait your test. i have another asa 5510 with the same problem, i will test

same-security-traffic permit" command and let you know.

ICTMAN

PIX ping Internal subnet

Jouni Forss — Wed, 16 Jan 2013 15:54:31 GMT

Hi,

The command I mentioned isnt the full command.

There are 2 different settings you can enable on the firewall with proper software level.

They are

same-security-traffic permit inter-interface = This will enable traffic between interfaces with same "security-level" value
same-security-traffic permit intra-interface = This will enable traffic to enter and leave through the same interface

- Jouni