topic Re: Nested Firewalls in Network Security

Nested Firewalls

danbryan80 — Mon, 11 Mar 2019 22:54:54 GMT

I am not able to ping a public IP address of 4.2.2.2 from a device on my network. Does anyone have Ideas what could be preventing this?

A little about my network:

ISP > Pix 515 > Switch > Pix 501 > Device

Pix 515

outside dhcp setroute

inside(10.100.60.1/16)

Switch

--All Users except pix 501 are connected to it recieve an IP address and are able to ping 4.2.2.2

Pix 501

outside dhcp setroute

inside (172.16.0.1/24)

Pix recieved a 10.100.60.0 /16 address.

Pix is able to ping 10.100.60.1

Pix is NOT ABLE to ping 4.2.2.2

===PING TEST===

DansFW(config)# ping 10.100.60.1

10.100.60.1 response received -- 0ms

DansFW(config)# ping 4.2.2.2

4.2.2.2 NO response received -- 1000ms

===ROUTING INFO===

DansFW(config)# show route

outside 0.0.0.0 0.0.0.0 10.100.60.1 1 DHCP static

outside 10.100.0.0 255.255.0.0 10.100.60.23 1 CONNECT static

inside 172.16.0.0 255.255.255.0 172.16.0.1 1 CONNECT static

=====CONFIG ===

https://gist.github.com/2406839

Re: Nested Firewalls

Jouni Forss — Tue, 17 Apr 2012 16:43:35 GMT

Hi,

Since you have the PIX501 on the LAN and not directly facing the Internet can you try adding the command and try again.

icmp permit any outside

If you want to be more specific the command format is

icmp permit

- Jouni

Re: Nested Firewalls

danbryan80 — Tue, 17 Apr 2012 20:52:33 GMT

Thanks for the suggestion, but it appears to be the same.

DansFW(config)# icmp permit any outside

DansFW(config)# ping 4.2.2.2

4.2.2.2 NO response received -- 1000ms

DansFW(config)# ping 10.100.60.1

10.100.60.1 response received -- 0ms

Re: Nested Firewalls

Jouni Forss — Tue, 17 Apr 2012 23:18:52 GMT

Hi,

Have you enabled "inspect icmp" in the PIX515?

And have you also allowed ICMPs in the PIX515 access-list?

- Jouni

Re: Nested Firewalls

danbryan80 — Wed, 18 Apr 2012 14:29:50 GMT

Its a Pix 501, and it doesnt seem to support the command inspect. It is however passing data. I hooked a client up to it and the client is able to browse. Just ping seems to fail.

Re: Nested Firewalls

Jouni Forss — Wed, 18 Apr 2012 15:43:32 GMT

Hi,

I meant the PIX515 at the edge of the network. Aint the PIX501 behind it?

Though now that I think of it I guess you already have the "inspect icmp" rule enabled on the PIX515 if the hosts on its inside can ping the address you mentioned? Aint the users in the same network as PIX501 outside interface?

Have you been checking the logs on the PIX515 to see if theres any echo replies coming from the target IP address?

I'm not totally sure if an old PIX501 has any addiotional configurations needed to allow ICMP when your using its interface to ping something instead of a host behind it.

I think though that theres guides on how to configure the PIX to handle ICMP

Have you tried to attach an access-list on the outside interface of the PIX501 in the direction "in" and allowing ICMP to the outside interface? Or if you have an access-list already configured, add a permit line to it.

- Jouni