topic Issue w/ allowing ping through PIX Firewall 515E - No NAT needed in Network Security

Issue w/ allowing ping through PIX Firewall 515E - No NAT needed

SamanthaDS — Mon, 11 Mar 2019 18:49:33 GMT

Hello,

I have a Cisco PIX firewall 515E version 6.3 connected on one interface (eth1) to a linux PC (200.0.10.5 in subnet 200.0.10.0/24) and on the other (eth0) to a SoHo router (interface IP 200.0.11.2 in network 200.0.11.0/24 - behind the router is the network 200.0.12.0/24). I would like to allow ping through it and I don't want to perform NAT.

So I went on Cisco.com and did exactly what is described here: T wo interfaces without NAT... but I doesn't work.

Here is my config:

pixfirewall# sh ru
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
logging buffered debugging
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 200.0.11.1 255.255.255.0
ip address inside 200.0.10.1 255.255.255.0
no ip address intf2
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm history enable
arp timeout 14400
nat (inside) 0 200.0.11.0 255.255.255.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 200.0.11.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:a6a630892bef2247cecfd7667cf871a9
: end

The LINK llights are ON.
The router is, I believe, properly configured.
Help please ?

Re: Issue w/ allowing ping through PIX Firewall 515E - No NAT ne

Namit Agarwal — Mon, 04 Oct 2010 12:36:42 GMT

Hi Samantha,

Do you want the pings to be initiated only from one of the networks. Or you want the 200.0.10.0/24 to be able to ping 200.0.11.0/24 and 200.0.12.0/24 and vice versa.

Thanks,

Namit

Re: Issue w/ allowing ping through PIX Firewall 515E - No NAT ne

SamanthaDS — Mon, 04 Oct 2010 12:42:21 GMT

Hi Namit,

I would like to allow icmp resquest (and replies) in both ways.

Thanks in advance for your help.

Re: Issue w/ allowing ping through PIX Firewall 515E - No NAT ne

Shilpa Gupta — Mon, 04 Oct 2010 12:45:27 GMT

Hi,

You can try configuring nat exempt as follows:-

access-list nonat permit ip 200.0.10.0 255.255.255.0 200.0.12.0 255.255.255.0

nat (inside) 0 access-list nonat

As for the traffic coming from low security level to high i.e from 200.0.12.0 network to 200.0.10.0 , you need to specify an access-list on the outside interface which allows the traffic from 200.0.12.0 to 200.0.10.0.

Also add "fixup protocol icmp " to allow the reply traffic when its gets initiated from high to low.

Following are command refrence links:-

NAT

http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/mr.html#wp1032129

Access-list

http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/ab.html#wp1067755

I hope it helps.

Thanks,

Shilpa

Re: Issue w/ allowing ping through PIX Firewall 515E - No NAT ne

Namit Agarwal — Mon, 04 Oct 2010 12:46:43 GMT

Hi Samantha,

The default behavior of the firewall is that the Inbound ICMP through the PIX is denied by default; outbound ICMP is permitted, but the incoming reply is denied by default.So to be able to allow the ping from the network behind the outside interface we need a matching NAT statement and an ACL (which is already in place using conduit ). Please take a look at the following link, hope it helps http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#topic3

Cheers,

Namit

Re: Issue w/ allowing ping through PIX Firewall 515E - No NAT ne

SamanthaDS — Mon, 04 Oct 2010 13:12:07 GMT

Hi again,

Refering to your link I saw I missed the static line entry... As I don't perform NAT I added this to my config:

static (inside,outside) 200.0.10.5 200.0.10.5 netmask 255.255.255.255 0 0

Unfortunatly it still doesn't work... Any other clue ?
Thanks.

Re: Issue w/ allowing ping through PIX Firewall 515E - No NAT ne

SamanthaDS — Mon, 04 Oct 2010 13:13:23 GMT

Hi Shilpa,

I tired your solution as well but it still doesn't work...

Re: Issue w/ allowing ping through PIX Firewall 515E - No NAT ne

Namit Agarwal — Mon, 04 Oct 2010 13:21:14 GMT

Hi Samantha,

Please run the following command on the PIX "debug icmp trace" when you initiate pings and paste the output.

Thanks,

Namit

Re: Issue w/ allowing ping through PIX Firewall 515E - No NAT ne

Shilpa Gupta — Mon, 04 Oct 2010 13:22:32 GMT

Hi,

If you have added the static command for 200.0.10.0 network, could you please try add static command for 200.0.12.0 netwok on the device.

and also are you performing any kind of nat on router?

Thanks,

Shilpa

Re: Issue w/ allowing ping through PIX Firewall 515E - No NAT ne

SamanthaDS — Mon, 04 Oct 2010 13:31:25 GMT

So I ran the "debug icmp trace" command and here is what happenned.

When I tried to ping from the inside (from 200.0.10.5) to the firewall interfaces (200.0.10.1 and 200.0.11.1) or the router (200.0.11.2), nothing appeared on the firewall console.

After that I tried to ping from the firewall and this appeared on the console :

pixfirewall(config)# debug icmp trace
ICMP trace on
Warning: this may cause problems on busy networks
pixfirewall(config)# ping 200.0.10.5
1: ICMP echo request (len 32 id 9233 seq 0) 200.0.10.1 > 200.0.10.5
        200.0.10.5 NO response received -- 1000ms
2: ICMP echo request (len 32 id 9233 seq 1) 200.0.10.1 > 200.0.10.5
        200.0.10.5 NO response received -- 1000ms
3: ICMP echo request (len 32 id 9233 seq 2) 200.0.10.1 > 200.0.10.5
        200.0.10.5 NO response received -- 1000ms
pixfirewall(config)# ping 200.0.12.1
4: ICMP echo request (len 32 id 9233 seq 0) 200.0.11.1 > 200.0.12.1
        200.0.12.1 NO response received -- 1000ms
5: ICMP echo request (len 32 id 9233 seq 1) 200.0.11.1 > 200.0.12.1
        200.0.12.1 NO response received -- 1000ms
6: ICMP echo request (len 32 id 9233 seq 2) 200.0.11.1 > 200.0.12.1
        200.0.12.1 NO response received -- 1000ms
pixfirewall(config)# ping 200.0.11.2
7: ICMP echo request (len 32 id 9233 seq 0) 200.0.11.1 > 200.0.11.2
        200.0.11.2 NO response received -- 1000ms
8: ICMP echo request (len 32 id 9233 seq 1) 200.0.11.1 > 200.0.11.2
        200.0.11.2 NO response received -- 1000ms
9: ICMP echo request (len 32 id 9233 seq 2) 200.0.11.1 > 200.0.11.2
        200.0.11.2 NO response received -- 1000ms

I have to add that I cleared the arp table of the firewall and whenever I tried to ping from the inside, the arp table is updated with new entries (even though I don't receive icmp replies).

Re: Issue w/ allowing ping through PIX Firewall 515E - No NAT ne

SamanthaDS — Mon, 04 Oct 2010 13:35:25 GMT

I don't perform NAT on the router.

I'm not sure to understand your proposition about the static command... the only thing I added so far was for the host 200.0.10.5

static (inside,outside) 200.0.10.5 200.0.10.5 netmask 255.255.255.255 0 0

Re: Issue w/ allowing ping through PIX Firewall 515E - No NAT ne

Namit Agarwal — Mon, 04 Oct 2010 13:36:59 GMT

Hi Samantha,

Please add the following commands and try

icmp permit 0 0 outside

icmp permit 0 0 inside

Cheers,

Namit

Re: Issue w/ allowing ping through PIX Firewall 515E - No NAT ne

Namit Agarwal — Mon, 04 Oct 2010 13:38:17 GMT

Hi Samantha,

Please add the following commands and try. If it does not work please paste the debugs again after adding these commands.

icmp permit 0 0 outside

icmp permit 0 0 inside

Cheers,

Namit

Re: Issue w/ allowing ping through PIX Firewall 515E - No NAT ne

Shilpa Gupta — Mon, 04 Oct 2010 13:42:00 GMT

We sometime add self static translation for both source and destination.

So we added for source and I wanted you to test it by adding the static for destination as well.

As from the debugs, I understand that when you ping from the PIX to any host on 200.0.12.0/24, you are not able to see any response.

First of all try to ping the host in 200.0.12.0/24 network from the router itself and then check if you have any access-list configured on the router which might be blocking the traffic.

I hope it helps.

Thanks,

Shilpa

Re: Issue w/ allowing ping through PIX Firewall 515E - No NAT ne

SamanthaDS — Mon, 04 Oct 2010 13:43:30 GMT

I add those two entries to the config and tried to ping again but it still does'nt work. I got the same as before

Re: Issue w/ allowing ping through PIX Firewall 515E - No NAT ne

praprama — Mon, 04 Oct 2010 13:47:26 GMT

Hey Samantha,

Please add the command "fixup protocol icmp" on the PIX if you have not done so already and test the pings then. If it still does not help, please apply captures on the inside and outside interfaces and paste the captures here. For help with captures, please refer the below:

https://supportforums.cisco.com/docs/DOC-1222

Also, please post the output of "show nat", "show global" and "show static" from the PIX.

Thanks and Regards,

Prapanch

Re: Issue w/ allowing ping through PIX Firewall 515E - No NAT ne

SamanthaDS — Mon, 04 Oct 2010 13:52:56 GMT

Ok, so I added:

static (inside,outside) 200.0.11.2 200.0.11.2 netmask 255.255.255.255 0 0
static (inside,outside) 200.0.12.1 200.0.12.1 netmask 255.255.255.255 0 0



... still doesn't work. I also checked the router and there are no access-lists on it, here is its config:

Router#sh ru Building configuration...  
Current configuration : 859 bytes 
! 
version 12.3 service config 
no service pad 
service timestamps debug datetime msec 
service timestamps log datetime msec n
o service password-encryption 
! 
hostname Router 
! 
boot-start-marker boot-end-marker 
! 
enable secret 5 $1$fn64$YmP90qmUj8lxDjvEtwU.N1 
enable password Cisco 
! 
no aaa new-model ip subnet-zero 
! 
! 
! 
! 
! 
! 
! 
! 
! 
interface Ethernet0  
ip address 200.0.12.1 255.255.255.0  
no cdp enable 
! 
interface Ethernet1  
ip address 200.0.11.2 255.255.255.0  
duplex auto  no cdp enable 
! 
ip classless 
ip http server 
no ip http secure-server 
! 
! 
! 
control-plane 
! 
! 
line con 0  
exec-timeout 0 0  
no modem enable  
transport preferred all 
transport output all 
line aux 0  
transport preferred all  
transport output all 
line vty 0 4  
password cisco 
login  
transport preferred all  
transport input all  
transport output all 
! 
scheduler max-task-time 5000 end
Thanks.

Re: Issue w/ allowing ping through PIX Firewall 515E - No NAT ne

SamanthaDS — Mon, 04 Oct 2010 14:06:04 GMT

Hey Prapanch,

Here are the outputs of "show nat", "show global" and "show static" from the PIX:

pixfirewall# show nat
nat (inside) 0 access-list nonat
nat (inside) 0 200.0.11.0 255.255.255.0 0 0
pixfirewall# show global
pixfirewall# show static
static (inside,outside) 200.0.10.5 200.0.10.5 netmask 255.255.255.255 0 0
static (inside,outside) 200.0.11.2 200.0.11.2 netmask 255.255.255.255 0 0
static (inside,outside) 200.0.12.1 200.0.12.1 netmask 255.255.255.255 0 0

And here are the captures:

pixfirewall(config)# access-list cap-list permit ip any any
pixfirewall(config)# capture in-cap interface inside access-list cap-list buff$
pixfirewall(config)# capture out-cap interface outside access-list cap-list bu$
pixfirewall(config)# ping 200.0.11.2
31: ICMP echo request (len 32 id 9233 seq 0) 200.0.11.1 > 200.0.11.2
         200.0.11.2 NO response received -- 1000ms
32: ICMP echo request (len 32 id 9233 seq 1) 200.0.11.1 > 200.0.11.2
         200.0.11.2 NO response received -- 1000ms
33: ICMP echo request (len 32 id 9233 seq 2) 200.0.11.1 > 200.0.11.2
         200.0.11.2 NO response received -- 1000ms
pixfirewall(config)# ping 200.0.12.1
34: ICMP echo request (len 32 id 9233 seq 0) 200.0.11.1 > 200.0.12.1
         200.0.12.1 NO response received -- 1000ms
35: ICMP echo request (len 32 id 9233 seq 1) 200.0.11.1 > 200.0.12.1
         200.0.12.1 NO response received -- 1000ms
36: ICMP echo request (len 32 id 9233 seq 2) 200.0.11.1 > 200.0.12.1
         200.0.12.1 NO response received -- 1000ms
pixfirewall(config)# ping 200.0.10.5
37: ICMP echo request (len 32 id 9233 seq 0) 200.0.10.1 > 200.0.10.5
         200.0.10.5 NO response received -- 1000ms
38: ICMP echo request (len 32 id 9233 seq 1) 200.0.10.1 > 200.0.10.5
         200.0.10.5 NO response received -- 1000ms
39: ICMP echo request (len 32 id 9233 seq 2) 200.0.10.1 > 200.0.10.5
         200.0.10.5 NO response received -- 1000ms
pixfirewall(config)# ping 200.0.11.2
40: ICMP echo request (len 32 id 9233 seq 0) 200.0.11.1 > 200.0.11.2
         200.0.11.2 NO response received -- 1000ms
41: ICMP echo request (len 32 id 9233 seq 1) 200.0.11.1 > 200.0.11.2
         200.0.11.2 NO response received -- 1000ms
42: ICMP echo request (len 32 id 9233 seq 2) 200.0.11.1 > 200.0.11.2
         200.0.11.2 NO response received -- 1000ms
pixfirewall(config)# sh capture out-cap
5 packets captured
13:59:25.192433 200.0.11.2.51029 > 255.255.255.255.69: udp 22
13:59:28.190007 200.0.11.2.51029 > 255.255.255.255.69: udp 22
13:59:32.189885 200.0.11.2.51029 > 255.255.255.255.69: udp 22
13:59:37.189733 200.0.11.2.51029 > 255.255.255.255.69: udp 22
13:59:43.189611 200.0.11.2.51029 > 255.255.255.255.69: udp 22
5 packets shown
pixfirewall(config)# sh capture in-cap
3 packets captured
13:57:25.302886 200.0.10.1 > 200.0.10.5: icmp: echo request
13:57:26.295028 200.0.10.1 > 200.0.10.5: icmp: echo request
13:57:27.295043 200.0.10.1 > 200.0.10.5: icmp: echo request
3 packets shown

I'm sorry I have to leave now but I will come again tomorrow,

Thanks everyone for trying hard to help,

Samantha.

Re: Issue w/ allowing ping through PIX Firewall 515E - No NAT ne

SamanthaDS — Tue, 05 Oct 2010 06:48:35 GMT

Hi again Prapanch !

Were you able to figure something out with the captures and outputs I sent you?

Thanks again,

Samantha.

Re: Issue w/ allowing ping through PIX Firewall 515E - No NAT ne

praprama — Tue, 05 Oct 2010 15:36:50 GMT

Hi Samantha,

It certainly looks like the PIX is dropping the ICMP packets. Have you added the "fixup protocol icmp" command? Also, can you paste a sanitized configuration here from the PIX once again? Seems like a lot of changes have been made since you started out.

Thanks and Regards,

Prapanch