PIX only avail after pinging from itself

sven.huster — Fri, 21 Feb 2020 07:09:12 GMT

I got a PIX515e/UR running 6.3(1).

It looks like it is only reachable e.g. for ICMP once it pinged the other end first.

I try from ping 10.0.0.1 (host) and 10.0.0.254 (gateway) to the outside interface with no success.After pinging from the outside interface to this IPs I get two-way communication going. But just to the PIX not the host mapped by the static command.

This behaviour is reproducible by clearing the arp entries on the host and the gateway.

I did some research mirroring traffic to and from the PIX and it does not seems to recognize the ARP requests at all.

debug arp gives me nothing at all.

BTW the gateway is a Alpine 3808 and the host is switched through it to access the PIX which is on a dedicated port there.

Any ideas?

Important part of the config follows:

interface ethernet0 100full

interface ethernet1 100full

interface ethernet1 vlan2 logical

interface ethernet1 vlan3 logical

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif vlan2 dmz security10

nameif vlan3 internal security90

access-list compiled

access-list ACL_OUTSIDE_IN permit icmp any any

access-list ACL_OUTSIDE_IN permit ip host 10.0.0.1 any

access-list ACL_OUTSIDE_IN permit ip host 10.0.0.2 any

access-list ACL_DMZ_IN deny ip 192.168.254.0 255.255.255.0 192.168.254.0

+255.255.255.0

access-list ACL_DMZ_IN permit icmp any any

access-list ACL_DMZ_IN permit ip any host 10.0.0.1

access-list ACL_DMZ_IN permit ip any host 10.0.0.2

access-list ACL_DMZ_IN permit udp any host 10.1.1.4 eq domain

access-list ACL_DMZ_IN permit udp any host 10.1.1.5 eq domain

icmp permit any outside

icmp permit any inside

icmp permit any dmz

icmp permit any internal

mtu outside 1500

mtu inside 1500

ip address outside 10.0.0.250 255.255.255.0

ip address inside 192.168.155.254 255.255.255.0

ip address dmz 192.168.254.254 255.255.255.0

ip address internal 192.168.151.254 255.255.255.0

arp timeout 14400

static (dmz,outside) 10.0.0.50 192.168.254.1 netmask 255.255.255.255 0 0

access-group ACL_OUTSIDE_IN in interface outside

access-group ACL_DMZ_IN in interface dmz

route outside 0.0.0.0 0.0.0.0 10.0.0.254 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

Thanks

Regards

Sven

Re: PIX only avail after pinging from itself

koaps — Sat, 13 Dec 2003 20:13:23 GMT

Are you using NAT?

If i was you, I would drop the DMZ ACL's and just have ACLS that relate to the static statements, then use nat for the inside clients to access the public and dmz networks. Also use nat for the dmz to access the public network.

also, are you trying to block trying going OUT of the dmz or IN to it? You did an IN statement, not and usually you block at the outside interface, not the dmz one.

Re: PIX only avail after pinging from itself

sven.huster — Sun, 14 Dec 2003 09:51:46 GMT

The internal and inside interfaces will use NAT to get to the outside but not between each other and the DMZ.

I need to DMZ ACL as I want to control what's allowed/denied from the hosts on this network.

topic Re: PIX only avail after pinging from itself in Network Security

PIX only avail after pinging from itself

Re: PIX only avail after pinging from itself

Re: PIX only avail after pinging from itself