topic Re: Routing on PIX 506E ver.6.3 in Network Security

Routing on PIX 506E ver.6.3

amarula115 — Mon, 11 Mar 2019 18:57:56 GMT

Hi everybody

Here below is a description of the issue I have.

My network:

outside network 10.80.188.0------>10.80.188.1(outside PIX interface)---------(inside PIX interface)172.21.7.1<-------172.21.7.0 inside network

I put the following config:

static (inside,outside) 172.21.7.0 172.21.7.0 netmask 255.255.255.0

ip address outside 10.80.188.1 255.255.255.0
ip address inside 172.21.7.1 255.255.255.0

access-list FromInside permit ip any any
access-list FromOutside permit ip any any

access-group FromOutside in interface outside
access-group FromInside in interface inside

for testing purpose I have one device on 10.80.188.0 network (device IP 10.80.188.10) and one device on network 172.21.7.0 (device IP 172.21.7.10)

With the above mentionned config I can ping from device 172.21.7.10 to device 10.80.188.10

but I can't ping from 10.80.188.10 to 172.21.7.10 (no firewalls enabled on either PC)

On ASA55XX with ver 8.3 I can achieve this quite easy with two simple commands:

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

but how to do it on PIX 506E with ver.6.3 ??

Do I need another static statement?

I tried to add: static (inside,outside) 10.80.188.0 10.80.188.0 netmask 255.255.255.0

but it doesn't work

Any help appreciated.

Re: Routing on PIX 506E ver.6.3

Jennifer Halim — Thu, 21 Oct 2010 04:01:15 GMT

Pls add "fixup procotol icmp error".

If you run packet capture on both inside and outside interface of the PIX firewall, what do you see?

Re: Routing on PIX 506E ver.6.3

Jennifer Halim — Thu, 21 Oct 2010 04:03:46 GMT

And btw, since you mention same-security-traffic, are you having the same security level for both inside and outside interface?

If you are, that is not supported in PIX version 6.3. Please change the security level so outside is having lower security level than inside.

Re: Routing on PIX 506E ver.6.3

Maykol Rojas — Thu, 21 Oct 2010 04:07:18 GMT

Hello,

I see you mention also same security traffic, please remember that the Pix 6.3 does not support same security traffic...

Here is the link

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807fc191.shtml

Try what Jennifer told you adding the icmp error command...

Cheers

Mike

Re: Routing on PIX 506E ver.6.3

amarula115 — Thu, 21 Oct 2010 12:59:16 GMT

I entered fixup for icmp. Didin't help

Capture on outside:

pixfirewall(config)# sh capture CAPTURE
4 packets captured
04:46:14.079372 10.80.188.10 > 172.21.7.10: icmp: echo request
04:46:19.017485 10.80.188.10 > 172.21.7.10: icmp: echo request
04:46:24.024885 10.80.188.10 > 172.21.7.10: icmp: echo request
04:46:29.016753 10.80.188.10 > 172.21.7.10: icmp: echo request
4 packets shown

Capture on inside:

pixfirewall(config)# sh capture CAPTURE
7 packets captured
04:46:14.079372 10.80.188.10 > 172.21.7.10: icmp: echo request
04:46:19.017485 10.80.188.10 > 172.21.7.10: icmp: echo request
04:46:24.024885 10.80.188.10 > 172.21.7.10: icmp: echo request
04:46:29.016753 10.80.188.10 > 172.21.7.10: icmp: echo request
04:48:18.705331 10.80.188.10 > 172.21.7.10: icmp: echo request
04:48:23.516712 10.80.188.10 > 172.21.7.10: icmp: echo request
04:48:28.524295 10.80.188.10 > 172.21.7.10: icmp: echo request
7 packets shown

Re: Routing on PIX 506E ver.6.3

amarula115 — Thu, 21 Oct 2010 13:00:43 GMT

Nope.

nameif ethernet0 outside security0
nameif ethernet1 inside security100

Re: Routing on PIX 506E ver.6.3

amarula115 — Thu, 21 Oct 2010 14:00:06 GMT

I know it doesn't work on ver 6.3

I just mentionned that same security traffic works with ver. 7 and up ( I have it on version 8.3)

I added fixup protocol icmp error but it didn't help.

I know that to achieve what I want I need to use these null statics statement but I don't rememeber exactly how?

example of null static :

static (inside,outside) 10.80.188.0 10.80.188.0 netmask 255.255.255.0

Re: Routing on PIX 506E ver.6.3

Jennifer Halim — Thu, 21 Oct 2010 23:27:28 GMT

OK, seems that the firewall is sending the ICMP ECHO Request outbound towards 172.21.7.10, however, that host is not responding as we can not see ICMP ECHO Reply on the inside interface.

Are you sure no personal firewall or some sort of anti virus is not enabled on that host? Can you try a different PC, or swap the 10.80.188.10 with the 172.21.7.10 PC, swap the IP Addresses around, and see if you can ping in that direction (from outside to inside).

BTW, you don't need any other static NAT statement. Only the following is required:

static (inside,outside) 172.21.7.0 172.21.7.0 netmask 255.255.255.0

and please "clear xlate" whenever you add or remove NAT statements.

Re: Routing on PIX 506E ver.6.3

amarula115 — Fri, 22 Oct 2010 00:34:29 GMT

Thank you very much for your help. I was looking on the PC for Windows firewall and I disabled it. However I didn't know that my co-worker installed additionally AVG Internet Security Suite on this PC. There were no AVG icons on the desktop or in the task bar. To disable Windows Firewall I was going to the Services and right away scrolling down to the letter W for Windows firewall omitting AVG which are at the beginning of the list of services. Stupid me.

Thank you a lot again

Re: Routing on PIX 506E ver.6.3

Jennifer Halim — Fri, 22 Oct 2010 01:40:33 GMT

Great news and thanks for the update.