topic Re: Basic PIX firewalling in Network Security

Basic PIX firewalling

amit.bhagat — Mon, 11 Mar 2019 16:40:23 GMT

Hi Guys,

A basic firewall issue-network topology is as follows-

R1-PIX-R2

R1 config-

interface Loopback 0

ip address 192.168.1.1 255.255.255.0

interface fastethernet 0/0

ip address 10.1.1.1 255.255.255.0

ip route 0.0.0.0 0.0.0.0 10.1.1.2

R2 config-

interface Loopback 0

ip address 1.1.1.1 255.255.255.255

interface fastethernet 0/0

ip address 10.2.2.2 255.255.255.0

ip route 192.168.1.0 255.255.255.0 10.2.2.1

PIX config in router mode-

interface e0

nameif inside

ip address 10.1.1.2 255.255.255.0

security-level 100

interface e1

nameif outside

ip address 10.2.2.1 255.255.255.0

security-level 0

route outside 0.0.0.0 0.0.0.0 10.2.2.2

route inside 192.168.1.0 255.255.255.0 10.1.1.1

access-list 101 extended permit ip any any

access-list 101 extended permit icmp any any

access-list 101 extended permit icmp any any echo

access-list 101 extended permit icmp any any echo-reply

access-list 101 extended permit icmp any any unreachable

access-group 101 in interface outside

Now, the issue is I CANNOT ping between R1 & R2. However, I can ping from PIX to each device.

Any help would be appreciated.

Regards,

Amit.

Re: Basic PIX firewalling

vikram_anumukonda — Tue, 17 Nov 2009 09:22:49 GMT

what version of the code are you running.

Re: Basic PIX firewalling

amit.bhagat — Tue, 17 Nov 2009 09:38:10 GMT

PIX OS version 8.04

Re: Basic PIX firewalling

vikram_anumukonda — Tue, 17 Nov 2009 09:42:33 GMT

config looks good, anything showing up in the logs ?

Re: Basic PIX firewalling

sureshkrishnan — Fri, 20 Nov 2009 19:17:58 GMT

Try this.

policy-map global_policy
class inspection_default

inspect icmp

Re: Basic PIX firewalling

amit.bhagat — Sun, 22 Nov 2009 23:38:20 GMT

Hi Suresh,

I have tried that too- applying the policy-map globally.

However, I should mention that this lab was run on GNS3. I have tried it on two different computers with same config and I have to say that I have reached a breakthrough.

I have been able to ping between two routers through the firewall in both, routed and transparent, modes. But this is only possible if I increase the timeout value to almost 20 seconds. I have even run OSPF on and through the firewall.

My next questions would be- on a real PIX firewall, does it take too long for interesting traffic to pass through it? How do OSPF and other routing protocols manage to keep the adjacency UP if packets take too long to reach between connected devices? In my case, OSPF adjacency was flapping. But perhaps I can blame it to the CPU resources of the PC.

Regards,

Amit.