topic Re: PIX or router issue in Network Security

PIX or router issue

seekhpar121 — Mon, 11 Mar 2019 14:48:51 GMT

Following is a lab topology:

I cannot ping from interent(LAB) router to the inside interface of pix as well as lan.

ALso cannot ping outside interface of Pix from lan but can ping the system on internet(LAB) .

Can anyone help .

Thanks in advance.

system A ------>switch------->LAN Router---->firewall--->Internet Router----->Switch----->System B

System A IP:10.1.2.5/24

gateway: 10.1.2.1

System B ip:172.16.10.5/24

-------------------------------------

LAN Router Configuration:

interface Ethernet0/0

ip address 10.1.2.1 255.255.255.0

half-duplex

interface Ethernet0/1

ip address 10.1.1.2 255.255.255.0

half-duplex

ip route 0.0.0.0 0.0.0.0 10.1.1.1

---------------------------------------

PIX configuration:

interface Ethernet0

nameif outside

security-level 0

ip address 10.165.200.226 255.255.255.224

interface Ethernet1

nameif inside

security-level 100

ip address 10.1.1.1 255.255.255.0

access-list 100 extended permit icmp any any echo

access-list 100 extended permit icmp any any echo-reply

access-list 100 extended permit icmp any any time-exceeded

access-list 100 extended permit icmp any any unreachable

access-list 100 extended permit tcp any any eq smtp

global (outside) 1 10.165.200.227-10.165.200.254 netmask 255.255.255.224

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) 10.165.200.228 10.1.2.5 netmask 255.255.255.255

access-group 100 in interface outside

route outside 0.0.0.0 0.0.0.0 10.165.200.225 1

route inside 10.1.2.0 255.255.255.0 10.1.1.2 1

---------------------------------------------------

Internet Router:

interface Ethernet0

ip address 10.165.200.225 255.255.255.224

half-duplex

interface FastEthernet0

ip address 172.16.10.1 255.255.255.0

speed auto

-------------------------------------------------

Re: PIX or router issue

andrew.prince — Wed, 11 Feb 2009 11:43:51 GMT

from the pix can you ping the internet router?

Re: PIX or router issue

seekhpar121 — Thu, 12 Feb 2009 04:13:32 GMT

Hi,

Thanks for your response.

FRom system A:

1)CAN ping System B.

2)CANNOT ping outside interface of pix

3)CAN ping ETH0 of internet router connected to outisde interface of pix.

From PIX:

Can ping Internet router as well as System B:

From Internet Router:

Cannot ping Inisde interface of PIX:

From System B:

When ping inside interface of pix:Result is

Reply from 172.16.10.1:destination host unreachable

Waiting for more replies.

Thanks

Re: PIX or router issue

andrew.prince — Thu, 12 Feb 2009 10:10:10 GMT

This is normal behaviour.

From the outside of the pix you will not be able to ping the inside IP. From the inside of the pix you will not be able to ping the outside IP = all normal for the PIX.

For your network connectivity tests that prove the network from end to end will be:-

system A ping switch = OK

system A ping LAN Router = OK

system A ping firewall inside = OK

system A ping internet router = OK

The above proves the system A side 100%

system B ping switch = OK

system B ping internet router = OK

system B ping firewall outside = OK

system B ping LAN router = OK

The above proves the system B side 100%

system B ping system A = OK

That means you have 100% end to end connectivity.

HTH>

Re: PIX or router issue

seekhpar121 — Fri, 13 Feb 2009 04:09:24 GMT

system B cannot ping LAN Router,

Response is

Reply from 172.16.10.1(internet Router ip),destination host unreachable.

Also System B cannot ping System A.

PIX os is v8.0(3)

Re: PIX or router issue

andrew.prince — Fri, 13 Feb 2009 08:13:04 GMT

Then the issue has nothing to do with the firewall - it is a mi-configuration on the internet router. Post for review.

Re: PIX or router issue

seekhpar121 — Fri, 13 Feb 2009 14:21:25 GMT

Following is the internet router configuration.

Internet Router:

interface Ethernet0

ip address 10.165.200.225 255.255.255.224

half-duplex

interface FastEthernet0

ip address 172.16.10.1 255.255.255.0

speed auto

Re: PIX or router issue

andrew.prince — Fri, 13 Feb 2009 14:47:18 GMT

OK - are you allowing icmp requests thru the firewall?

Re: PIX or router issue

seekhpar121 — Sat, 14 Feb 2009 03:40:34 GMT

AT PIX for allowing icmp as well as routes and static natting of system A

access-list 100 extended permit icmp any any echo

access-list 100 extended permit icmp any any echo-reply

access-list 100 extended permit icmp any any time-exceeded

access-list 100 extended permit icmp any any unreachable

access-group 100 in interface outside

static (inside,outside) 10.165.200.228 10.1.2.5 netmask 255.255.255.255

route outside 0.0.0.0 0.0.0.0 10.165.200.225 1

route inside 10.1.2.0 255.255.255.0 10.1.1.2 1

Re: PIX or router issue

andrew.prince — Sat, 14 Feb 2009 08:37:38 GMT

You need to re think your config - on what you want to allow thru the firewall and how you NAT that traffic.

Post a network diagram of your test network including your IP subnets.