PIX 501 not talking to "Next Hop" router?

BarryJoseph
Level 1

Hello,

My home network currently consists of a Cable Modem --> PIX 501 --> Switch --> internal hosts.  The PIX outside interface is set to DHCP, and the device is also DHCP server for my network.

I am trying to add a router between the ISP Modem and the PIX.  (The reason is so I can monitor intrusion attempts coming in from the internet, prior to reaching the firewall.)  I have a 1605 router with 2 ethernet interfaces: E0 is set to DHCP client and connected to the ISP modem; E1 is in the same subnet as my PIX outside interface.  The PIX is still DHCP server for the LAN, but the outside interface is now set to a static address.

Now that I have this set up I am unable to get out to the internet from inside.  To test I attempted to PING the router E0 interface from an internal host.  I then ran debug ICMP at both the 1605 and the PIX.  The router receives those requests, but the response never makes it back to the PIX.

Another thing I tried is to enable RIP v2 on the router and PIX.  With this on (and with the networks defined on the 1605) I did a "Debug RIP" on both devices.   So at the router I can see RIP broadcasts being sent out from the router, and also RIP broadcasts being received from the PIX.  But from the PIX I only see broadcasts it is sending out - it's not getting anything back from the router.

Am I missing something basic here?  I will be happy to post configs if needed.

Thank you!

-BK

23 Replies

Hello!

Well tonight's testing (following your recommendation) resulted in the following.  Please let me know what that tells you - I'm hoping to learn along the way!

PIX2# show cap capin

4 packets captured
17:13:22.361141 192.168.1.14 > 4.2.2.2: icmp: echo request
17:13:26.972956 192.168.1.14 > 4.2.2.2: icmp: echo request
17:13:31.973948 192.168.1.14 > 4.2.2.2: icmp: echo request
17:13:36.973933 192.168.1.14 > 4.2.2.2: icmp: echo request
4 packets shown

PIX2# show cap capout

4 packets captured
17:13:22.361553 192.168.0.2 > 4.2.2.2: icmp: echo request
17:13:26.973201 192.168.0.2 > 4.2.2.2: icmp: echo request
17:13:31.974208 192.168.0.2 > 4.2.2.2: icmp: echo request
17:13:36.974192 192.168.0.2 > 4.2.2.2: icmp: echo request
4 packets shown

Hello Barry,

Great job with the captures.

That basically lets us know that we are receiving the traffic from the workstation, the traffic is then allowed by the FW and sent out the outside interface, BUT there is no reply.

So basically a problem with the ISP. Call them and explain to them you see traffic going out to their link but there is no reply.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
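The reasoning in the reply above (requests seen on capin, the same requests seen translated on capout, no echo replies on either) can be turned into a small check that reads the two `show capture` outputs and says which side of the firewall the path breaks on. This is an added example, not something from the thread or from Cisco: it parses the PIX capture format shown earlier in the thread (the capin/capout text below is the output Barry posted; the second "healthy" pair of captures is constructed to show the working case), pairs echo requests with echo replies per flow, and reports the inside source (192.168.1.14), the translated outside source (192.168.0.2) and a verdict. The verdict strings and the `diagnose` function name are my own choices.

```python
"""Pair ICMP echo requests/replies in PIX 'show capture' output and locate the break."""
import re

# Matches lines like: 17:13:22.361141 192.168.1.14 > 4.2.2.2: icmp: echo request
ECHO_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<src>[\d.]+)\s+>\s+(?P<dst>[\d.]+):"
    r"\s+icmp:\s+echo\s+(?P<kind>request|reply)\s*$"
)

# Captures quoted in the thread (inside = capin, outside = capout): requests only, no replies.
CAPIN_THREAD = """4 packets captured
17:13:22.361141 192.168.1.14 > 4.2.2.2: icmp: echo request
17:13:26.972956 192.168.1.14 > 4.2.2.2: icmp: echo request
17:13:31.973948 192.168.1.14 > 4.2.2.2: icmp: echo request
17:13:36.973933 192.168.1.14 > 4.2.2.2: icmp: echo request
4 packets shown
"""
CAPOUT_THREAD = """4 packets captured
17:13:22.361553 192.168.0.2 > 4.2.2.2: icmp: echo request
17:13:26.973201 192.168.0.2 > 4.2.2.2: icmp: echo request
17:13:31.974208 192.168.0.2 > 4.2.2.2: icmp: echo request
17:13:36.974192 192.168.0.2 > 4.2.2.2: icmp: echo request
4 packets shown
"""

# Constructed captures for the working case (timestamps and reply lines made up for illustration).
CAPIN_OK = """2 packets captured
17:20:01.000100 192.168.1.14 > 4.2.2.2: icmp: echo request
17:20:01.010200 4.2.2.2 > 192.168.1.14: icmp: echo reply
2 packets shown
"""
CAPOUT_OK = """2 packets captured
17:20:01.000300 192.168.0.2 > 4.2.2.2: icmp: echo request
17:20:01.010100 4.2.2.2 > 192.168.0.2: icmp: echo reply
2 packets shown
"""


def parse_capture(text):
    """Return (ts, src, dst, kind) for each ICMP echo line; header/trailer lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = ECHO_RE.match(line.strip())
        if m:
            packets.append((m["ts"], m["src"], m["dst"], m["kind"]))
    return packets


def echo_summary(packets):
    """Count (requests, replies) per (client, target) flow.

    A reply travelling target -> client is credited to the flow keyed (client, target),
    so an unanswered flow shows up as (n, 0).
    """
    flows = {}
    for _ts, src, dst, kind in packets:
        key = (src, dst) if kind == "request" else (dst, src)
        req, rep = flows.get(key, (0, 0))
        flows[key] = (req + 1, rep) if kind == "request" else (req, rep + 1)
    return flows


def diagnose(capin_text, capout_text):
    """Compare inside and outside captures and say where the echo path breaks."""
    inside = echo_summary(parse_capture(capin_text))
    outside = echo_summary(parse_capture(capout_text))
    in_req = sum(r for r, _ in inside.values())
    in_rep = sum(p for _, p in inside.values())
    out_req = sum(r for r, _ in outside.values())
    out_rep = sum(p for _, p in outside.values())

    if in_req and not out_req:
        verdict = "requests never leave the firewall: check the PIX ACL, route and translation"
    elif out_req and not out_rep:
        verdict = ("requests leave the outside interface but nothing comes back: "
                   "look upstream (next-hop NAT, ARP, ISP), not at the firewall policy")
    elif out_rep and not in_rep:
        verdict = "replies reach the outside interface but are dropped inside the firewall"
    else:
        verdict = "echo replies are flowing end to end"

    return {
        "inside_sources": sorted({client for client, _ in inside}),   # pre-NAT address
        "outside_sources": sorted({client for client, _ in outside}), # post-NAT address
        "inside_requests": in_req, "inside_replies": in_rep,
        "outside_requests": out_req, "outside_replies": out_rep,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, a, b in (("thread", CAPIN_THREAD, CAPOUT_THREAD), ("healthy", CAPIN_OK, CAPOUT_OK)):
        print(label, diagnose(a, b))
```

Run against the captures from the thread it reports four outbound requests, zero replies on the outside interface and the "look upstream" verdict, which is exactly the conclusion drawn in the reply, and the later posts confirm the missing piece was NAT on the 1600 router in front of the PIX. The outside capture only shows the translated source, so keep both captures when you troubleshoot; comparing them is what proves the translation happened.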

Hi Julio,

Thank you so much for taking the time to assist me with this issue.  I'm not sure it's an ISP issue though (at least I hope not!)  Please consider:

- When I first attempted to implement this change, I didn't even think to install a router between the cable modem and switch.  I figured I would simply install a switch (or hub) between the cable modem and firewall, and that I would be able to plug my IDS into that switch (or hub).  But it wouldn't work.  The PIX couldn't pull an IP.  I found out the problem was that the ISP was seeing the switch as the primary device, and grabbing its MAC address.  The PIX was ignored, and therefore never able to connect.  I called the ISP and they confirmed this is how they control how many devices are connected.  And since I only want to pay for 1 IP address from them, that's how it is.

- Then I decided to try the router approach.  And it seems to work.  The 1st router interface is getting the IP address from the ISP.  I have communications between the pix and router, and also between the router and internal hosts.  I don't think the ISP cares what's on the other side of the router (do they?)

- Each time I go home to try your recommendations I unplug the PIX from the cable modem, and connect the router inline.  That's when I lose internet connectivity.  But once I revert back to that configuration, it works again.  So the internet connection works fine.  It's only when I add the router to the mix that I lose it.

Please let me know if you think there's anything else I can try here.  I can't help thinking it is my configuration and not an ISP issue - hoping you are able to find something else I may have done incorrectly.

Thank you!

-Bk

Hi again Julio,

I finally proved that the ISP isn't the issue.  What I did was remove the PIX from the equation, and went straight from the router to a hub, and plugged a client into the hub.  I configured a basic NAT config, set up a default route at the router to the ISP default gateway (THAT IP wasn't easy to find!), and was able to get out to the 'net from that client.

Now I need to bring the PIX back into the picture.  Would you mind helping me out?  I'm a little unclear if NAT'ing should be done at the router, at the PIX, or both.  I do need to be able to access internal clients from outside, so it seems to me that it would be better to leave the rules in place on the firewall.  But of course the addresses will need to be changed. 


PLEASE help me figure out where to go next!!!

Thanks again,

BK

Hello Barry,

Could be an ARP issue.

The ASA is showing the traffic leaving its outside interface; that lets me know it's not an ASA issue, bud.

Share the following

show ip

show interface ip brief

Do you have access to the ISP modem? If yes, get in and check the ARP table and look for the ASA IP address.

You should find it. Then look at the mac address and make sure it belongs to the outside interface of the ASA

Show interface ethernet 0

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio,

Finally found my problem.  I was NATing at the firewall, but not at the 1600 router (which is directly connected to the ISP).  Once I turned it on at the 1600, BINGO, I'm getting out!  I was about to mark this issue as "Solved" but I do have a followup issue.  (Please let me know if I need to open another incident.)

I am no longer able to reach my inside hosts from outside.  Is that because, since I'm NATing at the router instead of the PIX, the Port Overload definitions also need to take place at the router now?  I'm starting to play with that now...please let me know if I'm on the right track (and if you can help me to get it working).

Thanks again!

Hello,

So as I said the issue was not on the FW!

Yeah, you will need to work on that side first, then move to the outside interface of the FW and make sure you allow the traffic there.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi again Julio,

I've rated several of your posts as you have requested.  I'm going to submit a new topic shortly, since it's a different issue than the one I originally posted.  I hope you're available to help me with this one as well.  Thanks again for your assistance!

-BK

Hello,

It will be a pleasure to help you, Barry. Just keep me posted, bud.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC