Is my router obstructing the http traffic from the PIX

mpimplikar
Level 1

I tried to configure a PIX firewall 515, version 5.3(1). The setup is like below:

internet - router 2621 - PIX - Inside network

On the PIX, I do a tracert for an outside IP from the inside network with ICMP permits. The inside address is translated to a global pool IP and I can see the outbound requests. The outbound requests are not followed by inbound replies. The router 2621 has no NAT defined; on the same, the gateway of last resort points to the ISP router, rather than to the PIX outside (as suggested in the PIX guide). In case the PIX has static definitions for some hosts inside, I am able to ping outside from these inside hosts. Other hosts not having static definitions on the PIX are not able to receive the inbound replies for any ping or HTTP access.

Is my router blocking the HTTP traffic?

Please suggest

Manish

6 Replies

j-block
Level 4

It sounds to me like an ARP problem. If your internal hosts were directly connected to that router and now you put a PIX in between them, the MAC addresses of the internal hosts are stored in the outside router's ARP cache. So start by clearing the ARP cache on the router after installing the PIX (clear arp-cache) or reboot it. Also, check to make sure that the router knows about your NAT pool addresses and is routing them to the PIX by either a directly connected network or static routes.

I have checked the ARP table of the router 2621; it indicates the global pool addresses and the MAC address of the PIX outside. I have also tried the clear arp-cache and the same happens on the ARP.

To announce the PIX global pool address on the router, do I need to indicate the global pool addresses in a static route to the PIX?

Please suggest.

Thanks

ebs_trader
Level 1

This might be the case if you have an access-list not explicitly permitting the said traffic. Bear in mind that there is an implicit deny at the end of any access-list. So you should check for any access-list configs on the inbound connection from your ISP's connection to your router. Failing that, check your NAT configs and make sure that you have an entry for outbound and if necessary one for the inside. Use the NAT troubleshooting commands, e.g. sh ip nat translations, or debug the access-list that triggers the natting.

D . Afilaka

CCNP

We have explicit permit options set for tcp any any eq 80. My IP translations seem to work; I can see them on the outbound requests. The router ARP also shows the global pool mapped to the PIX outside MAC.

For checking the access-list setup on the router, please suggest where and how to check.

Thanks

Interesting problem:

traceroute uses UDP 33000 and above and not ICMP. So this is why you might not see the return traffic. In addition: without the PIX in the equation, can you function normally to the internet? This will help find the problem, if it's the router.

Next:

will tell you on the router whether you have access-lists blocking traffic.

Do you have a conduit for DNS? Port 53 in/outbound (assuming you are not using BIND 8 or higher).

Thanks for the response.

Understand the tracert, but then the debug icmp trace on the PIX shows the outbound request.

From the router I am able to ping the PIX.

From the PIX console I am able to ping an outside internet address and my ISP router. I am unable to ping the outside of the PIX from inside despite the access-list ICMP permissions.

Without the PIX, I am able to browse the internet properly with NAT on the router inside interface.

With the PIX, the NAT and global address pool move to the PIX; the router inside interface only needs to direct all traffic to the PIX outside interface.

With the PIX in the equation, I am removing the NAT table from the router and also clearing the arp-cache. As indicated, the router ARP then shows all global pool addresses with the PIX MAC address.

Conduit for DNS??? Please suggest.

Thanks again.
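Putting the thread's pieces together as an added illustration (this is not any poster's configuration): the 2621 with the PIX outside on a directly connected subnet, the PIX 5.3 global pool taken from that same subnet (j-block's "directly connected network or static route" point), and an inbound access-list on the PIX that admits only the ICMP replies the inside hosts' pings and tracerts need. All addresses, interface names and the access-list name are assumed; the router and PIX command forms are the standard IOS and PIX 5.x ones.

```cisco
! ---- Router 2621 (IOS); assumed addressing from the documentation range ----
! Interface facing the PIX outside. The PIX outside address and the global
! pool both sit in 192.0.2.0/24, so the pool is a directly connected network
! and the PIX answers ARP for the pool addresses (the "global pool -> PIX MAC"
! entries seen in the router ARP table). No static route is needed for it.
interface FastEthernet0/1
 ip address 192.0.2.1 255.255.255.0
 no ip nat inside
!
! Only if the pool were taken from a block NOT on the PIX link
! (e.g. 198.51.100.0/24) would the router need a static route to the PIX:
! ip route 198.51.100.0 255.255.255.0 192.0.2.2
!
! Checks: is an inbound ACL on the ISP-facing interface dropping the replies,
! and is the router really no longer translating anything itself?
! show ip interface Serial0/0 | include access list
! show ip access-lists
! show ip nat translations      (should be empty once NAT moved to the PIX)

! ---- PIX 515, 5.3(1) ----
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.0.2.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
!
! Dynamic NAT for every inside host into a pool on the outside subnet.
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
global (outside) 1 192.0.2.10-192.0.2.20 netmask 255.255.255.0
!
! Return traffic for pings and tracerts started inside: echo-reply answers
! the probes, time-exceeded and unreachable carry the per-hop answers.
! Limit it to the pool rather than "permit icmp any any". TCP and UDP replies
! to outbound HTTP and DNS need no entry: the PIX keeps state for its own
! translations, so no conduit is required for them.
access-list acl_out permit icmp any 192.0.2.0 255.255.255.0 echo-reply
access-list acl_out permit icmp any 192.0.2.0 255.255.255.0 time-exceeded
access-list acl_out permit icmp any 192.0.2.0 255.255.255.0 unreachable
access-group acl_out in interface outside
!
! Verify a translation exists for the inside host and that the outside
! access-list is matching the replies rather than dropping them:
! show xlate
! show access-list acl_out
```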
