Noob question: IP routing [PIX515E]

nateleduc
Beginner

Forgive me for I know this is probably Routing 101.

I know it has something to do with routing, but I can't seem to figure out why it isn't working.

PIX Version 7.1(2)
!
hostname PIX515E
domain-name LEDUC.LOCAL
enable password KImMvv.HAzqvR6HP encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.168.0.2 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name LEDUC.LOCAL
pager lines 24
mtu outside 1500
mtu inside 1500
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:b7e0f1e67acdbeccf8d614f5ac31faf4
: end

I can't ping from the 192.168.1.0 network. I can ping 192.168.0.2, but nothing past it. I'm having the same issue on my 2600.

Any advice?

24 Replies

Julio Carvajal
VIP Alumni

Hello Nathan,

So you can't ping from 192.168.1.0/24 to the internet, right?

Add the following and let me know

fixup protocol ICMP

If it works then I will explain what you were missing.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Jouni Forss
VIP Alumni

Hi,

If you want the 2 networks to communicate with each other directly without any NAT then I would suggest adding the following configurations

ICMP Inspection

policy-map global_policy
 class inspection_default
  inspect icmp

NAT0 Between the Networks

access-list INSIDE-NAT0 permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list INSIDE-NAT0

Allow ICMP from Outside to Inside

access-list OUTSIDE-IN permit icmp 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-group OUTSIDE-IN in interface outside

This should enable ICMP between both of the private networks. If you want something else done please clarify.

- Jouni

I have a device (filter/NAT) at 192.168.0.1; I can't ping it from the 192.168.1.0 network. I have a NAT already set up, and I don't want to have two set up unless it's needed.

Also, adding "fixup protocol icmp" returned

INFO: converting 'fixup protocol icmp ' to MPF commands

Still not able to

Hi,

The above configuration removes NAT between these 2 networks.

If you want the LAN network 192.168.1.0/24 not to be NATed at all to any destination network (and the router would do the actual NAT) then you can modify the above configuration like this

access-list INSIDE-NAT0 permit ip 192.168.1.0 255.255.255.0 any
nat (inside) 0 access-list INSIDE-NAT0

Because of your "security-level" values the traffic from "inside" to "outside" should already be allowed.

If you want to confirm it with ACL you can always add

access-list INSIDE-IN remark Allow All Traffic from LAN
access-list INSIDE-IN permit ip 192.168.1.0 255.255.255.0 any
access-group INSIDE-IN in interface inside

- Jouni

Also,

You don't have a default route configured, though it shouldn't affect pinging directly connected networks

route outside 0.0.0.0 0.0.0.0 192.168.0.1

Though you naturally need it for any traffic headed off your network

- Jouni

Hello,

Can you ping the default gateway or the device provided by your ISP IP address from the ASA itself?

Can you ping from a PC on the inside to the ASA inside interface?

Can you ping from a PC to the default gateway or the ISP IP device address?

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thank you all for the replies, I appreciate them all. Here is what my network looks like:

ISP
  |
Filter/NAT device: Eth0 - DHCP, Eth1 - 192.168.0.1
  |
PIX515E: eth0 - 192.168.0.2, eth1 - 192.168.1.1
  |
2600: eth0 - 192.168.1.2, eth1 - 192.168.3.1

I can ping 192.168.1.1 from the 2600, although I can't ping 192.168.0.2 or 192.168.0.1.

The filter (192.168.0.1) doesn't have any problems and passes through traffic no problem. I've tested it alone.

I added route outside 0.0.0.0 0.0.0.0 192.168.0.1 in the PIX515E

From the PIX I can ping 192.168.0.1 and 192.168.1.2.

From the 2600 I can ping 192.168.1.1 but not 192.168.0.2

confusion, confusion everywhere.

Hi,

To my understanding you shouldn't be able to ping a PIX interface IP address from anywhere other than from behind that interface. That is why your statement that you can ping 192.168.0.2 from the 2600 seems strange to me.

If you have one more network behind the PIX you will naturally need a route for it on the PIX also

route inside 192.168.3.0 255.255.255.0 192.168.1.2

Also you would have to make NAT0 rules for that network also just like with the 192.168.1.0/24 network.

Though if I understood you correctly this wasnt the problem.

I would check that all the needed static routes are in place and that you have done the above suggested configurations. Maybe you can copy/paste your current configuration here again.

- Jouni


Julio Carvajal
VIP Alumni

Hello,

Sorry folks, I just don't get it. Is there a way you could set up a diagram so Jouni and I can have a better picture of what your network looks like?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

This should do, see attached.

From the PIX I can ping 192.168.0.1 and 192.168.1.2.

From the 2600 I can ping 192.168.1.1 but not 192.168.0.2

Pretty much ignore the 192.168.2.X network for now. I'll get to that later.

for the 2600:

Building configuration...

Current configuration : 695 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 2600
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$bmO1$/LuQ62za7Clv79MMfG1FR/
enable password cisco2600
!
no aaa new-model
ip subnet-zero
no ip routing
no ip cef
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 no ip route-cache
 speed auto
 half-duplex
 no cdp enable
!
interface FastEthernet1/0
 ip address 192.168.3.1 255.255.255.0
 no ip route-cache
 duplex auto
 speed auto
 no cdp enable
!
ip http server
ip classless
!
!
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 password ******
 login
!
!
end

For the PIX515E

: Saved
:
PIX Version 7.1(2)
!
hostname PIX515E
domain-name LEDUC.LOCAL
enable password KImMvv.HAzqvR6HP encrypted
names
!
interface Ethernet0
 duplex full
 nameif outside
 security-level 0
 ip address 192.168.0.2 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name LEDUC.LOCAL
pager lines 24
mtu outside 1500
mtu inside 1500
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:b7e0f1e67acdbeccf8d614f5ac31faf4
: end

Hello Nathan,

From the 2600 you should be able to ping 192.168.0.1. Are you able to do it?

You will never be able to ping 192.168.0.2 as it's a far-end interface:

"For security purposes the security appliance does not support far-end interface ping, that is pinging the IP address of the outside interface from the inside network."

Source: http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/trouble.html

Now you need to add the following:

On the PIX:

policy-map global_policy
 class inspection_default
  inspect icmp
 exit
route outside 0.0.0.0 0.0.0.0 Default_gateway_ip_address

On the 2600:

ip routing
ip route 0.0.0.0 0.0.0.0 192.168.1.1
interface FastEthernet0/0
 ip route-cache
interface FastEthernet1/0
 ip route-cache

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I'm removing the 2600, as it doesn't serve a purpose anymore. I still cannot ping 192.168.0.2. Here is my current config:

: Saved
:
PIX Version 7.1(2)
!
hostname PIX515E
domain-name LEDUC.LOCAL
enable password KImMvv.HAzqvR6HP encrypted
names
!
interface Ethernet0
 duplex full
 nameif outside
 security-level 0
 ip address 192.168.0.2 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name LEDUC.LOCAL
pager lines 24
mtu outside 1500
mtu inside 1500
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 192.168.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
Cryptochecksum:b7e0f1e67acdbeccf8d614f5ac31faf4
: end

From my workstation I can ping 192.168.1.1 , but nothing further

Hi,

Have you tried adding the NAT0 rules I suggested originally?

I mean the rules that will tell the PIX that it isn't supposed to do any NAT on the traffic. From what I understood, the device in front of the PIX handles the NAT.

So let's say you want the network 192.168.1.0/24 to go through the PIX without any NAT; then you could configure this

access-list INSIDE-NAT0 remark NO NAT for LAN network
access-list INSIDE-NAT0 permit ip 192.168.1.0 255.255.255.0 any
nat (inside) 0 access-list INSIDE-NAT0

If I understood the situation correctly you now only have the switch and workstation(s) behind the PIX "inside" interface? If there is only the network 192.168.1.0/24 behind the PIX then that above NAT0 configuration should be enough.

Also, your default route shouldn't point to the device itself:

no route outside 0.0.0.0 0.0.0.0 192.168.0.2 1
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1

And as Julio and I have said, you will never be able to ping the PIX "outside" interface IP address from behind the "inside" of the PIX.

- Jouni
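As an added example (my own code, not anything posted in this thread), here is a small Python checker for the three configuration gaps the replies converged on: a missing or self-pointing default route, no ICMP inspection in the global policy, and a missing NAT exemption. The sample config embedded in it is constructed from the poster's second paste, cut down to the relevant lines; the finding codes, the messages and the nat-control caveat are mine, and the corrective CLI it emits assumes the real upstream gateway is passed in (192.168.0.1 in this thread).

```python
"""Lint a PIX 7.x running-config for the gaps this thread turned up (added example)."""
import re
from ipaddress import ip_address, ip_interface

# Constructed sample: the poster's second config cut down to the interfaces, the
# self-referencing default route he added, and a policy with no 'inspect icmp'.
SAMPLE_PIX_CONFIG = """\
interface Ethernet0
 nameif outside
 ip address 192.168.0.2 255.255.255.0
!
interface Ethernet1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 192.168.0.2 1
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
!
service-policy global_policy global
"""

NAMEIF_RE = re.compile(r"^\s*nameif\s+(\S+)")
IPADDR_RE = re.compile(r"^\s*ip address\s+(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})")
ROUTE_RE = re.compile(r"^\s*route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
NAT0_RE = re.compile(r"^\s*nat\s+\((\w+)\)\s+0\s+access-list\s+\S+")


def parse_interfaces(config):
    """Map each nameif to an ip_interface (address plus mask)."""
    ifaces, name, addr = {}, None, None
    for line in config.splitlines() + ["!"]:  # trailing "!" flushes the last block
        if line.startswith("interface ") or line.strip() == "!":
            if name and addr:
                ifaces[name] = addr
            name, addr = None, None
            continue
        m = NAMEIF_RE.match(line)
        if m:
            name = m.group(1)
        m = IPADDR_RE.match(line)
        if m:
            addr = ip_interface(f"{m.group(1)}/{m.group(2)}")
    return ifaces


def default_routes(config):
    """Match objects for every 'route <nameif> 0.0.0.0 0.0.0.0 <next-hop>' line."""
    return [m for m in map(ROUTE_RE.match, config.splitlines())
            if m and m.group(2) == m.group(3) == "0.0.0.0"]


def lint(config):
    """Return (code, message) findings; an empty list means nothing was found."""
    problems = []
    ifaces = parse_interfaces(config)
    own_ips = {i.ip for i in ifaces.values()}

    # 1. Default route: must exist, must not use one of the PIX's own addresses
    #    as next hop, and the next hop must be on the subnet of its interface.
    routes = default_routes(config)
    if not routes:
        problems.append(("no-default-route", "no default route; off-link destinations are unreachable"))
    for m in routes:
        nameif, nh = m.group(1), ip_address(m.group(4))
        if nh in own_ips:
            problems.append(("self-next-hop", f"default route next hop {nh} is the PIX's own {nameif} address"))
        elif nameif in ifaces and nh not in ifaces[nameif].network:
            problems.append(("off-subnet-next-hop", f"default route next hop {nh} is not on the {nameif} subnet"))

    # 2. ICMP is not inspected by default in 7.x: without 'inspect icmp' the echo
    #    reply arriving on the outside interface matches no connection and is dropped.
    if not re.search(r"^\s*inspect icmp\s*$", config, re.M):
        problems.append(("no-icmp-inspect", "'inspect icmp' missing from the global policy; echo replies are dropped"))

    # 3. A NAT rule or nat 0 exemption is only mandatory when nat-control is on
    #    (off on a fresh 7.x install, on after an upgrade from 6.x).
    nat_control = re.search(r"^nat-control\s*$", config, re.M) is not None
    has_nat0 = any(m and m.group(1) == "inside" for m in map(NAT0_RE.match, config.splitlines()))
    if nat_control and not has_nat0:
        problems.append(("no-nat-exemption", "nat-control is on and inside has no nat 0 rule; inside traffic is dropped"))
    return problems


def remediation(config, gateway):
    """CLI lines that address each finding; gateway is the real upstream router's IP."""
    codes = {code for code, _ in lint(config)}
    cmds = []
    if codes & {"no-default-route", "self-next-hop", "off-subnet-next-hop"}:
        cmds += [f"no route {m.group(1)} 0.0.0.0 0.0.0.0 {m.group(4)}" for m in default_routes(config)]
        cmds.append(f"route outside 0.0.0.0 0.0.0.0 {gateway} 1")
    if "no-icmp-inspect" in codes:
        cmds += ["policy-map global_policy", " class inspection_default", "  inspect icmp"]
    if "no-nat-exemption" in codes:
        net = parse_interfaces(config)["inside"].network
        cmds += [f"access-list INSIDE-NAT0 permit ip {net.network_address} {net.netmask} any",
                 "nat (inside) 0 access-list INSIDE-NAT0"]
    return cmds


if __name__ == "__main__":
    print("\n".join(f"[{c}] {m}" for c, m in lint(SAMPLE_PIX_CONFIG)))
    print("\n".join(remediation(SAMPLE_PIX_CONFIG, "192.168.0.1")))
```

Run against the sample it reports the self-pointing default route and the missing ICMP inspection, and prints the `no route` / `route` pair plus the three policy-map lines to fix them. Nothing here will make 192.168.0.2 answer from the inside; as both replies say, the far-end interface not answering is by design, so test reachability against 192.168.0.1 or something beyond it instead.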
