BarryJoseph
Beginner

PIX 501 not talking to "Next Hop" router?

Hello,

My home network currently consists of a Cable Modem --> PIX 501 --> Switch --> internal hosts.  The PIX outside interface is set to DHCP, and the device is also DHCP server for my network.

I am trying to add a router between the ISP modem and the PIX.  (The reason is so I can monitor intrusion attempts coming in from the internet, prior to reaching the firewall.)  I have a 1605 router with 2 ethernet interfaces: E0 is set to DHCP client and connected to the ISP modem, and E1 is in the same subnet as my PIX outside interface.  The PIX is still DHCP server for the LAN, but the outside interface is now set to a static address.

Now that I have this set up I am unable to get out to the internet from inside.  To test I attempted to PING the router E0 interface from an internal host.  I then ran debug ICMP at both the 1605 and the PIX.  The router receives those requests, but the response never makes it back to the PIX.

Another thing I tried is to enable RIP v2 on the router and PIX.  With this on (and with the networks defined on the 1605) I did a "Debug RIP" on both devices.   So at the router I can see RIP broadcasts being sent out from the router, and also RIP broadcasts being received from the PIX.  But from the PIX I only see broadcasts it is sending out - it's not getting anything back from the router.

Am I missing something basic here?  I will be happy to post configs if needed.

Thank you!

-BK

23 REPLIES 23
Julio Carvajal
Advisor

Hello,

So PIX 501.. Well let's see what we can do.

So do you have any NAT on the PIX??? If yes please provide it?

if you do a show arp from the PIX do you see an arp entry for the Router IP address?

What happens if you run that ARP show command on the router??

Can you ping from the Pix to the router and from the router to the pix?

Can you add

fixup protocol icmp 

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Wow that was a fast response!!  Ok here's what I can tell you at the moment:

Concerning NAT:  I am using NAT, with Port Address Translation.  Here are the relevant entries:

(Wow I can't paste in - bummer!!)

global (outside) 1 interface

nat (inside) 0 access-list NoNAT

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp interface 99 192.168.1.99 99 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 1701 192.168.1.202 www netmask 255.255.255.255 0 0

static (inside,outside) tcp interface ftp-data 192.168.1.202 ssh netmask 255.255.255.255 0 0

Concerning your show arp suggestion - I don't see it in the ARP table right now.  But not sure if that tells us anything, since I had to disconnect the router and reconnect the PIX to the cable modem last night (so my wife will have internet service!)!  I will recable it inline tonight and check when I get home.

Will do the same at the router tonight - it's not currently online.

Yes, with everything working I was able to successfully ping from the router to the PIX outside interface...not to the inside interface though.  And I was also able to ping from the PIX outside interface to the router.

I don't currently have "fixup protocol icmp", but I do have "icmp permit any outside" and "icmp permit any inside".  Doesn't this accomplish the same thing?

Anyhow I will try your suggestions this evening, and let you know.

Thanks!

-BK

Hello Barry,

Well, the ARP table I think stays on the PIX for 5 hours so it should not be there anymore.

Now, I would recommend to add the fixup protocol and make sure the ACL NoNAT is properly configured.

Afterwards the inside users should be able to ping 4.2.2.2

The internet router will never ping the PIX inside interface address as by default you cannot contact a far end interface (that's just by design).

Last but not least, appreciate the fast and helpful answers by rating them.


Julio,

I will be sure to rate your assistance!  I'm curious though - you said inside users should be able to ping 4.2.2.2???  Where does that IP address come from?

Thanks again!

Hello Barry,

That's just an outside IP address that belongs to a public DNS server that we as networking guys always use to test connectivity to the internet.


Julio,

Unfortunately I was not able to get to this project yesterday evening.  I will definitely be hitting it when I get home though.  In the meantime I wanted to ask you a followup question.

You said earlier that I need to make sure the NoNAT ACL is properly configured.  But in reality I don't think that ACL is even used.  I created it a while back when I was playing with site-to-site VPNs.  Haven't used it since then. 

Here are the lines concerning the NoNAT ACL:

access-list NoNAT permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

nat (inside) 0 access-list NoNAT

*NOTE* the internal network is 192.168.1.0, and the outside network (to the PIX) is 192.168.0.0; is this my problem?

I was going to try to attach my full config, but I don't see a link allowing that.  (And I don't really want to type line for line; the editor doesn't allow me to copy/paste).  Let me know what you think.  Otherwise will be trying out your suggestions tonight.

Thanks again!

Ok found a workaround for attaching the config...attached as a jpg!    Also Julio I did try adding the fixup protocol icmp command you suggested.  It tells me "Usage: [no] fixup protocol icmp error".  So I think it already has icmp implied since I have icmp explicitly permitted both inside and outside interfaces.

ps. Don't worry that's not a real IP address showing in the isakmp section of the attached configuration.

Julio Carvajal
Advisor

Do the following:

access-list capin permit icmp host x.x.x.x host 4.2.2.2
access-list capin permit icmp host 4.2.2.2 host x.x.x.x
Where x.x.x.x is the internal PC you are using to test the connection.

access-list capout permit icmp host y.y.y.y host 4.2.2.2
access-list capout permit icmp host 4.2.2.2 host y.y.y.y

Where y.y.y.y is the IP address the internal PC uses on the outside.

Then

capture capin interface inside access-list capin
capture capout interface outside access-list capout

Then from x.x.x.x ping 4.2.2.2 once and provide:
show capture capin
show capture capout

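Added example, not code from the thread or from Cisco: a small Python model of the two NAT rules Barry posted (nat 0 with the NoNAT ACL, nat 1 with global interface PAT) and of the capture ACLs Julio asks for. It answers the question above about whether the NoNAT ACL touches internet-bound traffic (it does not, since the ACL only matches 192.168.1.0/24 to 192.168.2.0/24) and shows why y.y.y.y in the capout ACL must be the PAT address on the outside interface and not the inside host. The outside interface address 192.168.0.2 and the test host 192.168.1.50 are assumptions; the thread only says the outside network is 192.168.0.0/24.

```python
import ipaddress

# Assumed PIX outside interface address (the thread gives only the /24)
OUTSIDE_IP = "192.168.0.2"

# Constructed from the one NoNAT line posted in the thread:
#   access-list NoNAT permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
NONAT_ACL = [("192.168.1.0/24", "192.168.2.0/24")]


def nonat_matches(src, dst):
    """True if 'nat (inside) 0 access-list NoNAT' exempts this src/dst pair."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(a) and d in ipaddress.ip_network(b)
               for a, b in NONAT_ACL)


def outside_source(src, dst):
    """Source address the packet carries when it leaves the outside interface.

    nat 0 (exemption) keeps the real address; otherwise 'nat (inside) 1' plus
    'global (outside) 1 interface' PATs the host to the outside interface IP.
    """
    return src if nonat_matches(src, dst) else OUTSIDE_IP


def capture_acl(name, host_a, host_b):
    """Two-line bidirectional ICMP capture ACL, in PIX syntax."""
    return [
        f"access-list {name} permit icmp host {host_a} host {host_b}",
        f"access-list {name} permit icmp host {host_b} host {host_a}",
    ]


def capture_commands(inside_host, remote="4.2.2.2"):
    """Full set of commands for the inside/outside ICMP captures."""
    y = outside_source(inside_host, remote)      # what the PC looks like outside
    cmds = capture_acl("capin", inside_host, remote)
    cmds += capture_acl("capout", y, remote)
    cmds += [
        "capture capin interface inside access-list capin",
        "capture capout interface outside access-list capout",
    ]
    return cmds


def acl_matches_packet(acl_lines, src, dst):
    """Does an ICMP packet src->dst hit any 'permit icmp host A host B' line?"""
    for line in acl_lines:
        parts = line.split()
        if parts[2:5] != ["permit", "icmp", "host"] or parts[6] != "host":
            continue
        if (parts[5], parts[7]) == (src, dst):
            return True
    return False


if __name__ == "__main__":
    inside = "192.168.1.50"
    for c in capture_commands(inside):
        print(c)
    # The echo request as it appears on the outside wire after PAT
    pkt = (outside_source(inside, "4.2.2.2"), "4.2.2.2")
    wrong = capture_acl("capout", inside, "4.2.2.2")
    print("capout written with the inside host address matches:",
          acl_matches_packet(wrong, *pkt))
```

The last two lines of the script are the check that matters for the thread: a capout ACL written with the inside host's 192.168.1.x address never matches anything on the outside interface, because by then the packet already carries the interface address, so an empty capout would be a misconfigured capture rather than evidence that the PIX dropped the traffic.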

Hi!

Thank you, this gives me something else to try tomorrow.  Only question I have: my internal hosts don't have an external IP address since I am using port address translation.  What would I use for y.y.y.y, the ISP address?  Would I specify a specific port?  Sorry, that part has me stumped.  Otherwise will try your suggestions tomorrow.

Thank you!

bk

"since I am using port address translation."

Use the PAT address then, bud. No need for the port.


Hi Julio,

Please pardon my ignorance.  But we're getting into an area that I don't understand all that well (which is probably why I haven't been able to get this working yet!)

In my current setup I have several externally accessible internal hosts.  For each one I have an access-list entry in the PIX specifying a port.  Then I have a mapping entry that ties the port to the internal client.

For your suggestions "access-list capout icmp host y.y.y.y host 4.2.2.2" and "access-list capout permit icmp host 4.2.2.2 host y.y.y.y"  you said y.y.y.y is the IP address the internal host uses outside.  I asked you if I should use the ISP address; I should have asked if I should use the ISP provided address (which I'm currently PAT'ing out).  So according to your last response I should just use that address for y.y.y.y right?

Sorry for all the questions - just want to make sure I understand so I can follow your advice!!

-Bk

Hello,

Yes, however the internal PC looks on the outside. Use that IP.


Ok will try this tonight and let you know how it works out (and hopefully won't be begging for more help)  Thank you!

nah no problem.

We are here to help
