12-10-2013 12:59 PM - edited 03-11-2019 08:15 PM
Hello,
My home network currently consists of a Cable Modem --> PIX 501 --> Switch --> internal hosts. The PIX outside interface is set to DHCP, and the device is also DHCP server for my network.
I am trying to add a router between the ISP modem and the PIX. (The reason is so I can monitor intrusion attempts coming in from the internet, prior to reaching the firewall.) I have a 1605 router with 2 Ethernet interfaces: E0 is set to DHCP client and connected to the ISP modem; E1 is in the same subnet as my PIX outside interface. The PIX is still DHCP server for the LAN, but the outside interface is now set to a static address.
Now that I have this set up I am unable to get out to the internet from inside. To test I attempted to PING the router E0 interface from an internal host. I then ran debug ICMP at both the 1605 and the PIX. The router receives those requests, but the response never makes it back to the PIX.
Another thing I tried is to enable RIP v2 on the router and PIX. With this on (and with the networks defined on the 1605) I did a "Debug RIP" on both devices. So at the router I can see RIP broadcasts being sent out from the router, and also RIP broadcasts being received from the PIX. But from the PIX I only see broadcasts it is sending out - it's not getting anything back from the router.
Am I missing something basic here? I will be happy to post configs if needed.
Thank you!
-BK
12-14-2013 04:19 AM
Hello Barry,
Could be an ARP issue.
The ASA is showing the traffic leaving its outside interface, that lets me know it's not an ASA issue bud.
Share the following
show ip
show interface ip brief
Do you have access to the ISP modem? If yes, get in and check the ARP table and look for the ASA IP address.
You should find it. Then look at the mac address and make sure it belongs to the outside interface of the ASA
Show interface ethernet 0
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
12-10-2013 01:08 PM
Hello,
So PIX 501.. Well let's see what we can do.
So do you have any NAT on the PIX??? If yes please provide it?
if you do a show arp from the PIX do you see an arp entry for the Router IP address?
What happens if you run that ARP show command on the router??
Can you ping from the Pix to the router and from the router to the pix?
Can you add
fixup protocol icmp
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
12-10-2013 01:32 PM
Wow that was a fast response!! Ok here's what I can tell you at the moment:
Concerning NAT: I am using NAT, with Port Address Translation. Here are the relevant entries:
(Wow I can't paste in - bummer!!)
global (outside) 1 interface
nat (inside) 0 access-list NoNAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 99 192.168.1.99 99 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1701 192.168.1.202 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp-data 192.168.1.202 ssh netmask 255.255.255.255 0 0
Concerning your show arp suggestion - I don't see it in the ARP table right now. But not sure if that tells us anything, since I had to disconnect the router and reconnect the PIX to the cable modem last night (so my wife will have internet service!)! I will recable it inline tonight and check when I get home.
Will do the same at the router tonight - it's not currently online.
Yes, with everything working I was able to successfully ping from the router to the PIX outside interface... not to the inside interface though. And I was also able to ping from the PIX outside interface to the router.
I don't currently have "fixup protocol icmp", but I do have "icmp permit any outside" and "icmp permit any inside". Doesn't this accomplish the same thing?
Anyhow I will try your suggestions this evening, and let you know.
Thanks!
-BK
12-10-2013 01:55 PM
Hello Barry,
Well, the ARP table I think stays on the PIX for 5 hours so it should not be there anymore.
Now, I would recommend to add the fixup protocol and make sure the ACL NoNAT is properly configured.
Afterwards the inside users should be able to ping 4.2.2.2
The internet router will never ping the PIX inside interface address as by default you cannot contact a far end interface (that's just by design).
Last but not least, appreciate the fast and helpful answers by rating them.
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
12-10-2013 02:05 PM
Julio,
I will be sure to rate your assistance! I'm curious though - you said inside users should be able to ping 4.2.2.2??? Where does that IP address come from?
Thanks again!
12-10-2013 02:07 PM
Hello Barry,
That's just an outside IP address that belongs to a public DNS that we as networking guys always use to test connectivity to the internet.
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
12-11-2013 11:27 AM
Julio,
Unfortunately I was not able to get to this project yesterday evening. I will definitely be hitting it when I get home though. In the meantime I wanted to ask you a followup question.
You said earlier that I need to make sure the NoNAT ACL is properly configured. But in reality I don't think that ACL is even used. I created it a while back when I was playing with site-to-site VPNs. Haven't used it since then.
Here are the lines concerning the NoNAT ACL:
access-list NoNAT permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NoNAT
*NOTE* the internal network is 192.168.1.0, and the outside network (to the PIX) is 192.168.0.0; is this my problem?
I was going to try to attach my full config, but I don't see a link allowing that. (And I don't really want to type line for line; the editor doesn't allow me to copy/paste). Let me know what you think. Otherwise will be trying out your suggestions tonight.
Thanks again!
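To make the NoNAT question concrete, here is an added example (not the poster's configuration or any Cisco tool) that walks the config lines quoted in this thread through the PIX 6.x translation order: NAT exemption (nat 0 access-list) is consulted first, then static translations, then the dynamic nat/global pair. The exemption only applies to flows the NoNAT ACL permits, so a ping from the 192.168.1.0/24 LAN to 4.2.2.2 does not match it and falls through to the PAT on the outside interface. The outside interface address used below is a constructed placeholder, since the thread never gives it, and the comma typo in one netmask has been corrected.

```python
"""Minimal evaluator of the PIX 6.x NAT order for the config quoted in this thread.

Added example, not the poster's tool. Assumed order (as documented for PIX 6.x):
nat 0 access-list (exemption) -> static -> nat/global (dynamic PAT).
"""
import ipaddress

# Constructed placeholder: the thread does not state the PIX outside address.
OUTSIDE_INTERFACE_IP = "192.168.0.2"

# Config lines as quoted in the thread (netmask comma typo corrected).
PIX_CONFIG = """
access-list NoNAT permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list NoNAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 99 192.168.1.99 99 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1701 192.168.1.202 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp-data 192.168.1.202 ssh netmask 255.255.255.255 0 0
"""

# Only the service names that appear in the quoted config.
PORT_NAMES = {"www": 80, "ssh": 22, "ftp-data": 20}


def port(tok):
    return PORT_NAMES.get(tok) or int(tok)


def net(addr, mask):
    # PIX writes networks as "address mask"; ipaddress accepts "address/mask".
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(config):
    """Split the config into ACLs, port statics, nat rules and global pools."""
    acls, statics, nat_rules, globals_ = {}, [], [], {}
    for line in config.strip().splitlines():
        t = line.split()
        if t[0] == "access-list" and t[2] == "permit":
            acls.setdefault(t[1], []).append((t[3], net(t[4], t[5]), net(t[6], t[7])))
        elif t[0] == "global":
            globals_[int(t[2])] = t[3]
        elif t[0] == "nat":
            if t[2] == "0" and t[3] == "access-list":
                nat_rules.append(("exempt", t[4]))
            else:
                nat_rules.append(("dynamic", int(t[2]), net(t[3], t[4])))
        elif t[0] == "static" and t[2] in ("tcp", "udp"):
            # static (inside,outside) tcp <mapped> <mapped-port> <real> <real-port> ...
            statics.append((t[2], t[3], port(t[4]), ipaddress.ip_address(t[5]), port(t[6])))
    return acls, statics, nat_rules, globals_


def acl_permits(acl, proto, src, dst):
    return any((p == "ip" or p == proto) and src in s and dst in d for p, s, d in acl)


def translate(config, proto, src, dst, sport=None):
    """Return what the PIX does with an inside->outside packet:
    ('exempt', src), ('static', mapped_ip, mapped_port) or ('pat', mapped_ip)."""
    acls, statics, nat_rules, globals_ = parse(config)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # 1. NAT exemption: only flows the referenced ACL permits are left untranslated.
    for rule in nat_rules:
        if rule[0] == "exempt" and acl_permits(acls.get(rule[1], []), proto, src, dst):
            return ("exempt", str(src))
    # 2. Port statics: match on real host and real source port.
    for sproto, mapped, mport, real, rport in statics:
        if sproto == proto and real == src and sport == rport:
            return ("static", OUTSIDE_INTERFACE_IP if mapped == "interface" else mapped, mport)
    # 3. Dynamic nat/global: everything else is PAT'ed to the global pool.
    for rule in nat_rules:
        if rule[0] == "dynamic" and src in rule[2]:
            g = globals_[rule[1]]
            return ("pat", OUTSIDE_INTERFACE_IP if g == "interface" else g)
    return ("none", str(src))


if __name__ == "__main__":
    print(translate(PIX_CONFIG, "icmp", "192.168.1.50", "4.2.2.2"))       # PAT'ed
    print(translate(PIX_CONFIG, "icmp", "192.168.1.50", "192.168.2.7"))   # NoNAT exempt
```

Running it shows the test ping to 4.2.2.2 is PAT'ed to the outside interface address, while only traffic toward 192.168.2.0/24 (the old VPN network) is exempted; the NoNAT ACL is therefore not in the path of the ping.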
12-11-2013 11:40 AM
Ok found a workaround for attaching the config...attached as a jpg! Also Julio I did try adding the fixup protocol icmp command you suggested. It tells me "Usage: [no] fixup protocol icmp error". So I think it already has icmp implied since I have icmp explicitly permitted both inside and outside interfaces.
PS. Don't worry, that's not a real IP address showing in the isakmp section of the attached configuration.
12-11-2013 06:20 PM
Do the following:
access-list capin permit icmp host x.x.x.x host 4.2.2.2
access-list capin permit icmp host 4.2.2.2 host x.x.x.x
Where x.x.x.x is the internal PC you are using to test the connection.
access-list capout permit icmp host y.y.y.y host 4.2.2.2
access-list capout permit icmp host 4.2.2.2 host y.y.y.y
Where y.y.y.y is the IP address the internal PC uses on the outside.
Then
capture capin interface inside access-list capin
capture capout interface outside access-list capout
Then from x.x.x.x ping 4.2.2.2 once and provide:
show cap capin
show cap capout
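The two captures above are useful because together they localise the fault: the inside capture sees the pre-NAT addresses, the outside capture sees the PAT address, and whichever of the four legs (request in, request out, reply out, reply in) is missing points at the segment that dropped it. The following added example (not from the thread or from Cisco) encodes that decision tree. The capture lines are constructed in the style of "show capture" text and the parser keys only on the address pair and the echo request/reply words, so it tolerates extra fields in real output.

```python
"""Locate where a single ping died from a pair of PIX/ASA captures.

Added example; the sample capture text is constructed, not real device output.
"""
import re

# Address pair and ICMP echo type from a 'show capture' style line (approximate format).
LINE_RE = re.compile(
    r"(\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+): icmp: echo (request|reply)"
)

VERDICTS = {
    "no_request_inside": "echo request never reached the inside interface (host or LAN side)",
    "dropped_outbound": "request on inside but not outside: dropped in the firewall (NAT or ACL)",
    "no_reply_upstream": "request left outside but no reply came back: look upstream (router, ARP, ISP)",
    "dropped_inbound": "reply reached outside but not inside: dropped in the firewall (return path)",
    "ok": "request and reply seen on both interfaces",
}


def parse_capture(text):
    """Return (src, dst, 'request'|'reply') tuples found in the capture text."""
    return [m.groups() for m in LINE_RE.finditer(text)]


def diagnose(capin_text, capout_text, inside_host, pat_ip, target):
    """Check the four legs of the round trip in order and return a verdict key."""
    capin = parse_capture(capin_text)
    capout = parse_capture(capout_text)
    if (inside_host, target, "request") not in capin:
        return "no_request_inside"
    if (pat_ip, target, "request") not in capout:      # outside shows the PAT address
        return "dropped_outbound"
    if (target, pat_ip, "reply") not in capout:
        return "no_reply_upstream"
    if (target, inside_host, "reply") not in capin:    # inside shows the real address
        return "dropped_inbound"
    return "ok"


# Constructed samples: the symptom described in the thread (request leaves, nothing returns).
CAPIN_SAMPLE = """
1: 20:15:01.101010 192.168.1.50 > 4.2.2.2: icmp: echo request
"""
CAPOUT_SAMPLE = """
1: 20:15:01.101110 192.168.0.2 > 4.2.2.2: icmp: echo request
"""
# Constructed variant where the reply reaches the outside interface but is not passed in.
CAPOUT_SAMPLE_WITH_REPLY = CAPOUT_SAMPLE + """
2: 20:15:01.140000 4.2.2.2 > 192.168.0.2: icmp: echo reply
"""

if __name__ == "__main__":
    key = diagnose(CAPIN_SAMPLE, CAPOUT_SAMPLE, "192.168.1.50", "192.168.0.2", "4.2.2.2")
    print(VERDICTS[key])
```

The PAT address (192.168.0.2 here) and the inside host are constructed values; substitute the y.y.y.y and x.x.x.x from your own captures.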
12-11-2013 08:04 PM
Hi!
Thank you, this gives me something else to try tomorrow. Only question I have: my internal hosts don't have an external IP address since I am using port address translation. What would I use for y.y.y.y, the ISP address? Would I specify a specific port? Sorry, that part has me stumped. Otherwise will try your suggestions tomorrow.
Thank you!
bk
12-11-2013 09:13 PM
since I am using port address translation.
Use the PAT address then bud. No need for the port.
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
12-12-2013 06:21 AM
Hi Julio,
Please pardon my ignorance. But we're getting into an area that I don't understand all that well (which is probably why I haven't been able to get this working yet!)
In my current setup I have several externally accessible internal hosts. For each one I have an access-list entry in the PIX specifying a port. Then I have a mapping entry that ties the port to the internal client.
For your suggestions "access-list capout icmp host y.y.y.y host 4.2.2.2" and "access-list capout permit icmp host 4.2.2.2 host y.y.y.y" you said y.y.y.y is the IP address the internal host uses outside. I asked you if I should use the ISP address; I should have asked if I should use the ISP provided address (which I'm currently PAT'ing out). So according to your last response I should just use that address for y.y.y.y right?
Sorry for all the questions - just want to make sure I understand so I can follow your advice!!
-Bk
12-12-2013 06:25 AM
Hello,
Yes, however the internal PC looks on the outside. Use that IP.
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
12-12-2013 06:32 AM
Ok, will try this tonight and let you know how it works out (and hopefully won't be begging for more help). Thank you!
12-12-2013 06:33 AM
Nah, no problem.
We are here to help.
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com