pix 520 help outside to inside

b.withrow · ‎03-25-2005

I have a node on the outside of our PIX that needs to communicate back to a device on the inside of the PIX. It is for TACACS authentication. For some reason I can't get it to work. I tried a conduit like:

"conduit permit ip host <IP of device on outside> host <IP of device on inside>

but that didn't work. I also added a static route on the device to direct the traffic to that one inside IP to the proper interface and it failed too. If I put a sniffer on it and force ICMP packets, I don't see anything coming back from the inside node. Any ideas?

getmedrew · ‎03-25-2005

If you do deb icmp trace on the pix and then try pinging from outside to inside do you see imcp packets from inside to outside?

If you dont you might want to check the default gateway on the inside box.... if you can see them at least getting to the pix then we need to db-check the pix config

b.withrow · ‎03-25-2005

Thanks for the response.

I just did the debug icmp trace and logged the output to a file. I then logged into the outside device a sourced a ping from the PIX connected interface. I then searched the LOG for the IP of the source and of the destination and neither were anywhere in the log.

From the PIX I can ping the outside node and the inside node.

A trace from the outside node to the inside node just shows ...........

mhussein · ‎03-25-2005

Hi,

Are the outside device and the pix's outside interface located on the same segment? same subnet mask?

Assuming that the tacacs host is translated:

static (inside, outside) tacacs_private tacacs_public

check the pix outside arp cache (show arp), to verify that the pix is arp'ing for "tacacs_public" with the correct ip address.

Then from the outside device: 1) ping tacacs_public, and 2)check the arp table. The arp entry for tacacs_public ip should be the pix's outside mac address.

Please keep us posted

Regards,

Mustafa