
PIX and Router directly connected, link up/up, no ping, no arp

rpmcgurn1234
Level 1

I have a 3700 series router and a PIX 525 with unlimited licensing.

PIX:

int e0 DHCP to WAN, that works fine

int e1 (admin shutdown for testing)

int e2 up/up, 192.168.100.1/24, speed 100, duplex full, sec-level 100, nameif=INSIDE2

3745:

int fa1/0, up/up, 192.168.100.2/24, speed 100, duplex full, no shutdown

The devices are connected with a known good (tested) crossover cable.

The ip route on each side shows the network directly configured

I can NOT ping from the pix to the router, or from the router to the pix.

I CAN ping each interface from each device (router can ping its own IP, 192.168.100.2; PIX can ping its own IP, 192.168.100.1).

I've setup a capture on the pix, no packets captured at all even while pinging.

It's probably something very stupid that I overlooked, but it is driving me crazy.  Ultimately I'd like to put a catalyst behind the router, but would like to get connectivity established here first.

Any thoughts/suggestions/ideas to point me in the right direction would be very much appreciated.  Thanks in advance!

12 Replies

Julio Carvajal
VIP Alumni

Hello Ronan,

Can you share the

show interface xx from both interfaces ( PIX and switch side)

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thank you for your response, here is the show interfaces on both devices for the interfaces in question:

c3745:

FastEthernet1/0 is up, line protocol is up

  Hardware is AmdFE, address is 0011.bba2.f1c1 (bia 0011.bba2.f1c1)

  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,

     reliability 255/255, txload 1/255, rxload 1/255

  Encapsulation ARPA, loopback not set

  Keepalive set (10 sec)

  Half-duplex, 100Mb/s, 100BaseTX/FX

  ARP type: ARPA, ARP Timeout 04:00:00

  Last input 21:10:08, output 00:00:04, output hang never

  Last clearing of "show interface" counters 00:00:13

  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

  Queueing strategy: fifo

  Output queue: 0/40 (size/max)

  5 minute input rate 0 bits/sec, 0 packets/sec

  5 minute output rate 0 bits/sec, 0 packets/sec

     0 packets input, 0 bytes

     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles

     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

     0 watchdog

     0 input packets with dribble condition detected

     1 packets output, 60 bytes, 0 underruns

     0 output errors, 0 collisions, 0 interface resets

     1 unknown protocol drops

     17 unknown protocol drops

     0 babbles, 0 late collision, 0 deferred

     0 lost carrier, 0 no carrier

     0 output buffer failures, 0 output buffers swapped out

PIX 525:

Interface Ethernet2 "INSIDE2", is up, line protocol is up

  Hardware is i82559, BW 100 Mbps, DLY 100 usec

        Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)

        Description: to fa0/1 on c3745

        MAC address 0005.5d18.4364, MTU 1500

        IP address 192.168.100.1, subnet mask 255.255.255.0

        0 packets input, 0 bytes, 0 no buffer

        Received 0 broadcasts, 0 runts, 0 giants

        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

        0 L2 decode drops

        6 packets output, 384 bytes, 0 underruns

        0 output errors, 0 collisions, 0 interface resets

        0 babbles, 0 late collisions, 0 deferred

        0 lost carrier, 0 no carrier

        input queue (curr/max packets): hardware (0/0) software (0/0)

        output queue (curr/max packets): hardware (0/1) software (0/1)

  Traffic Statistics for "INSIDE2":

        0 packets input, 0 bytes

        6 packets output, 168 bytes

        0 packets dropped

      1 minute input rate 0 pkts/sec,  0 bytes/sec

      1 minute output rate 0 pkts/sec,  0 bytes/sec

      1 minute drop rate, 0 pkts/sec

      5 minute input rate 0 pkts/sec,  0 bytes/sec

      5 minute output rate 0 pkts/sec,  0 bytes/sec

      5 minute drop rate, 0 pkts/sec

I hope this helps.  Thanks again.

Hello Ronan

Do the following:

On the c3745:

FastEthernet1/0

duplex full

Then give it a try

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks for the suggestions, I tried that, as well as auto/auto on both ends and still same result.  When I do a s ip arp on the c3745, I get:

Protocol  Address          Age (min)  Hardware Addr   Type   Interface

Internet  96.56.78.170            -   0011.bba2.f1b1  ARPA   FastEthernet0/1

Internet  172.16.0.1              7   0011.bb5b.1e00  ARPA   FastEthernet0/0

Internet  172.16.0.2              1   000c.291a.e587  ARPA   FastEthernet0/0

Internet  172.16.0.4             15   000c.296f.8a52  ARPA   FastEthernet0/0

Internet  172.16.0.254            -   0011.bba2.f1b0  ARPA   FastEthernet0/0

which is fine, everything there works.

On the PIX side, doing the same, I get:

OUTSIDE 24.185.247.176 204e.7fc5.4f53 10024

OUTSIDE 24.185.245.248 0013.c45c.de51 10054

OUTSIDE 69.121.30.195 0005.00e2.5931 10054

inside 192.168.0.2 0011.bb5b.1e00 10235

Which is also correct.

Still can not ping from one to the other or vice versa. 

Also here are the ip route from each device:

c3745:

Gateway of last resort is not set

C    192.168.72.0/24 is directly connected, Loopback1

S    192.168.110.0/24 [1/0] via 172.16.0.1

     172.16.0.0/24 is subnetted, 1 subnets

C       172.16.0.0 is directly connected, FastEthernet0/0

C    192.168.100.0/24 is directly connected, FastEthernet1/0

PIX525

S    192.168.110.0 255.255.255.0 [1/0] via 192.168.0.2, inside

S    172.16.0.0 255.255.255.0 [1/0] via 192.168.0.2, inside

C    24.185.244.0 255.255.252.0 is directly connected, OUTSIDE

C    192.168.0.0 255.255.255.0 is directly connected, inside

C    192.168.100.0 255.255.255.0 is directly connected, INSIDE2

S*   0.0.0.0 0.0.0.0 [1/0] via 69.121.30.195, OUTSIDE

All the route statements in the PIX are:

route OUTSIDE 0.0.0.0 0.0.0.0 64.xxx.xxx.195 1

route inside 172.16.0.0 255.255.255.0 192.168.0.2 1

route inside 192.168.110.0 255.255.255.0 192.168.0.2 1

192.168.0.2 is the VLAN interface IP address on a Catalyst 3550 Layer 3 switch.  One switchport is assigned to it and the PIX is directly connected to the 3550 that way.  The 3550 handles the other VLANs as well.  Also, one interface on the router will be connected to the switch in a VLAN.  I'm trying to get the router behind the PIX to have it function as a CUBE for CallManager.  I need to be able to send SIP traffic out my routable IP address and receive it into the router on udp/5060.

If more info is necessary, I'll be happy to supply it.  Thanks again in advance.

Hello Ronan,

Share:

show run interface FastEthernet1/0 ( on switch)

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks again for the response, there is no fa1/0 on the switch, but hopefully this post clarifies some things

Currently internet traffic goes like such:

Internet -> PIX (e0, OUTSIDE) -> PIX (e1, INSIDE) -> CATALYST-3550 (vlan900/fa0/48) -> END HOST

I want to add the c3745 between the Catalyst 3550 and the switch so traffic goes like such:

Internet -> PIX (e0, OUTSIDE) -> PIX (e2, INSIDE2, 192.168.100.1) -> c3745 (int fa1/0, 192.168.100.2) -> c3745 (fa0/1, 192.168.101.1) -> CATALYST-3550 (vlan901 - 192.168.101.2, fa0/47) -> END HOST

I'm not 100% sure how to do this.  I also need to have a third interface on the router (0/1) connected to a switchport that is part of vlan200 for CUCM so the router can function as a voice GW and CUBE.  I think this will allow me to do what I need, which is to have the VLANs on the 3550 have internet access, as well as use the c3745 as a voice GW, and send SIP traffic out to the internet from the c3745 but through the PIX so the routable IP is used.  My SIP provider uses an ACL to allow SIP traffic, thus my outbound SIP traffic needs to come from 24.xxx.xxx.122.  I also need to be able to accept udp/5060 through the PIX to the c3745 and on to where it needs to go from there.  That network, by the way, is 172.16.0.0/24, thus the reason for a 172.16.0.254 IP address on the c3745 fa0/0, which connects to a switchport on the 3550 in that VLAN.

Anyway, here are my s run interfaces for the relevant interfaces:

interface FastEthernet0/48

description 192.168.0.2/24, to PIX-e1

switchport access vlan 900

switchport mode access

This interface is the only one assigned to vlan900, the ip address of the vlan interface is 192.168.0.2, the interface on the PIX, e1 is configured at 192.168.0.1.

-------------------------

CATALYST-3550, int fa0/47:

interface FastEthernet0/47

description 192.168.101.2/24, to c3745 0/1

switchport access vlan 901

switchport mode access

speed 100

duplex full

spanning-tree portfast

spanning-tree bpduguard enable

---------------------------------

c3745, int fa0/1

interface FastEthernet0/1

description 192.168.100.2, to PIX-e2

ip address 192.168.101.1 255.255.255.0

no ip unreachables

ip virtual-reassembly

speed 100

full-duplex

no mop enabled

----------------------------------

c3745, int fa1/0

interface FastEthernet1/0

ip address 192.168.100.2 255.255.255.0

speed 100

full-duplex

--------------------------------

PIX, int e1, inside

interface Ethernet1

nameif inside

security-level 100

ip address 192.168.0.1 255.255.255.0

-------------------------------

PIX, int e2, INSIDE2

interface Ethernet2

description to fa0/1 on c3745

speed 100

duplex full

nameif INSIDE2

security-level 100

ip address 192.168.100.1 255.255.255.0

-----------------------------

Sorry about the long post, but I hope this helps

Hey Ronan,

Have you tried a debug arp?

What do you get?

Also what would happen if you use a different port of the PIX to try the same kind of connection?

I understand that you applied a capture, was it an Ether-type capture for ARP?

Thanks for the reply, I HAVE tried this exact config with different interfaces on the PIX (there are 9 total lol).  Same results.  I have not tried a debug arp yet, that is still new to me.  Also, I am still new to captures, so I'm going to say that no, it was not an Ether-type capture for ARP.  Could you explain how to do this please?

Thanks again.

Sure,

For the debug ARP, I would recommend running it while trying to ping from one device to the other (PIX to RTR and vice versa).

To disable the debug, just issue "und deb arp" or "und all".

Here is the capture you can try:

capture arp ethernet-type arp interface INSIDE2

Please let me know if you can see any packet hitting that interface during the ARP discovery process and if the PIX is actually getting a reply when it sends the "who has" packets.

If you could provide some of those captures output that would be great.

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/c1.html#wp2129312

Upon running arp debug, I can see ARP is trying to happen, just not successfully completing.  Here is the output:

c3745:

006319: *Jun 28 15:08:44.074 EDT: IP ARP: rcvd req src 192.168.100.1 0005.5d18.4364, dst 192.168.100.2 FastEthernet1/0

006320: *Jun 28 15:08:44.074 EDT: IP ARP: sent rep src 192.168.100.2 0011.bba2.f1c1,

                 dst 192.168.100.1 0005.5d18.4364 FastEthernet1/0

PIX:

arp-send: arp request built from 192.168.100.1 0005.5d18.4364 for 192.168.100.2 at 260012470

?arp-req: generating request for 192.168.100.2 at interface INSIDE2

arp-req: request for 192.168.100.2 still  pending

----------------------------

Not sure what is causing the problem though.  Any additional insight would be excellent, thank you all.
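As an added example (not part of the thread), the script below reconstructs, byte for byte, the two ARP frames that the debug output above describes: the request the PIX builds from 192.168.100.1 / 0005.5d18.4364 for 192.168.100.2, and the reply the router says it sent from 192.168.100.2 / 0011.bba2.f1c1 back to the PIX. It then applies the matching rule an ARP resolver uses to clear a pending request, so the two states in the thread can be checked against whatever the `capture arp ethernet-type arp interface INSIDE2` capture from the earlier post shows: a capture containing the router's reply resolves the entry, an empty capture leaves it "still pending". The frame builder pads to the 60-byte Ethernet minimum (without FCS), which is also the size of the single packet the router's "show interface" counted as output earlier in the thread. The addresses are the ones posted; the function names are this example's own.

```python
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = 'ffff.ffff.ffff'
MIN_FRAME = 60  # Ethernet minimum without the 4-byte FCS


def mac_bytes(cisco_mac):
    """Cisco dotted-hex '0005.5d18.4364' -> 6 raw bytes."""
    return bytes.fromhex(cisco_mac.replace('.', ''))


def mac_str(b):
    h = b.hex()
    return f'{h[0:4]}.{h[4:8]}.{h[8:12]}'


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split('.'))


def ip_str(b):
    return '.'.join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_ip, target_mac=None):
    """Ethernet II + ARP frame. A request is broadcast with an all-zero target
    MAC; a reply is unicast straight back to the requester's MAC."""
    if op == ARP_REQUEST:
        eth_dst, tgt_mac = mac_bytes(BROADCAST), b'\x00' * 6
    else:
        eth_dst = tgt_mac = mac_bytes(target_mac)
    eth = eth_dst + mac_bytes(sender_mac) + struct.pack('!H', ETHERTYPE_ARP)
    arp = struct.pack('!HHBBH', 1, 0x0800, 6, 4, op)          # Ethernet, IPv4, hlen, plen, op
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += tgt_mac + ip_bytes(target_ip)
    frame = eth + arp                                         # 42 bytes
    return frame + b'\x00' * max(0, MIN_FRAME - len(frame))   # pad to 60 on the wire


def parse_arp(frame):
    """Decode an Ethernet/ARP frame; None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack('!H', frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack('!HHBBH', frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return {
        'eth_dst': mac_str(frame[0:6]), 'eth_src': mac_str(frame[6:12]), 'op': op,
        'sender_mac': mac_str(body[0:6]), 'sender_ip': ip_str(body[6:10]),
        'target_mac': mac_str(body[10:16]), 'target_ip': ip_str(body[16:20]),
    }


def resolve(request, captured_frames):
    """Return the MAC that answers `request`, or None if no frame in the capture
    is a reply for that request (the 'request ... still pending' state)."""
    req = parse_arp(request)
    for frame in captured_frames:
        p = parse_arp(frame)
        if (p and p['op'] == ARP_REPLY
                and p['sender_ip'] == req['target_ip']      # answers the IP we asked for
                and p['target_ip'] == req['sender_ip']      # addressed to our IP
                and p['target_mac'] == req['sender_mac']):  # and to our MAC
            return p['sender_mac']
    return None


# The two frames described by the debug output posted above.
PIX_REQ = build_arp(ARP_REQUEST, '0005.5d18.4364', '192.168.100.1', '192.168.100.2')
RTR_REP = build_arp(ARP_REPLY, '0011.bba2.f1c1', '192.168.100.2', '192.168.100.1',
                    target_mac='0005.5d18.4364')

if __name__ == '__main__':
    print('request :', parse_arp(PIX_REQ))
    print('reply   :', parse_arp(RTR_REP))
    print('reply seen on INSIDE2 ->', resolve(PIX_REQ, [RTR_REP]))   # 0011.bba2.f1c1
    print('empty capture          ->', resolve(PIX_REQ, []))         # None: still pending
```

The router's "sent rep" line proves it built the unicast reply; if the PIX capture on INSIDE2 shows no frame at all while the router counts that frame as output, the loss is on the physical path between the two NICs, which is where the thread's suggestions (other PIX ports, a static ARP entry, the PIX OS version) are probing.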

Really weird; it seems the router is indeed sending its MAC address to the PIX.

For some reason this PIX is not receiving or processing this message.

Have you tried setting up a static ARP entry on the PIX?

Something like:

INSIDE2 192.168.100.2 0011.bba2.f1c1

Also, could you get the capture on the INSIDE2 interface of the PIX to confirm that the PIX is receiving the following packet?

006320: *Jun 28 15:08:44.074 EDT: IP ARP: sent rep src 192.168.100.2 0011.bba2.f1c1, dst 192.168.100.1 0005.5d18.4364 FastEthernet1/0

Also, which OS code are you running on this PIX?
