PIX doesn't allow my LAN to INTERNET

hiruannaofit
Level 1

Hi dear all,

Actually I have set "access-list permit icmp any any echo-reply" time-exceeded & unreachable.......so now I am able to ping from my PIX console to my ISP GW ip...but still I am not able to access internet or ping from my inside n/w PCs to internet GW.

Pls. find the below details of my n/w and config and suggest where am I missing?

I need ur help badly, now it's a question of my output....please help me ASAP.

I can't remove my border router because it has been sold to my customers earlier for my SUN servers.

Pls. note my yahoo messenger ID is barodians_us@yahoo.com If u are not disturb u can come on yahoo for chatting to suggest me online.

N/W setup:

#My router inside ip (172.16.29.1/24)--Router outside (10.1.1.1/24)--PIX inside (10.1.1.2/24)--PIX outside (208.144.230.197 255.255.255.224-ISP supplied)

#My ISP Gateway address is 208.144.230.200

#My DNS servers are 208.144.230.1 and 208.144.230.2

#VLAN Config:

boot-start-marker
boot-end-marker
no aaa new-model
ip subnet-zero
!
no ip dhcp conflict logging
ip dhcp excluded-address 172.16.29.1 172.16.29.240
ip dhcp excluded-address 172.16.29.250 172.16.29.254
!
ip dhcp pool dhcppool
   network 172.16.29.0 255.255.255.0
   dns-server 208.144.230.1 208.144.230.2
   default-router 172.16.29.1
!
interface FastEthernet0/0
 ip address 208.144.230.197 255.255.255.224
 ip nat outside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.16.29.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
ip nat inside source list 7 interface FastEthernet0/0 overload
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 208.144.230.200
!
access-list 7 permit 172.16.29.0 0.0.0.255
!

#PIX 515E config:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname VLANPIX
domain-name VLAN
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol http 80
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
access-list acl_outbound permit icmp any any
access-list acl_outbound permit tcp any any eq pop3
access-list acl_outbound permit tcp any any eq smtp
access-list acl_outbound permit tcp any any eq domain
access-list acl_outbound permit udp any any eq domain
access-list acl_outbound permit tcp any any eq www
access-list acl_outbound permit tcp any any eq telnet
access-list acl_outbound permit tcp any any eq h323
access-list acl_outbound permit tcp any any eq https
access-list acl_outbound permit tcp any any eq 1863
access-list acl_outbound permit tcp any any eq ftp-data
access-list acl_outbound permit tcp any any eq ftp
access-list acl_outbound deny ip any any
access-list acl_inbound permit icmp any any
access-list acl_inbound permit tcp any any eq 1863
access-list acl_inbound permit tcp any any eq ftp
access-list acl_inbound permit tcp any any eq ftp-data
access-list acl_inbound permit tcp any any eq h323
access-list acl_inbound permit tcp any any eq pop3
access-list acl_inbound permit tcp any any eq smtp
access-list acl_inbound permit tcp any any eq www
access-list acl_inbound permit tcp any any eq domain
access-list acl_inbound permit udp any any eq domain
access-list acl_inbound deny ip any any
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
ip address outside 208.144.230.197 255.255.255.224
ip address inside 10.1.1.2 255.255.255.0
global (outside) 1
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_inbound in interface outside
access-group acl_outbound in interface inside
route outside 0.0.0.0 0.0.0.0 208.144.230.200 1
floodguard enable
telnet 10.1.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0

Thanks.

Regards,

Hiren Mehta
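The access-lists in the posted PIX config are evaluated top-down, first match wins, and anything that matches nothing is denied. The evaluator below is an added example for this thread, not the PIX's own code: it parses the "any any" style entries exactly as posted, answers what acl_outbound and acl_inbound allow for a given flow, and checks which ACL names are never bound with access-group (the posted config binds acl_inbound and acl_outbound but not access-list 100). The port numbers for the service names and the sample flows are the example's own assumptions.

```python
# Added example (not from the thread, and not the PIX's real implementation): a
# first-match evaluator for the "any any" style access-list entries posted above.
from dataclasses import dataclass
from typing import Dict, List, Optional

# PIX 6.3 service names used in the posted config, mapped to port numbers
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53,
              "www": 80, "pop3": 110, "https": 443, "h323": 1720}

@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp", "udp" or "icmp"
    port: Optional[int] = None       # destination port from "eq <port>"
    icmp_type: Optional[str] = None  # e.g. "echo-reply"

def parse_acls(text: str) -> Dict[str, List[Ace]]:
    """Parse 'access-list NAME permit|deny PROTO any any [eq PORT | ICMP-TYPE]' lines,
    keeping entries in order because the PIX evaluates them top-down."""
    acls: Dict[str, List[Ace]] = {}
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[:1] != ["access-list"] or len(tok) < 6 or tok[4:6] != ["any", "any"]:
            raise ValueError(f"unsupported ACE syntax: {raw.strip()}")
        name, action, proto, rest = tok[1], tok[2], tok[3], tok[6:]
        port = icmp_type = None
        if rest[:1] == ["eq"] and len(rest) == 2:
            port = int(rest[1]) if rest[1].isdigit() else PORT_NAMES[rest[1]]
        elif proto == "icmp" and len(rest) == 1:
            icmp_type = rest[0]
        elif rest:
            raise ValueError(f"unsupported ACE syntax: {raw.strip()}")
        acls.setdefault(name, []).append(Ace(action, proto, port, icmp_type))
    return acls

def evaluate(aces: List[Ace], proto: str, dport: Optional[int] = None,
             icmp_type: Optional[str] = None) -> str:
    """First matching entry decides; if nothing matches the PIX denies implicitly."""
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if ace.port is not None and ace.port != dport:
            continue
        if ace.icmp_type is not None and ace.icmp_type != icmp_type:
            continue
        return ace.action
    return "deny"

def unapplied_acls(acls: Dict[str, List[Ace]], access_groups: Dict[str, str]) -> set:
    """ACL names that exist but are not bound to any interface by access-group."""
    return set(acls) - set(access_groups.values())

# The access-list lines exactly as posted in the PIX 515E config above
POSTED_ACLS = """
access-list acl_outbound permit icmp any any
access-list acl_outbound permit tcp any any eq pop3
access-list acl_outbound permit tcp any any eq smtp
access-list acl_outbound permit tcp any any eq domain
access-list acl_outbound permit udp any any eq domain
access-list acl_outbound permit tcp any any eq www
access-list acl_outbound permit tcp any any eq telnet
access-list acl_outbound permit tcp any any eq h323
access-list acl_outbound permit tcp any any eq https
access-list acl_outbound permit tcp any any eq 1863
access-list acl_outbound permit tcp any any eq ftp-data
access-list acl_outbound permit tcp any any eq ftp
access-list acl_outbound deny ip any any
access-list acl_inbound permit icmp any any
access-list acl_inbound permit tcp any any eq www
access-list acl_inbound permit tcp any any eq domain
access-list acl_inbound permit udp any any eq domain
access-list acl_inbound deny ip any any
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
"""
# access-group lines as posted: interface -> ACL name
ACCESS_GROUPS = {"outside": "acl_inbound", "inside": "acl_outbound"}

ACLS = parse_acls(POSTED_ACLS)

if __name__ == "__main__":
    print("outbound tcp/443:", evaluate(ACLS["acl_outbound"], "tcp", 443))
    print("outbound udp/123:", evaluate(ACLS["acl_outbound"], "udp", 123))
    # acl_inbound permits tcp/80 from anywhere, but on a PIX an inbound connection
    # also needs a translation (a static), and the posted config has none.
    print("inbound tcp/80:  ", evaluate(ACLS["acl_inbound"], "tcp", 80))
    print("never applied:   ", unapplied_acls(ACLS, ACCESS_GROUPS))
```

The acl_inbound block in the example is shortened to a representative subset of the posted entries; the parser accepts the full list unchanged. Note that acl_outbound ends in an explicit deny, so any LAN protocol not listed (NTP on udp/123, for instance) is blocked at the inside interface regardless of routing.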

15 Replies

zroth
Level 1

Hi Hiren,

First of all, I miss a global IP address in your config.

The other things seem to be O.K. Ping from the console has nothing to do with an access-list.

If you try to ping through the PIX, you can watch it with debug icmp trace. It gives you information whether the ICMP packets leave the PIX and whether the return ICMP packets are coming back.

Hope it helps

Zdenek

Dear Zdenek,

Glad to receive ur immediate response.

I have put icmp trace on and checked from my PIX console that my ping (ICMP) goes from my outside pix to ISP GW address and echo-reply back to it.

I have put "global(outside) 1 interface" i.e.PAT for all. I don't know what to put "global (outside) 1 ip_add netmask x.x.x.x" pls. suggest..

My public ip given by ISP is 208.144.230.198 255.255.255.224"....what could be the "global(outside)"...or how can I get?

Hope to see u soon

Hiren.

Hiren,

most probably you have a wrong address on your router outside interface. From your config I see it is 208.144.230.197. This is the address of your PIX outside interface. You have to change your router's outside interface to something from the network 10.1.1.0 255.255.255.0, for instance 10.1.1.1. Then you should also define a default route on your router to the inside PIX interface (10.1.1.2). Both the inside PIX interface and the outside router interface should be able to ping each other, which I presume is not the case now.

Try it

Zdenek

Dear Zdenek,

Yes..Yes.. ur true on router part. I have changed my Router outside to 10.1.1.1 255.255.255.0 and changed the "ip route 0.0.0.0 0.0.0.0 10.1.1.2". Are these OK..I think my route path is set from router outside-to-PIX inside.

I am able to ping from Router console to PIX inside now. but it gives me "requested time out" from my Laptop(ip set in the range of router inside) to pix inside.

Though I am able to ping router inside,outside even PIX ICMP trace shows me ping request received and reply sent back to router when I monitor my ping through console. But on laptop ping response is "Requested time out".....am I missing something on router ....Pls. suggest me.

Hiren

Are you NAT(ing) from inside to outside on your router? If so, what is the purpose, since your Pix then NAT(s).

You most probably have no route on your laptop to the destination 10.1.1.2, or generally no default route over 10.1.1.2. If you ping from your laptop to the inside PIX IP address, you should see incoming ping packets on the PIX. The error is so far in the routing, not in the PIX. Of course, the PIX has to know the route to the source network; it is the route to the inside network of your router. You have to configure it, and I am sure you win. Try use of debug ip icmp on the router; you will see if your packets reach the router and leave it. So far not bad.

Give me a notice

Zdenek

Sure, the NAT on your router should be removed, too. As a whole, the PIX takes over the original tasks of the router, NAT included. From your laptop with an IP address of the inside network 172.16... you must be able to ping the inside interface of the PIX. And these ping packets should have the original source addresses of 172.16... If you have already changed the outside address of the router, ping packets have source address 10.1.1.1. After disabling NAT on the router they should be the original addresses .. 172.16...

In the present state ping should actually work, if you have the proper route on your laptop (the command route print must show a default route over the inside int of the router). But again, I think you don't need NAT on the router anymore.

Hope it helps

Zdenek

Yes. NAT has been removed from Router.

I am getting ping from my laptop to PIX inside and reply shows on PIX console that my Laptop IP as a source of this ping....

I have checked on my router that it shows default router is the ip of my router inside (172.16.29.1)

When I ping to PIX inside why on laptop shows "requested timed out" though PIX console shows ICMP request come and ICMP reply to Laptop ip?????

I am not able to receive any ping reply back when I ping from my laptop to PIX outside ..W H Y ????

I haven't used any GLOBAL address....pls. suggest by referring to my PIX config...tell me what should be...

I have used "nat (inside) 1 0 0" on pix and "Global (outside) 1 in interface" (Global address is translated to PAT)

Unless I am not able to get ping reply from my PIX outside and ISP GW outside I am not able to surf the internet through PIX.....correct...

Pls. suggest....I am very much grateful to u.

Hiren.

Hi Hiren,

I have my holidays these days, so pls excuse my late reply. But I promise to help you.

1. Most probably your PIX has no route to the network 172.16.29.0 and is sending the ping answer through its default route (outside interface). You can check it with the PIX command show route. So you must configure all routes to the networks or hosts which are on the inside of the PIX with the command route, for instance route inside 172.16.29.0 255.255.255.0 10.1.1.1

To ping the outside interface of the PIX from inside is impossible with the PIX, as well you cannot ping the inside interface from outside. That is the PIX firewall.

Your NAT on the PIX is O.K., at least I think so now. Actually you are doing PAT: all inside addresses are translated to the PIX outside address, which I presume is the only public address you have from your ISP. At present I think you should be able to ping the ISP gateway from the laptop, but not before you have defined the route from the PIX to the laptop, as written above.

Hope it helps.Let me know.

Zdenek
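Zdenek's point 1 is the crux of the thread: the PIX untranslates the ISP gateway's echo reply back to the laptop's 172.16.29.x address, then does a longest-prefix route lookup on it, and with no route inside for 172.16.29.0 the only match is the 0.0.0.0/0 default, so the reply leaves through the outside interface again. The model below is an added example written for this thread (not the PIX's code): it builds the PIX routing table as posted, the mistyped route inside 172.16.20.0 that appears later in the thread, and the corrected route, and follows one ping from a constructed laptop address (172.16.29.10) with and without the router's NAT. The router-NAT case also explains why pings sourced from 10.1.1.1 (router console, or the router after PAT) always got answers: that address is on a network directly connected to the PIX.

```python
# Added example (not from the thread): a small model of the thread's topology that
# shows why an echo reply from the ISP gateway never reached the laptop until the
# PIX had "route inside 172.16.29.0 255.255.255.0 10.1.1.1".
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    next_hop: Optional[str]  # None = directly connected network

def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)

def route_lookup(routes: List[Route], dst: str) -> Route:
    """Longest-prefix match: the most specific route containing dst wins,
    so the 0.0.0.0/0 default only applies when nothing else matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best

# Addresses from the thread
PIX_OUTSIDE = "208.144.230.197"
ISP_GATEWAY = "208.144.230.200"
ROUTER_OUTSIDE = "10.1.1.1"

# PIX routing table as posted: two connected networks plus the default route
PIX_AS_POSTED = [
    Route(net("10.1.1.0/24"), "inside", None),
    Route(net("208.144.230.192/27"), "outside", None),
    Route(net("0.0.0.0/0"), "outside", ISP_GATEWAY),
]
# The mistyped route from later in the thread (172.16.20.0 instead of 172.16.29.0)
PIX_WITH_TYPO = PIX_AS_POSTED + [Route(net("172.16.20.0/24"), "inside", ROUTER_OUTSIDE)]
# The route Zdenek suggested
PIX_FIXED = PIX_AS_POSTED + [Route(net("172.16.29.0/24"), "inside", ROUTER_OUTSIDE)]

def trace_ping(pix_routes: List[Route], router_nat: bool, src: str = "172.16.29.10") -> dict:
    """Follow one echo request from a LAN host to the ISP gateway and its reply.
    src is a constructed laptop address in the thread's 172.16.29.0/24 LAN."""
    # Router hop: with "ip nat inside source ... overload" the router rewrites the
    # source to its own outside address; with NAT removed the LAN address is kept.
    src_seen_by_pix = ROUTER_OUTSIDE if router_nat else src
    # PIX hop: "nat (inside) 1 0 0" + "global (outside) 1 interface" is PAT, so every
    # inside source leaves as the PIX outside address and an xlate remembers the original.
    xlate = {PIX_OUTSIDE: src_seen_by_pix}
    # The ISP gateway replies to the PAT address; the PIX untranslates it ...
    reply_dst = xlate[PIX_OUTSIDE]
    # ... and then needs a route to that inside address. Without one, the reply
    # follows the default route straight back out of the outside interface.
    egress = route_lookup(pix_routes, reply_dst)
    return {
        "src_seen_by_pix": src_seen_by_pix,
        "reply_dst": reply_dst,
        "reply_egress": egress.interface,
        "reply_returns_inside": egress.interface == "inside",
    }

if __name__ == "__main__":
    cases = [("as posted, router NAT on", PIX_AS_POSTED, True),
             ("as posted, router NAT off", PIX_AS_POSTED, False),
             ("route inside typo", PIX_WITH_TYPO, False),
             ("route inside fixed", PIX_FIXED, False)]
    for label, routes, nat in cases:
        print(f"{label:26s} -> {trace_ping(routes, nat)}")
```

Running it shows the reply for the laptop's address going out "outside" in the as-posted and typo cases and "inside" only once the correct route exists; the lookup itself is the same mechanism show route reports on the PIX.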

I have done "route inside 172.16.20.0 255.255.255.0 10.1.1.1" at PIX but still I am not able to browse Internet from my inside world. I understand the importance of PIX...u are correct.I am provided two PUBLIC IP from my ISP i.e.208.144.230.197 and 198.

I have now removed access-list from my router:

Pls. confirm me that there is no problem at my router or is there any fixup of protocol,access-list are require? I think now I should isolate the problem one by one...

Latest config:

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VLANRouter
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ip subnet-zero
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.16.29.1 255.255.255.0
 duplex auto
 speed auto
!
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.2
!
line con 0
line aux 0
line vty 0 4
 login
!
end

I have tried capture command on PIX also which shows me that some packets of ping from inside to ISP GW are captured on the outside PIX interface.

Pls. clear me 1st router config part. Then we shall move further....

Thanks Zdenek for u support.

Hiren.

jogillis
Level 1

I agree, you need a route for the 172.16.29.0 network on your pix, so he will know how to route the echo reply back to the laptop. Have you tried using the capture command on any (all) of the interfaces to see exactly what is happening? The capture command can be a really big help when trying to troubleshoot problems such as this.

Jogillis, I have used capture command on pix and it's showing me some packet captured on the PIX outside of ping from inside laptop to ISP GW IP.

I can experiment if u suggest me the exact syntax of capture command which u wanted me to check....

I have done "route inside 172.16.20.0 255.255.255.0 10.1.1.1" at PIX but still I am not able to browse Internet from my inside world. I am provided two PUBLIC IP from my ISP i.e.208.144.230.197 and 198.

I have removed access-list from my router:

Pls. confirm me that there is no problem at my router or is there any fixup of protocol,access-list are require? I think now I should isolate the problem one by one...

Latest config:

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VLANRouter
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ip subnet-zero
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.16.29.1 255.255.255.0
 duplex auto
 speed auto
!
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.2
!
line con 0
line aux 0
line vty 0 4
 login
!
end

Pls. clear me 1st router config part. Then we shall move further....

Thanks for u support.

Hiren.

Hi Hiren,

in the PIX command route inside 172.16.29.0 etc. you possibly made a mistake (172.16.20.0 ???).

If this is not the case and you made the mistake only in your message, I think your config is basically a good one.

From your laptop with IP address 172.16.29.x you should be able to ping 172.16.29.1 (inside router's interface), 10.1.1.1 (outside router's interface), 10.1.1.2 (inside PIX's interface), 208.144.230.200 (ISP GW interface), the DNS servers and actually every IP address in the Internet which allows echo-reply.

You won't be able to ping the PIX's outside interface.

You can check and watch the movement of your ping packets on your router and on the PIX with the commands debug icmp trace on the PIX and debug ip icmp on the router. You should see your packets leaving and returning to your network.

Two things would be useful for you. On the router and on the PIX you should activate logging with the logging buffered command. With the command show log you can watch what happened. With clear logg you can clear the buffer. The second help is to configure ip accounting on the router interfaces. With sh ip acco you will be able to watch which packets are leaving the router in both directions. Again, with the command clear ip acco (interface command!!) you can clear accounting.

Hope it helps. Let me know and good luck.

Command capture you can try later.

Zdenek

Yes.Zdenek...My PIX problem is solved.

I made a mistake in "route inside" which I corrected but still I was unable to browse, but last night I received a new activation-key from CISCO through which I have updated my PIX version and whatever u suggested and I configured is damn perfect.......

my PDM manager is working perfectly and I tested ping...works perfectly....and inside to outside ISP access works with outside to inside attacks blocked..

T H A N K S for ur constant support. Which helps me mostly for the following point:

# Remove NAT on router and set it on PIX

# Show default route (Gateway)at client PC(or laptop)

# Route outside to ISP GW as well as route inside to router IP to be set on PIX

# Debugging commands to trace my ping packets stage by stage

# Importance of global interface, PAT and NAT

See u. keep in touch. Take good care of urselves.

Hiren Mehta.

AFRICA
