Re: PIX or router issue

seekhpar121 · ‎02-11-2009

Following is a lab topology:

I cannot ping from interent(LAB) router to the inside interface of pix as well as lan.

ALso cannot ping outside interface of Pix from lan but can ping the system on internet(LAB) .

Can anyone help .

Thanks in advance.

system A ------>switch------->LAN Router---->firewall--->Internet Router----->Switch----->System B

System A IP:10.1.2.5/24

gateway: 10.1.2.1

System B ip:172.16.10.5/24

-------------------------------------

LAN Router Configuration:

interface Ethernet0/0

ip address 10.1.2.1 255.255.255.0

half-duplex

!

interface Ethernet0/1

ip address 10.1.1.2 255.255.255.0

half-duplex

ip route 0.0.0.0 0.0.0.0 10.1.1.1

---------------------------------------

PIX configuration:

interface Ethernet0

nameif outside

security-level 0

ip address 10.165.200.226 255.255.255.224

!

interface Ethernet1

nameif inside

security-level 100

ip address 10.1.1.1 255.255.255.0

access-list 100 extended permit icmp any any echo

access-list 100 extended permit icmp any any echo-reply

access-list 100 extended permit icmp any any time-exceeded

access-list 100 extended permit icmp any any unreachable

access-list 100 extended permit tcp any any eq smtp

global (outside) 1 10.165.200.227-10.165.200.254 netmask 255.255.255.224

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) 10.165.200.228 10.1.2.5 netmask 255.255.255.255

access-group 100 in interface outside

route outside 0.0.0.0 0.0.0.0 10.165.200.225 1

route inside 10.1.2.0 255.255.255.0 10.1.1.2 1

---------------------------------------------------

Internet Router:

interface Ethernet0

ip address 10.165.200.225 255.255.255.224

half-duplex

!

interface FastEthernet0

ip address 172.16.10.1 255.255.255.0

speed auto

-------------------------------------------------

andrew.prince · ‎02-11-2009

from the pix can you ping the internet router?

seekhpar121 · ‎02-11-2009

Hi,

Thanks for your response.

FRom system A:

1)CAN ping System B.

2)CANNOT ping outside interface of pix

3)CAN ping ETH0 of internet router connected to outisde interface of pix.

From PIX:

Can ping Internet router as well as System B:

From Internet Router:

Cannot ping Inisde interface of PIX:

From System B:

When ping inside interface of pix:Result is

Reply from 172.16.10.1:destination host unreachable

Waiting for more replies.

Thanks

andrew.prince · ‎02-12-2009

This is normal behaviour.

From the outside of the pix you will not be able to ping the inside IP. From the inside of the pix you will not be able to ping the outside IP = all normal for the PIX.

For your network connectivity tests that prove the network from end to end will be:-

system A ping switch = OK

system A ping LAN Router = OK

system A ping firewall inside = OK

system A ping internet router = OK

The above proves the system A side 100%

system B ping switch = OK

system B ping internet router = OK

system B ping firewall outside = OK

system B ping LAN router = OK

The above proves the system B side 100%

system B ping system A = OK

That means you have 100% end to end connectivity.

HTH>

seekhpar121 · ‎02-12-2009

system B cannot ping LAN Router,

Response is

Reply from 172.16.10.1(internet Router ip),destination host unreachable.

Also System B cannot ping System A.

PIX os is v8.0(3)

andrew.prince · ‎02-13-2009

Then the issue has nothing to do with the firewall - it is a mi-configuration on the internet router. Post for review.

seekhpar121 · ‎02-13-2009

Following is the internet router configuration.

Internet Router:

interface Ethernet0

ip address 10.165.200.225 255.255.255.224

half-duplex

!

interface FastEthernet0

ip address 172.16.10.1 255.255.255.0

speed auto

andrew.prince · ‎02-13-2009

OK - are you allowing icmp requests thru the firewall?

seekhpar121 · ‎02-13-2009

AT PIX for allowing icmp as well as routes and static natting of system A

access-list 100 extended permit icmp any any echo

access-list 100 extended permit icmp any any echo-reply

access-list 100 extended permit icmp any any time-exceeded

access-list 100 extended permit icmp any any unreachable

access-group 100 in interface outside

static (inside,outside) 10.165.200.228 10.1.2.5 netmask 255.255.255.255

route outside 0.0.0.0 0.0.0.0 10.165.200.225 1

route inside 10.1.2.0 255.255.255.0 10.1.1.2 1

andrew.prince · ‎02-14-2009

You need to re think your config - on what you want to allow thru the firewall and how you NAT that traffic.

Post a network diagram of your test network including your IP subnets.