01-08-2005 12:34 PM - edited 02-20-2020 11:51 PM
Have overlapping network 172.16.9.0. Trying to follow the link according to which this scenario will work.
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/bafwcfg.htm#wp1113571
The scenario is not working. This is what I found. Want to make sure I have not missed anything.
BB1 (172.16.9.111)-> 172.16.9.0 -> (172.16.9.11)(inside)pix(outside)(172.16.15.11) -> 172.16.15.0 -> (172.16.15.1)(e0)CCIErouter1(loopback0)
Have the following
pixfirewall(config)# sh static
static (inside,outside) 172.16.99.0 172.16.9.0 netmask 255.255.255.0 0 0
static (outside,inside) 172.16.99.0 172.16.9.0 netmask 255.255.255.0 0 0
pixfirewall(config)# sh route
outside 0.0.0.0 0.0.0.0 172.16.15.1 1 OTHER static
outside 172.16.9.0 255.255.255.128 172.16.15.1 2 OTHER static
outside 172.16.9.128 255.255.255.128 172.16.15.1 2 OTHER static
inside 172.16.9.0 255.255.255.0 172.16.9.11 1 CONNECT static
outside 172.16.15.0 255.255.255.0 172.16.15.11 1 CONNECT static
inside 192.168.53.0 255.255.255.0 172.16.9.254 1 OTHER static
pixfirewall(config)# sh ip add
System IP Addresses:
ip address outside 172.16.15.11 255.255.255.0
ip address inside 172.16.9.11 255.255.255.0
no ip address dmz
Current IP Addresses:
ip address outside 172.16.15.11 255.255.255.0
ip address inside 172.16.9.11 255.255.255.0
no ip address dmz
See the foll debug
R6-PR14-SRBB1#ping 172.16.99.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.99.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R6-PR14-SRBB1#
pixfirewall(config)# 437: ICMP echo-request from inside:172.16.9.111 to 172.16.99.1 ID=2514 seq=7346 length=80
438: ICMP echo-request: translating inside:172.16.9.111 to outside:172.16.99.111
439: ICMP echo-request: untranslating inside:172.16.99.1 to outside:172.16.9.1
440: ICMP echo-reply from outside:172.16.9.1 to 172.16.99.111 ID=2514 seq=7346 length=80
441: ICMP echo-reply: translating outside:172.16.9.1 to inside:172.16.99.1
442: ICMP echo-reply: untranslating outside:172.16.99.111 to inside:172.16.9.111
443: ICMP echo-request from inside:172.16.9.111 to 172.16.99.1 ID=2515 seq=7346 length=80
R6-PR16-SR1#
R6-PR16-SR1#
003666: Jan 8 14:16:07.257 CST: ICMP: echo reply sent, src 172.16.9.1, dst 172.16.99.111
R6-PR16-SR1#
003667: Jan 8 14:16:09.257 CST: ICMP: echo reply sent, src 172.16.9.1, dst 172.16.99.111
R6-PR16-SR1#
003668: Jan 8 14:16:11.261 CST: ICMP: echo reply sent, src 172.16.9.1, dst 172.16.99.111
R6-PR16-SR1#
003669: Jan 8 14:16:13.257 CST: ICMP: echo reply sent, src 172.16.9.1, dst 172.16.99.111
R6-PR16-SR1#
003670: Jan 8 14:16:15.261 CST: ICMP: echo reply sent, src 172.16.9.1, dst 172.16.99.111
R6-PR16-SR1#
01-09-2005 01:57 AM
Hi Mohammed,
The debugs look ok. The only thing I can think of without seeing the whole config is the ACL for the return ping packet. Is there an entry in the inbound access list permitting the icmp echo-reply? ICMP does not create a stateful entry. Try telnet to the router as this should work without the need for an access list inbound on the PIX and will prove if the connection is ok.
Cheers,
Paul.
01-09-2005 12:54 PM
Paul,
I have a static entry and expilictly allowed icmp using an outside access-list
Here is the config for reference
PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password xxxx
passwd xxxxx
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outsidein permit icmp any any
pager lines 24
logging monitor debugging
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 172.16.x x.255.255.0
ip address inside 172.16.9.11 255.255.255.0
no ip address dmz
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
pdm history enable
arp timeout 14400
static (inside,outside) 172.x.x.x.16.9.0 netmask 255.255.255.0 0 0
static (outside,inside) 172.x.x.x.16.9.0 netmask 255.255.255.0 0 0
access-group outsidein in interface outside
route outside 0.0.0.0 0.0.0.0 172.16.15.1 1
route outside 172.16.9.0 255.255.255.128 172.16.15.1 2
route outside 172.16.9.128 255.255.255.128 172.16.15.1 1
route inside 192.168.53.0 255.255.255.0 172.16.9.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.0.0 255.255.0.0 inside
telnet 192.168.0.0 255.255.0.0 dmz
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:xxxx
: end
pixfirewall(config)#
01-10-2005 04:12 AM
Hi Mohammed,
I see the problem now. The thing is that the config as it stands will not work. There needs to be more separation between the networks. I think it is possible the PIX is becoming confused with regard to routing the return packets. There needs to be another address range used to enable the connectivity and this must be the address utilised in the communication.
Try changing the translated address to something else:
eg.
static (inside,outside) 172.16.100.0 172.16.9.0 netmask 255.255.255.0 0 0
static (outside,inside) 172.16.100.0 172.16.9.0 netmask 255.255.255.0 0 0
Then ping 172.16.100.1
The source of 172.16.9.111 will be translated to 172.16.100.111
The dest address of 172.16.100.1 will be translated to 172.16.9.1 with the return traffic translated vice versa.
The router needs a static route pointing to the PIX for the 172.16.100.0/24 subnet.
Cheers,
Paul
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide