06-04-2004 12:08 AM - edited 02-20-2020 11:26 PM
Hi,
I have the following scenario:
R7 --- INSIDE --- PIX ----- OUTSIDE -------- R5, R6
RIP VERSION 2 is running between the PIX and R5, R6, R7
As you can see the PIX is learning the loopbacks of R5,R6 and R7
R5: 15.15.15.15
R6: 16.16.16.16
R7: 17.17.17.17
pixfirewall(config)# sh route
outside 0.0.0.0 0.0.0.0 110.50.13.65 1 OTHER static
inside 10.50.34.0 255.255.255.0 10.50.34.1 1 CONNECT static
outside 15.15.15.0 255.255.255.0 110.50.13.65 1 RIP
outside 16.16.16.0 255.255.255.0 110.50.13.66 1 RIP
inside 17.17.17.0 255.255.255.0 10.50.34.2 1 RIP
outside 110.50.13.64 255.255.255.240 110.50.13.67 1 CONNECT static
However, I can't ping any of these loopbacks from within the PIX
pixfirewall(config)# ping 16.16.16.16
44: ICMP type 80 (code 110) 16.16.16.16 > 110.50.13.67
16.16.16.16 response received -- 10ms
45: ICMP type 80 (code 110) 16.16.16.16 > 110.50.13.67
16.16.16.16 response received -- 0ms
46: ICMP type 80 (code 110) 16.16.16.16 > 110.50.13.67
16.16.16.16 response received -- 0ms
NOTE : I CAN PING THE LOOPBACKS OF R5, R6 FROM R7 THRU THE PIX
I CAN ALSO PING THE LOOPBACK OF R7 FROM BOTH R5,R6 THRU THE PIX
USING STATIC (INSIDE,OUTSIDE) 15.15.15.15 15.15.15.15
QUESTION : HOW DO I ALLOW ICMP FROM THE PIX TO THE ROUTERS ?
CAN THE ROUTERS BE PINGABLE FROM THE PIX ?
Any help is much appreciated.
Thanks.
Paul
PIX :=====================================================
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 110.50.13.67 255.255.255.240
ip address inside 10.50.34.1 255.255.255.0
access-list outside permit icmp any any
access-group outside in interface outside
global (outside) 1 110.50.13.68-110.50.13.78
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 17.17.17.17 17.17.17.17 netmask 255.255.255.255 0 0
static (inside,outside) 15.15.15.15 15.15.15.15 netmask 255.255.255.255 0 0
static (inside,outside) 16.16.16.16 16.16.16.16 netmask 255.255.255.255 0 0
rip outside passive version 2 authentication text cisco 1
rip inside passive version 2 authentication text cisco 1
rip inside default version 2 authentication text cisco 1
route outside 0.0.0.0 0.0.0.0 110.50.13.65 1
===================================================================
R5:
interface Ethernet0
ip address 110.50.13.65 255.255.255.240
ip rip authentication key-chain lab2
!
router rip
version 2
network 15.0.0.0
network 110.0.0.0
no auto-summary
!
ip kerberos source-interface any
ip classless
ip route 17.17.17.0 255.255.255.0 110.50.13.67
R6:
interface Ethernet0
ip address 110.50.13.66 255.255.255.240
ip rip authentication key-chain lab2
!
router rip
version 2
network 16.0.0.0
network 110.0.0.0
no auto-summary
!
ip kerberos source-interface any
ip classless
ip route 17.17.17.0 255.255.255.0 110.50.13.67
R7:
interface FastEthernet0/0
ip address 10.50.34.2 255.255.255.0
ip rip authentication key-chain lab2
router rip
version 2
network 10.0.0.0
network 17.0.0.0
neighbor 10.50.34.1
no auto-summary
06-04-2004 06:47 AM
At the pix issue this command: show icmp
The icmp that you allow in the acl is only for icmp traffic flowing thru the pix, not to it. The icmp command tells the pix how to respond to icmp when it is directed to the pix interface.
Make sure that the routers allow icmp from the pix; check any relevant acls that apply to icmp on the router config. You should be able to ping the routers from a pix console, or vty session (telnet/ssh).
Here is some info from the pix 6.3 doc to allow the pix to respond to icmp directed to it from the routers. Note how the acl is coded - the echo-reply is sent from the pix to the host/network specified in the icmp permit statement.
1. Deny all ping requests and permit all unreachable messages at the outside interface:
icmp permit any unreachable outside
The default behavior of the PIX Firewall is to deny ICMP messages to the outside interface.
2. Permit host 172.16.2.15 or hosts on subnet 172.22.1.0/16 to ping the outside interface:
icmp permit host 172.16.2.15 echo-reply outside
icmp permit 172.22.1.0 255.255.0.0 echo-reply outside
icmp permit any unreachable outside
06-04-2004 07:46 AM
ip address outside 110.50.13.67 255.255.255.240
ip address inside 10.50.34.1 255.255.255.0
In this case I am trying to ping a R5 loopback - 15.15.15.15
PIX - outside - R5 (110.50.13.65)
Should I do this :
icmp permit host 15.15.15.15 echo-reply outside
icmp permit 110.50.13.67 255.255.255.240 echo-reply outside
icmp permit any unreachable outside
Actually, I tried doing that and it does not work.
I am probably not doing it right.
Your help is appreciated, thanks again
06-04-2004 06:39 PM
My apologies, the config I posted does work. I somehow got the PIX confused with the router behavior.
In fact, I did not even configure any icmp permit statement. Having received the rip routes I could ping the routers' loopbacks from the PIX itself.
06-04-2004 06:41 PM
I forgot to ask the question: why is it that I can ping interfaces connected to the PIX and routes learned from RIP without any access lists?
06-05-2004 06:03 PM
ACL statements only apply to traffic flowing thru the pix, not to it, or from it. I believe that the default pix config will allow icmp to and from the pix interfaces, but not thru it. That is why the pings work without having to add or adjust acl entries, or icmp entries.
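To make the behavior described in the two replies above concrete (ACLs govern only through-traffic; the icmp command governs ICMP terminating on a PIX interface, and with no icmp statements at all the interfaces accept ICMP), here is a small simulator. It is an added example written for this thread, not code from the thread or from Cisco, and it encodes my reading of PIX 6.3 behavior: no icmp statements means every ICMP message to an interface is accepted; once one or more statements exist, the list is evaluated first-match with an implicit deny at the end. The sample lists are the two doc examples quoted above; the source addresses 16.16.16.16, 110.50.13.65, 172.22.5.9 and 10.1.1.1 are taken from the thread or constructed for the test.

```python
"""Simulate the PIX 6.3 'icmp' control list for ICMP addressed to the firewall itself.

Model (my reading of the thread's closing answer and the PIX 6.3 docs):
  * no icmp statements configured -> every ICMP message to any interface is accepted
  * one or more statements         -> first match wins, implicit deny at the end
This says nothing about through-traffic, which access-list/access-group govern.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class IcmpRule:
    action: str                      # "permit" or "deny"
    source: ipaddress.IPv4Network    # "any" is stored as 0.0.0.0/0
    icmp_type: Optional[str]         # None means any ICMP type
    interface: str                   # interface name the message terminates on


def parse_icmp_rule(line: str) -> IcmpRule:
    """Parse one 'icmp permit|deny {any|host A|A M} [type] if_name' statement."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "icmp" or tokens[1] not in ("permit", "deny"):
        raise ValueError(f"not an icmp control-list statement: {line!r}")
    action, rest = tokens[1], tokens[2:]
    if rest[0] == "any":
        source, rest = ipaddress.ip_network("0.0.0.0/0"), rest[1:]
    elif rest[0] == "host":
        source, rest = ipaddress.ip_network(rest[1] + "/32"), rest[2:]
    else:
        # address + dotted mask; strict=False tolerates host bits set, e.g. 172.22.1.0/255.255.0.0
        source, rest = ipaddress.ip_network(f"{rest[0]}/{rest[1]}", strict=False), rest[2:]
    interface = rest[-1]
    icmp_type = rest[0] if len(rest) == 2 else None
    return IcmpRule(action, source, icmp_type, interface)


def icmp_to_interface_allowed(rules: List[IcmpRule], src_ip: str,
                              icmp_type: str, interface: str) -> bool:
    """Decide whether an ICMP message from src_ip, of the given type,
    addressed to the named PIX interface is accepted by the firewall."""
    if not rules:
        return True                       # no control list: accept ICMP to the box
    src = ipaddress.ip_address(src_ip)
    for rule in rules:                    # first match wins
        if rule.interface != interface or src not in rule.source:
            continue
        if rule.icmp_type is not None and rule.icmp_type != icmp_type:
            continue
        return rule.action == "permit"
    return False                          # implicit deny once a list exists


# The two PIX 6.3 doc examples quoted in the thread.
DOC_EXAMPLE_1 = ["icmp permit any unreachable outside"]
DOC_EXAMPLE_2 = [
    "icmp permit host 172.16.2.15 echo-reply outside",
    "icmp permit 172.22.1.0 255.255.0.0 echo-reply outside",
    "icmp permit any unreachable outside",
]


def thread_scenarios() -> dict:
    """Replay the situations discussed in the thread and return the verdicts."""
    no_list: List[IcmpRule] = []
    ex1 = [parse_icmp_rule(s) for s in DOC_EXAMPLE_1]
    ex2 = [parse_icmp_rule(s) for s in DOC_EXAMPLE_2]
    return {
        # original poster's config: no icmp statements, R6's echo-reply reaches the outside interface
        "no_list_reply_from_r6": icmp_to_interface_allowed(no_list, "16.16.16.16", "echo-reply", "outside"),
        # doc example 1: R5 pinging the outside interface is now dropped, unreachables still accepted
        "ex1_echo_from_r5": icmp_to_interface_allowed(ex1, "110.50.13.65", "echo", "outside"),
        "ex1_unreachable_from_r5": icmp_to_interface_allowed(ex1, "110.50.13.65", "unreachable", "outside"),
        # doc example 2: the listed host and subnet match, anything else hits the implicit deny
        "ex2_listed_host": icmp_to_interface_allowed(ex2, "172.16.2.15", "echo-reply", "outside"),
        "ex2_listed_subnet": icmp_to_interface_allowed(ex2, "172.22.5.9", "echo-reply", "outside"),
        "ex2_other_host": icmp_to_interface_allowed(ex2, "10.1.1.1", "echo-reply", "outside"),
        "ex2_wrong_interface": icmp_to_interface_allowed(ex2, "172.16.2.15", "echo-reply", "inside"),
    }


if __name__ == "__main__":
    for name, verdict in thread_scenarios().items():
        print(f"{name:28s} {'permit' if verdict else 'deny'}")
```

The point the simulation makes is the caveat a practitioner should keep in mind: the moment a single icmp statement is added to an interface, everything not explicitly permitted on that interface is dropped, so a list that only permits unreachables silently stops the PIX's own pings from getting their replies.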