Re: PIX routing issue

bevans · ‎10-20-2003

We currently have a Cisco PIX that connects to our local network and then out to a T1 connection. We added a loadbalancing device that sits between the T1 link and the PIX. I changed the PIX's outside IP address and outside interface default route to fit the configuration change. From on the PIX I can ping out to the Internet. From behind the PIX I cannot ping out to the Internet. I cannot even ping the external PIX interface from a workstation that is behind the PIX (behind the PIX = a workstation on the PIX's LAN). Is there a configuration issue? Is there something that the PIX does by default that I am not aware of?

Bill E.

jlebaron · ‎10-20-2003

The PIX by default will not allow ICMP to come back thru the outside interface.

If its absolutely important for you to ping to a host on the outside interface of the pix, you'd have to write an ACL, or a conduit.

HTH

~Jason

scoclayton · ‎10-20-2003

Bill,

For the first part of your message, we really do not have enough info to help in pinpointing the issue. Perhaps we can start with your config (please remove all passwords and IP's). As for part 2, it is expected that you would not be able to ping the PIX outside interface from a host on the inside network. Packets must come in an interface and leave an interface in order to be passed by the PIX. The PIX will not route back onto itself. Hope this helps.

Scott

bevans · ‎10-20-2003

Scott,

Thanks for your post. Below is my config:

PIX Version 6.1(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 DMZ security10

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

access-list 101 permit tcp any host X.X.X.67 eq smtp

access-list 101 permit tcp any host X.X.X.67 eq pop3

access-list 101 permit tcp any host X.X.X.67 eq www

access-list 101 permit tcp any host X.X.X.67 eq 3389

access-list 101 permit tcp any host X.X.X.67 eq ftp

access-list 101 permit tcp any host X.X.X.70 eq 1494

access-list 101 permit tcp any host X.X.X.71 eq 1494

access-list 101 permit tcp any host X.X.X.70 eq 1433

access-list 101 permit tcp any host X.X.X.71 eq 1433

access-list 101 permit tcp any host X.X.X.70 eq 3389

access-list 101 permit tcp any host X.X.X.71 eq 3389

access-list 101 permit tcp any host X.X.X.69 eq www

access-list 101 permit tcp any host X.X.X.67 eq 5661

access-list 101 permit tcp any host X.X.X.67 eq 5662

access-list 101 permit udp any host X.X.X.67 eq 5661

access-list 101 permit udp any host X.X.X.67 eq 5662

access-list 101 permit tcp any host X.X.X.67 eq 5671

access-list 101 permit tcp any host X.X.X.67 eq 5672

access-list 101 permit udp any host X.X.X.67 eq 5671

access-list 101 permit udp any host X.X.X.67 eq 5672

access-list 101 permit tcp any host X.X.X.72 eq www

pager lines 24

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

mtu outside 1500

mtu inside 1500

mtu DMZ 1500

ip address outside 192.168.2.2 255.255.255.0

ip address inside 10.10.5.1 255.255.0.0

ip address DMZ 192.168.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

no failover

failover timeout 0:00:00

failover poll 15

failover ip address outside 0.0.0.0

failover ip address inside 0.0.0.0

failover ip address DMZ 0.0.0.0

pdm history enable

arp timeout 14400

alias (inside) 10.10.1.26 X.X.X.70 255.255.255.255

alias (inside) 10.10.1.27 X.X.X.71 255.255.255.255

alias (inside) 10.10.1.19 X.X.X.69 255.255.255.255

alias (inside) 10.10.1.30 X.X.X.72 255.255.255.255

alias (DMZ) 192.168.1.67 X.X.X.67 255.255.255.255

static (DMZ,outside) X.X.X.67 192.168.1.67 netmask 255.255.255.255 0 0

static (inside,outside) X.X.X.70 10.10.1.26 netmask 255.255.255.255 0 0

static (inside,outside) X.X.X.71 10.10.1.27 netmask 255.255.255.255 0 0

static (inside,outside) X.X.X.69 10.10.1.19 netmask 255.255.255.255 0 0

static (inside,outside) X.X.X.72 10.10.1.30 netmask 255.255.255.255 0 0

access-group 101 in interface outside

route outside 0.0.0.0 0.0.0.0 192.168.2.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

no snmp-server location

no snmp-server contact

snmp-server community

no snmp-server enable traps

floodguard enable

no sysopt route dnat

telnet timeout 5

ssh timeout 5

terminal width 80

It is probably worth mentioning that I have proxyarp disabled. Also, our load balancing device does nat and so does the PIX. It is very odd because it seemsthat traffic does not pass from the PIXs internal network to the external. Also, DMZ traffic will not pass to the outbound interface.

Bill E.

nkhawaja · ‎10-20-2003

Hi,

A couple of things worth mentioning here.

1- the access-list 101 should have an entry for the echo replies

access-list 101 permit icmp any any echo-reply

2- You have a few static defined on the PIX, which are probably translating to public address, hence only these IPs will be allowed to go to the internet, provided you have routes configured for these IPs on your Load Balancer.

3- All other devices besides the one in static will not be able to go intenet unless you configure nat for them.

Thanks

Nadeem Khawaja

bevans · ‎10-20-2003

Nadeem,

That is true regarding the access list, I forgot about that. Also the information regarding the static entries is of note. I have been looking at this too long and in the wrong places I think. I will try these and post when I see what results. Thanks!