Routing Problems? %PIX-1-106021

jmondaca (Level 1)

When I connect from the inside of the PIX (192.168.150.0) to DMZ1 it works fine, but when trying to connect from a network (192.168.146.0) in DMZ1 that is behind two routers it doesn't work.

The configuration is like this:

Net(192.168.146.0) --> Router (Serial 211.1.1.1) --> Router (Serial 211.1.1.2) Net (192.168.147.0) --> PIX (Interface DMZ1 192.168.147.2).

The logs from the PIX show that when trying to connect from the network (192.168.146.0) to the DMZ1 interface (192.168.147.2) it's using the serial IP address of the router:

106021: Deny icmp reverse path check from 211.1.1.1 to 192.168.147.2 on interface DMZ1.

A traceroute to the DMZ1 interface (192.168.147.2) from the network 192.168.146.0 shows:

Tracing the route to 192.168.147.2
1 211.1.1.2 0 msec 0 msec 4 msec
2 * * *
3 * * *

Thank you.


nkhawaja (Cisco Employee)

Hi,

In this diagram I don't see 192.168.150.0. The reverse path check indicates that the PIX knows how to reach this network from a better route.

Can you share the configs?

You may need to trace the issue hop by hop.

Thanks

Nadeem

The 192.168.150.0 address is from the inside and it was only a reference. The problem is trying to connect from a network (192.168.146.0) that is behind these two routers: ROUTER1 (E0: 192.168.146.1; S0: 211.1.1.1) --> ROUTER2 (E0: 192.168.147.1; S0: 211.1.1.2) --> PIX (192.168.147.2)

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ1 security90
enable password xxxxxx
passwd xxxxx
hostname xxx
domain-name xxx
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list inside permit ip host 192.168.150.50 any
access-list inside permit ip host 192.168.150.19 any
access-list inside permit ip host 192.168.150.20 any
access-list inside deny ip host 192.168.150.54 any
access-list DMZ1 permit ip any any
pager lines 24
logging on
logging timestamp
logging buffered debugging
logging trap debugging
logging history emergencies
logging facility 16
icmp permit any unreachable outside
icmp deny any outside
icmp permit any unreachable inside
icmp deny any inside
icmp permit any unreachable DMZ1
icmp permit any DMZ1
mtu outside 1500
mtu inside 1500
mtu DMZ1 1500
ip address outside x.x.x.x x.x.x.x
ip address inside 192.168.150.2 255.255.255.0
ip address DMZ1 192.168.147.2 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface DMZ1
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 x.x.x.x netmask x.x.x.x
global (DMZ1) 1 192.168.147.201-192.168.147.254 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ1) 1 0.0.0.0 0.0.0.0 0 0
access-group inside in interface inside
access-group DMZ1 in interface DMZ1
rip inside passive version 1
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route DMZ1 192.168.146.0 255.255.255.0 192.168.147.1 1
route DMZ1 192.168.148.0 255.255.255.0 192.168.146.1 1
route DMZ1 192.168.149.0 255.255.255.0 192.168.146.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:xxxxx
: end
[OK]

Thanks

I think you are running foul of a rule within the PIX. You cannot ping your PIX's DMZ1 interface from the outside. So, for example, you can ping from a device located outside to a device located on the DMZ (as long as the GW, IP and Subnet Mask are correct and the PIX config is correct). You can also ping from a device located outside to the outside interface, or from a device located on the DMZ1 interface to the DMZ1 interface, but not from a device located outside to the DMZ1 interface.

The error message that you are seeing seems to indicate that this is because of Unicast RPF, although why this is, I'm not exactly sure. Perhaps this is some sort of abstraction between the routing engine and the interface security function?

HTH

Terry

The network 192.168.146.0 is connected through the two routers to DMZ1. As a matter of fact, in some cases I can telnet to some servers on the inside (using static addresses) or use the internet through the PIX outside connection.

On other occasions, using the same machine in the network 192.168.146.0, I cannot connect to any server on the inside, nor surf the web, and I get in the log:

106021: Deny icmp reverse path check from 211.1.1.1 to 192.168.147.2 on interface DMZ1.

Thank you in advance.

Hi,

The reverse path check error message comes when the PIX has a better route to the destination from a different interface, other than the interface where the packet came in. Please check your routing.
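As an added illustration of the check the last reply and the earlier Unicast RPF reply describe (example code written for this page, not part of the thread or of PIX software), the Python below models `ip verify reverse-path` as a longest-prefix lookup over the static routes and connected subnets transcribed from the posted config, then reproduces the thread's 106021 log line for the source address it names. The outside next hop is masked "x.x.x.x" in the post, so a placeholder stands in for it; the /30 mask on the serial link and the extra route named `ASSUMED_SERIAL_ROUTE` are assumptions made for illustration, not something posted in the thread.

```python
import ipaddress

# Static routes transcribed from the PIX 6.3(3) config posted in the thread.
# The outside next hop is masked "x.x.x.x" in the post; a labelled placeholder stands in.
ROUTES = [
    # (egress interface, destination prefix, next hop)
    ("outside", "0.0.0.0/0", "OUTSIDE_GW_PLACEHOLDER"),
    ("DMZ1", "192.168.146.0/24", "192.168.147.1"),
    ("DMZ1", "192.168.148.0/24", "192.168.146.1"),
    ("DMZ1", "192.168.149.0/24", "192.168.146.1"),
]

# Directly connected subnets from the "ip address" lines (outside is masked in the post).
CONNECTED = [
    ("inside", "192.168.150.0/24"),
    ("DMZ1", "192.168.147.0/24"),
]

# ASSUMPTION for illustration only: the serial link between the two routers is a /30
# (its mask is not given in the thread) and is reachable via the DMZ1-side router.
ASSUMED_SERIAL_ROUTE = ("DMZ1", "211.1.1.0/30", "192.168.147.1")


def lookup(src, routes=ROUTES, connected=CONNECTED):
    """Longest-prefix match for a source address: the interface the PIX would use to
    send a packet back toward that source, or None when nothing matches."""
    addr = ipaddress.ip_address(src)
    candidates = list(connected) + [(iface, prefix) for iface, prefix, _ in routes]
    best_iface, best_len = None, -1
    for iface, prefix in candidates:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_iface, best_len = iface, net.prefixlen
    return best_iface


def reverse_path_check(src, ingress_iface, routes=ROUTES, connected=CONNECTED):
    """Unicast RPF as the thread describes it: the packet passes only when the route
    back to its source points out the same interface the packet arrived on."""
    return lookup(src, routes, connected) == ingress_iface


def syslog_for(src, dst, ingress_iface, proto="icmp", routes=ROUTES, connected=CONNECTED):
    """Return the %PIX-1-106021 text the check would log, or None if the packet passes."""
    if reverse_path_check(src, ingress_iface, routes, connected):
        return None
    return (f"106021: Deny {proto} reverse path check from {src} to {dst} "
            f"on interface {ingress_iface}.")


if __name__ == "__main__":
    # The source named in the thread's log line is router 1's serial address.
    print(lookup("211.1.1.1"))  # outside: only the default route covers 211.1.1.1
    print(syslog_for("211.1.1.1", "192.168.147.2", "DMZ1"))
    # A host on the LAN behind the routers is covered by a DMZ1 route and passes.
    print(syslog_for("192.168.146.10", "192.168.147.2", "DMZ1"))
    # With the assumed serial-link route present, the same packet would pass.
    print(syslog_for("211.1.1.1", "192.168.147.2", "DMZ1",
                     routes=ROUTES + [ASSUMED_SERIAL_ROUTE]))
```

The model is deliberately small: it consults only the static routes and connected subnets visible in the post, so routes the PIX learns through `rip inside passive version 1` are not represented, and it treats the lookup purely as "which interface owns the best route back to the source", which is the condition both replies point at when they say to check the routing.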