07-26-2004 02:23 PM - edited 03-09-2019 08:11 AM
When I connect from the inside of the PIX (192.168.150.0) to DMZ1 it works fine, but when trying to connect from a network (192.168.146.0) in DMZ1 that is behind two routers it doesn't work.
The configuration is like this:
Net(192.168.146.0) --> Router (Serial 211.1.1.1) --> Router (Serial 211.1.1.2) Net (192.168.147.0) --> PIX (Interface DMZ1 192.168.147.2).
The logs from the PIX show that when trying to connect from the network (192.168.146.0) to the DMZ1 interface (192.168.147.2) it's using the serial IP address of the router:
106021: Deny icmp reverse path check from 211.1.1.1 to 192.168.147.2 on interface DMZ1.
A traceroute to the DMZ1 interface (192.168.147.2) from the network 192.168.146.0 shows:
Tracing the route to 192.168.147.2
1 211.1.1.2 0 msec 0 msec 4 msec
2 * * *
3 * * *
Thank you.
07-26-2004 07:12 PM
Hi,
In this diagram I don't see 192.168.150.0. The reverse path check indicates that the PIX knows how to reach this network from a better route.
Can you share the configs?
You may need to trace the issue hop by hop.
Thanks
Nadeem
07-27-2004 05:30 AM
The 192.168.150.0 address is from the inside and it was only a reference. The problem is trying to connect from a network (192.168.146.0) that is behind these two routers: ROUTER1(E0:192.168.146.1; S0: 211.1.1.1) --> ROUTER2(E0:192.168.147.1; S0:211.1.1.2) --> PIX (192.168.147.2)
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ1 security90
enable password xxxxxx
passwd xxxxx
hostname xxx
domain-name xxx
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list inside permit ip host 192.168.150.50 any
access-list inside permit ip host 192.168.150.19 any
access-list inside permit ip host 192.168.150.20 any
access-list inside deny ip host 192.168.150.54 any
access-list DMZ1 permit ip any any
pager lines 24
logging on
logging timestamp
logging buffered debugging
logging trap debugging
logging history emergencies
logging facility 16
icmp permit any unreachable outside
icmp deny any outside
icmp permit any unreachable inside
icmp deny any inside
icmp permit any unreachable DMZ1
icmp permit any DMZ1
mtu outside 1500
mtu inside 1500
mtu DMZ1 1500
ip address outside x.x.x.x x.x.x.x
ip address inside 192.168.150.2 255.255.255.0
ip address DMZ1 192.168.147.2 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface DMZ1
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 x.x.x.x netmask x.x.x.x
global (DMZ1) 1 192.168.147.201-192.168.147.254 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ1) 1 0.0.0.0 0.0.0.0 0 0
access-group inside in interface inside
access-group DMZ1 in interface DMZ1
rip inside passive version 1
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route DMZ1 192.168.146.0 255.255.255.0 192.168.147.1 1
route DMZ1 192.168.148.0 255.255.255.0 192.168.146.1 1
route DMZ1 192.168.149.0 255.255.255.0 192.168.146.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:xxxxx
: end
[OK]
Thanks
08-05-2004 01:11 AM
I think you are running foul of a rule within the PIX. You cannot ping your PIX's DMZ1 interface from the outside. So, for example, you can ping from a device located outside to a device located on the DMZ (as long as the GW, IP and Subnet Mask are correct and the PIX config is correct). You can also ping from a device located outside to the outside interface, or from a device located on the DMZ1 interface to the DMZ1 interface, but not from a device located outside to the DMZ1 interface.
The error message that you are seeing seems to indicate that this is because of Unicast RPF, although why this is, I'm not exactly sure. Perhaps this is some sort of abstraction between the routing engine and the interface security function?
HTH
Terry
08-05-2004 12:41 PM
The network 192.168.146.0 is connected through the two routers to DMZ1; as a matter of fact, in some cases I can telnet to some servers in the inside (using static addresses) or use the internet through the PIX outside connection.
On other occasions, using the same machine in the network 192.168.146.0, I cannot connect to any server in the inside, nor surf the web, and I get in the log:
106021: Deny icmp reverse path check from 211.1.1.1 to 192.168.147.2 on interface DMZ1.
Thank you in advance.
08-06-2004 11:52 AM
Hi,
the reverse path check error message comes when the PIX has a better route to the destination from a different interface, other than the interface where the packet came in. Please check your routing.
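A small model of the reverse-path decision discussed in this thread, added here as an example (not code from the thread or from Cisco), using the static and connected routes from the posted configuration. It assumes the masked outside next hop matters only for its egress interface, and the 211.1.1.0/24 route used at the end is hypothetical, not part of the posted config.

```python
# Added example, not from the thread: a model of the PIX "ip verify
# reverse-path" decision, using the routes in the posted configuration.
import ipaddress

# Routing table taken from the posted config (the outside next hop is
# masked as x.x.x.x in the thread; only the egress interface matters here).
ROUTES = [
    ("0.0.0.0/0",        "outside"),  # route outside 0.0.0.0 0.0.0.0 x.x.x.x
    ("192.168.150.0/24", "inside"),   # connected: ip address inside
    ("192.168.147.0/24", "DMZ1"),     # connected: ip address DMZ1
    ("192.168.146.0/24", "DMZ1"),     # route DMZ1 192.168.146.0 ... 192.168.147.1
    ("192.168.148.0/24", "DMZ1"),     # route DMZ1 192.168.148.0 ... 192.168.146.1
    ("192.168.149.0/24", "DMZ1"),     # route DMZ1 192.168.149.0 ... 192.168.146.1
]

def egress_interface(ip, routes=ROUTES):
    """Longest-prefix match: the interface the PIX would use to reach ip."""
    addr = ipaddress.ip_address(ip)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface

def rpf_check(src, dst, ingress, proto="icmp", routes=ROUTES):
    """Unicast RPF: a packet passes only if the route back to its source
    leaves through the interface it arrived on. Returns (passed, syslog)."""
    back = egress_interface(src, routes)
    if back == ingress:
        return True, ""
    return False, (f"106021: Deny {proto} reverse path check from {src} "
                   f"to {dst} on interface {ingress}.")

if __name__ == "__main__":
    # A host on 192.168.146.0/24 using its own address: the route back
    # points to DMZ1, so the check passes.
    print(rpf_check("192.168.146.10", "192.168.147.2", "DMZ1"))
    # The router's serial address 211.1.1.1 matches only the default route
    # (egress outside), so arriving on DMZ1 it is denied, as in the log.
    print(rpf_check("211.1.1.1", "192.168.147.2", "DMZ1"))
    # Hypothetical route for the serial link via ROUTER2 (not in the posted
    # config): with it the same packet passes the check.
    fixed = ROUTES + [("211.1.1.0/24", "DMZ1")]
    print(rpf_check("211.1.1.1", "192.168.147.2", "DMZ1", routes=fixed))
```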