04-29-2002 07:29 AM - edited 03-08-2019 10:28 PM
I've got a PIX 506 set up in a test lab. I'm allowing Telnet and ICMP through.
Machine A inside
Machine X outside
Machine X pings Machine A. No response. Machine A pings X, response received. Then Machine X can ping A.
Once X pings A, Telnet works.
It's like the PIX sleeps until an internal client wakes it up. It then allows traffic through.
Have you seen this before?
Thanks in advance..
Ray
04-29-2002 10:03 AM
Looks like you are missing a static statement...
04-29-2002 10:18 AM
Pix
Inside 192.168.100.242
Outside 192.168.101.249
Machine A (inside) 192.168.100.118
Machine X (outside) 192.168.101.192
Would the static route be: 192.168.101.0 255.255.255.0 GW:192.168.100.242?
04-29-2002 03:48 PM
If you want Machine A to be accessible from the outside, you'll need:
static (inside,outside) 192.168.101.249 192.168.101.249 255.255.255.255
04-29-2002 05:37 PM
If the 506 has the show commands like the 515 and 525, you can see what's occurring when you do a 'show xlate' command.
Assuming you haven't applied the above static...
- do a clear xlate (clears the translations)
- quickly do a 'show xlate' several times (you can see the translations building that are represented by either the statics you configure, or dynamic entries that the firewall creates when inside resources identify themselves to the firewall, such as with a ping to an outside resource)
- the xlates have a timeout (3:00:00 probably the default), so will live that long.
- the outside resource can access the inside because you have a 'hole' of some kind defined, AND a valid xlate 'lives' in the table.
- when a dynamic entry expires, the outside resource can't get to it until the xlate is recreated in the table.
See also your logs. There should be an entry that says something along the lines of "no translation" or "no xlate entry exists" (for the inside address you're attempting to reach). I'd have to look in my early logs for the exact syntax, but you get the idea.
A final note - the example of the static that has been suggested to you above, assumes you're not doing NAT.
04-30-2002 11:21 AM
First of all, thanks for all of the responses!
The 506 does have the sh commands.
I added the static route, see routes below:
It would not let me add 192.168.101.249 255.255.255.255 192.168.101.249 1 on the inside as it said that it had the same metric.
Result of PIX command: "sh route"
inside 192.168.100.0 255.255.255.0 192.168.100.242 1 CONNECT static
outside 192.168.101.0 255.255.255.0 192.168.101.249 1 CONNECT static
outside 192.168.101.249 255.255.255.255 192.168.101.249 1 OTHER static
I then did a sh xlate:
Result of PIX command: "sh xlate"
1 in use, 1 most used
Global 192.168.100.252 Local 192.168.100.252
The only time that I could see anything in xlate is when Machine A pings X. If I clear xlate I can no longer connect. Makes Sense, Thanks bz.
However, I still cannot connect to Machine A inside without Machine A first identifying itself to the firewall, and then it dies as the timeout expires.
Would someone please give me more assistance with the static routes?
THANKS in advance.
ray
ps. I'm not using NAT.
04-30-2002 01:06 PM
Why did you add 'outside 192.168.101.249 255.255.255.255 192.168.101.249 1 OTHER static'?
This is the same as 'outside 192.168.101.0 255.255.255.0 192.168.101.249 1 CONNECT static'
What I told you to add is a static command not a route command...but I did make a mistake in my previous statement, it should be:
static (inside,outside) 192.168.100.118 192.168.100.118 255.255.255.255
This statement is needed because you want Machine A (192.168.100.118) to be accessible from the outside...hope this helps!
04-30-2002 03:26 PM
Basic rule of thumb:
Add a static NAT translation and then
Add conduit statements or access lists to allow access to it.
What you would need is this: (Pick an ip address outside on the 101 network to be translated to the inside example... lets say 192.168.101.248) Then to get to the inside address of 192.168.100.118 your outside addresses would have to point to this new IP address of -> 192.168.101.248.
static (inside,outside) 192.168.101.248 192.168.100.118 netmask 255.255.255.255 0 0
This is saying to the firewall "If anything wants to get to 192.168.101.248 send it to 192.168.100.118"
Now add the conduit for it.
conduit permit icmp any any
conduit permit tcp host 192.168.101.248 eq telnet any
Tell us how you make out.
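A small Python model of the behaviour described in the thread (added here as an illustration; it is not code from any poster or from Cisco): dynamic xlates created when an inside host talks out expire after the timeout, static xlates do not, and outside-to-inside traffic is forwarded only when a live xlate AND a matching conduit both exist. The Pix class, its method names and the "dropped"/"forwarded" strings are constructed; the addresses, timeout and conduits are the ones used in the thread.

```python
from dataclasses import dataclass, field

XLATE_TIMEOUT = 3 * 60 * 60  # 3:00:00, the default timeout quoted in the thread


@dataclass
class Pix:
    """Toy model (constructed) of the PIX translation table and conduits."""
    now: int = 0
    statics: dict = field(default_factory=dict)   # global -> local; never expires
    dynamic: dict = field(default_factory=dict)   # global -> (local, expires_at)
    conduits: list = field(default_factory=list)  # (proto, global host or 'any', port or None)

    def add_static(self, global_ip, local_ip):
        # static (inside,outside) <global> <local>: a permanent xlate
        self.statics[global_ip] = local_ip

    def add_conduit(self, proto, host="any", port=None):
        # conduit permit <proto> host <global> eq <port> any: the 'hole'
        self.conduits.append((proto, host, port))

    def inside_initiates(self, local_ip):
        # No NAT in the lab, so global == local; the entry still has a lifetime
        self.dynamic[local_ip] = (local_ip, self.now + XLATE_TIMEOUT)

    def advance(self, seconds):
        # Age the table: expired dynamic entries disappear, statics stay
        self.now += seconds
        self.dynamic = {g: v for g, v in self.dynamic.items() if v[1] > self.now}

    def clear_xlate(self):
        self.dynamic.clear()

    def show_xlate(self):
        return sorted(set(self.statics) | set(self.dynamic))

    def outside_to_inside(self, proto, dst_global, port=None):
        # Outside -> inside needs BOTH a live xlate AND a conduit permitting it
        local = self.statics.get(dst_global)
        if local is None and dst_global in self.dynamic:
            local = self.dynamic[dst_global][0]
        if local is None:
            return "dropped: no translation"
        for c_proto, c_host, c_port in self.conduits:
            if c_proto == proto and c_host in ("any", dst_global) and c_port in (None, port):
                return f"forwarded to {local}"
        return "dropped: no conduit"
```

Running the thread's sequence against the model reproduces what Ray saw: X cannot reach A until A pings out, the path dies when the dynamic xlate ages out, and only the static makes it permanent.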