Solved

Cisco PIX firewall routing issue

Posted on 2003-02-26
Last Modified: 2010-04-17
I have a dual Cisco Pix setup here and I'm trying to figure out why traffic won't route correctly from the inside firewall over to the outside firewall and out to the net.

(internet) <-- (router) <-- (littlepix) <-- (big pix)[problem lies at this juncture] <-- (users)

our little pix works with a 192.168.1.1 inside interface, which is what all users point to for their outside access. This part of the picture works 'excellently'.  Here is the config of the 'bigpix' (our internal firewall).  If anyone could help out with this tedious problem it would be greatly appreciated.  Regards, Devon

config of big pix

BIGPIX(config)# wri t
Building configuration...
: Saved
:
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password lQEKAEzt1l7N2CG5 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname BIGPIX
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.85 255.255.255.255
ip address inside 192.168.2.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 192.168.1.86-192.168.1.95 netmask 255.255.255.0
global (outside) 1 192.168.1.96 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit tcp host 192.168.1.71 host 192.168.2.64
conduit permit tcp host 192.168.2.61 192.168.1.0 255.255.255.0
conduit permit tcp host 192.168.2.61 any
route inside 0.0.0.0 255.255.255.0 192.168.1.126 1
route outside 0.0.0.0 0.0.0.0 192.168.1.126 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:b5243b57d3dc889632c28f63163a54e2
: end
[OK]
BIGPIX(config)#

config of littlepix

littlepix(config)# wri t
Building configuration...
: Saved
:
PIX Version 5.2(6)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password lQEKAEzt1l7N2CG5 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname littlepix
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
names
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
logging trap warnings
logging history alerts
logging facility 20
logging queue 512
logging host inside 192.168.1.110
interface ethernet0 10baset
interface ethernet1 10baset
mtu outside 1500
mtu inside 1500
ip address outside 1.2.3.120 255.255.255.0
ip address inside 192.168.1.126 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 1.2.3.10-1.2.3.19 netmask 255.255.255.0
global (outside) 1 1.2.3.5 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 1.2.3.126 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
isakmp identity hostname
telnet 192.168.1.46 255.255.255.255 inside
telnet timeout 15
ssh timeout 5
terminal width 80
Cryptochecksum:c767c936345738713c03b8d7a5d4e7b9
: end
[OK]
littlepix(config)#
0
Comment
Question by:snowdizx
15 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 8029960
You have both routes pointing to the same IP on BIGPIX:
route inside 0.0.0.0 255.255.255.0 192.168.1.126 1
route outside 0.0.0.0 0.0.0.0 192.168.1.126 1

Remove the "route inside" statement completely, leave the route outside
no route inside 0.0.0.0 255.255.255.0 192.168.1.126



0
 

Author Comment

by:snowdizx
ID: 8043306
Config now reads exactly as shown...

BIGPIX(config)# show config
: Saved
:
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password lQEKAEzt1l7N2CG5 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname BIGPIX
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.85 255.255.255.255
ip address inside 192.168.2.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 192.168.1.86-192.168.1.95 netmask 255.255.255.0
global (outside) 1 192.168.1.96 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit tcp host 192.168.1.71 host 192.168.2.64
conduit permit tcp host 192.168.2.61 192.168.1.0 255.255.255.0
conduit permit tcp host 192.168.2.61 any
route outside 0.0.0.0 0.0.0.0 192.168.1.126 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:258daa9077700d9b7d4582e089bfc93d
BIGPIX(config)#

For some reason, still can't get out.  Thank you lrmoore for your post! :) --Devon
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 8043829
From the PIX, can you ping the gateway 192.168.1.126?
Can you ping the PIX outside interface from the router?
Does the interface show up/up with "show interface" ?

You may need to enable icmp to come back in.
Look at the arp cache and make sure you see an arp entry for that gateway address.

0
 

Author Comment

by:snowdizx
ID: 8045025
Thx again for your reply lrmoore, here's answers to your last post! Thank you for your help!

1. I am able to ping the gateway at 192.168.1.126 and it returns ping with 0ms.

BIGPIX(config)# ping outside 192.168.1.126
        192.168.1.126 response received -- 0ms
        192.168.1.126 response received -- 0ms
        192.168.1.126 response received -- 0ms

2. From littlepix, which is effectively routing traffic for BIGPIX, I get the following when I ping its outside interface from littlepix.

littlepix# ping inside 192.168.2.1
        192.168.2.1 NO response received -- 1000ms
        192.168.2.1 NO response received -- 1000ms
        192.168.2.1 NO response received -- 1000ms

(for testing purposes, I enabled 'conduit permit icmp any any' till I can get everything working.)

3. Output of show interface yields...
BIGPIX(config)# show interface
interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 000b.4680.0641
  IP address 192.168.1.85, subnet mask 255.255.255.255
  MTU 1500 bytes, BW 100000 Kbit half duplex
        404442 packets input, 63615174 bytes, 0 no buffer
        Received 365101 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        42515 packets output, 4301729 bytes, 0 underruns
        0 output errors, 7 collisions, 0 interface resets
        0 babbles, 2 late collisions, 17 deferred
        15 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/4)
        output queue (curr/max blocks): hardware (0/4) software (0/2)
interface ethernet1 "inside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 000b.4680.0642
  IP address 192.168.2.1, subnet mask 255.255.255.255
  MTU 1500 bytes, BW 100000 Kbit full duplex
        407725 packets input, 48168963 bytes, 0 no buffer
        Received 365139 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        39608 packets output, 19750596 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/3)
        output queue (curr/max blocks): hardware (0/4) software (0/2)

So 'yes' both show interface up/up.

4. Lastly, the arp table of BIGPIX reads...

BIGPIX(config)# show arp
        outside 192.168.1.47 0008.7436.5278
        outside 192.168.1.126 0007.50b6.fd1b
        inside 192.168.2.111 00c0.0d01.783f

Since I'm able to ping littlepix's outside interface from BIGPIX, I'm thinking there's one minor thing I'm missing.  Irritating huh?
0
 

Author Comment

by:snowdizx
ID: 8045034
one more interesting thing to note.... I'm able to ping my router from bigpix (the inner firewall)

BIGPIX# ping 198.246.70.126
        1.2.3.126 response received -- 0ms
        1.2.3.126 response received -- 0ms
        1.2.3.126 response received -- 0ms
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 8045066
You'll never be able to ping the inside interface from an outside host (it's a "feature" of the PIX). I.e. little pix will never be able to ping 192.168.2.1, so that may not be a viable test.
Can littlepix ping 192.168.1.85 ?
Can littlepix ping its own default gateway 1.2.3.126?
can bigpix ping that gateway 1.2.3.126?

can a host on the inside of bigpix ping that gateway?

Do you get hits on the conduits and xlates?
bigpix#sho conduit
bigpix#sho xlate

same on littlepix

Do you have the PDM enabled, with logging enabled? looking at the pdm log is a great troubleshooting tool...
How about logging on the pix? Is logging on?
BIGPIX(config)#logging on
BIGPIX(config)#logg trap debug
BIGPIX(config)#sho log


0
 
LVL 79

Expert Comment

by:lrmoore
ID: 8045079
Progress?
Since you can ping from bigpix, you should be able to ping it from a client inside bigpix...
Can bigpix ping something on the far outside, i.e. 198.6.1.2 (UUNET cache nameserver)
Can an inside client ping it?

0
 

Author Comment

by:snowdizx
ID: 8045289
1. littlepix can ping 192.168.1.85 successfully
2. littlepix can ping its gateway of 1.2.3.126
3. bigpix can ping 1.2.3.126 without a problem
4. the host inside bigpix cannot ping 1.2.3.126
5. BIGPIX has the following xlate
BIGPIX(config)# show xlate
1 in use, 6 most used
Global 192.168.1.88 Local 192.168.2.111
show conduit on BIGPIX yields...

BIGPIX(config)# show conduit
conduit permit tcp host 192.168.1.71 host 192.168.2.64 (hitcnt=0)
conduit permit tcp host 192.168.2.61 192.168.1.0 255.255.255.0 (hitcnt=0)
conduit permit icmp any any (hitcnt=4)

littlepix# show xlate
Global 1.2.3.110 Local 192.168.1.110 static
Global 1.2.3.116 Local 192.168.1.116 static
Global 1.2.3.118 Local 192.168.1.118 static
Show conduit on littlepix yields...
conduit permit icmp any any (hitcnt=16)

BIGPIX can't ping anything past our router it seems.
Same result with host inside BIGPIX.

logging is turned on, I can't seem to get PDM working.  I wonder if it's something that doesn't work in this IOS or something.  All the other logging commands you specified are on however.  It seems like we have progress, but it just seems to be a routing issue from internal host to external sites.  This is very irritating! :( --Devon
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 300 total points
ID: 8048877
PDM works on 6.0 and above, but you might have to install the pdm files, and enable DES encryption.

Is there a reason that you must double-nat your traffic? Can you try turning off the nat on BIGPIX until we can make sure everything else works?

Can you ping anything on the internet from littlepix?
Any access-lists on the external router?

It might take a few days for me to scrounge up a 2nd pix to try this in my lab.
0
 

Author Comment

by:snowdizx
ID: 8058349
one more interesting thing to note.... I'm able to ping my router from bigpix (the inner firewall)

BIGPIX# ping 198.246.70.126
        1.2.3.126 response received -- 0ms
        1.2.3.126 response received -- 0ms
        1.2.3.126 response received -- 0ms
0
 

Author Comment

by:snowdizx
ID: 8058496
Config now reads exactly as shown...

BIGPIX(config)# show config
: Saved
:
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password lQEKAEzt1l7N2CG5 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname BIGPIX
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.85 255.255.255.255
ip address inside 192.168.2.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 192.168.1.86-192.168.1.95 netmask 255.255.255.0
global (outside) 1 192.168.1.96 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit tcp host 192.168.1.71 host 192.168.2.64
conduit permit tcp host 192.168.2.61 192.168.1.0 255.255.255.0
conduit permit tcp host 192.168.2.61 any
route outside 0.0.0.0 0.0.0.0 192.168.1.126 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:258daa9077700d9b7d4582e089bfc93d
BIGPIX(config)#

For some reason, still can't get out.  Thank you lrmoore for your post! :) --Devon
0
 

Author Comment

by:snowdizx
ID: 8058514
Gave BIGPIX a 'no nat' command to turn off nat.  After writing config I still have identical behavior to before.  Thanks greatly for your help, I'm going to do a complete reload of this config from scratch and see if I can't turn anything up by going that route.  Let me know if you think of anything, your help is greatly appreciated.  --Devon
0
 

Expert Comment

by:JimJ-WAN-Tech
ID: 8249891
Hi,
Here is something to try: change your interface statements so your subnet masks match your subnets.  So they look something more like this:
ip address outside 192.168.1.85 255.255.255.0
ip address inside 192.168.2.1 255.255.255.0

Later....
0
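An added check, not part of the thread: a small Python linter over the interface and route lines of the BIGPIX config posted above. It flags the two defects the replies point at (the 255.255.255.255 interface masks from JimJ's comment, and the next hop 192.168.1.126 that lrmoore noted is shared by routes on both interfaces and, with host masks, sits on no connected subnet), and reports nothing once both suggested changes are applied. The config excerpts are constructed from the thread; the function and constant names are my own.

```python
import ipaddress
import re

IP_ADDR_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)(?: \d+)?$")

# Constructed excerpt: the interface and route lines of the BIGPIX config as first posted.
BIGPIX_ORIGINAL = """\
ip address outside 192.168.1.85 255.255.255.255
ip address inside 192.168.2.1 255.255.255.255
route inside 0.0.0.0 255.255.255.0 192.168.1.126 1
route outside 0.0.0.0 0.0.0.0 192.168.1.126 1
"""

# Constructed excerpt with both suggestions applied: /24 masks and only the outside default route.
BIGPIX_FIXED = """\
ip address outside 192.168.1.85 255.255.255.0
ip address inside 192.168.2.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.1.126 1
"""

def parse(config):
    """Return ({ifname: IPv4Interface}, [(ifname, IPv4Network dest, IPv4Address gateway)])."""
    ifaces, routes = {}, []
    for line in config.splitlines():
        if m := IP_ADDR_RE.match(line.strip()):
            name, addr, mask = m.groups()
            ifaces[name] = ipaddress.ip_interface(f"{addr}/{mask}")
        elif m := ROUTE_RE.match(line.strip()):
            name, dest, mask, gw = m.groups()
            routes.append((name, ipaddress.ip_network(f"{dest}/{mask}", strict=False), ipaddress.ip_address(gw)))
    return ifaces, routes

def lint(config):
    """Return human-readable findings; an empty list means nothing was flagged."""
    ifaces, routes = parse(config)
    findings = []
    for name, intf in ifaces.items():
        if intf.network.prefixlen == 32:
            # A host mask leaves no on-link subnet, so no next hop can be ARPed through this interface.
            findings.append(f"{name}: host mask {intf.netmask} on {intf.ip}; use the real subnet mask")
    by_gateway = {}
    for name, dest, gw in routes:
        by_gateway.setdefault(gw, set()).add(name)
        own = ifaces.get(name)
        if own is not None and gw in own.network:
            continue  # next hop sits on the interface's own subnet, so it is reachable
        home = [n for n, i in ifaces.items() if gw in i.network]
        where = f"lives on '{home[0]}'" if home else "is not on any connected subnet"
        findings.append(f"route {name} {dest} via {gw}: gateway {where}")
    for gw, names in by_gateway.items():
        if len(names) > 1:  # lrmoore's point: one next hop cannot serve routes on two interfaces
            findings.append(f"gateway {gw} is the next hop for routes on {sorted(names)}")
    return findings
```

lint(BIGPIX_ORIGINAL) returns five findings (two host masks, two unreachable gateways, one shared next hop); lint(BIGPIX_FIXED) returns an empty list.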
 
LVL 79

Expert Comment

by:lrmoore
ID: 8442618
G'day, snowdizx
It has been 64 days since you posted this question.
Do you still need help? Have you received enough information?
Can you close out this question?
Ways to close questions: http://www.apollois.com/EE/Help/Closing_Questions.htm
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 8725598
snowdizx,
No comment has been added lately (44 days), so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area for this question:

RECOMMENDATION: Award points to lrmoore

Please leave any comments here within 7 days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

Thanks,

lrmoore
EE Cleanup Volunteer
---------------------
If you feel that your question was not properly addressed, or that none of the comments received were appropriate answers,
please post comments here where a Moderator will see it.
0
