Solved

PIX ping deny puzzle

Posted on 2004-04-03
3
987 Views
Last Modified: 2013-11-29
I have a PIX 525 with three interfaces being used, Outside0, Acc60, Eng20.   Acc60 is security level 60.  Eng20 is security level 20.

Acc60 connects to network 10.70.x.x.  
Eng20 connects to network 172.16.9.x.

From any workstation in 10.70.x.x I can ping 172.16.9.39, 172.16.9.40 and 172.16.9.41.  
Any 172.16.9.x can ping any other 172.16.9.x.

From any workstation in 10.70.x.x I am unable to ping 172.16.9.22.
I receive "Request timed out" on the workstation.
I receive these log entries on the PIX:

Result of firewall command: "show log | include 172.16.9.22"
 
106014: Deny inbound icmp src eng20:172.16.9.22 dst acc60:10.70.250.69 (type 0, code 0)
106014: Deny inbound icmp src eng20:172.16.9.22 dst acc60:10.70.250.69 (type 0, code 0)
106014: Deny inbound icmp src eng20:172.16.9.22 dst acc60:10.70.250.69 (type 0, code 0)

Beyond that, I really can't tell what's going on.  Why is this one workstation being denied and not the other three?

Also, if I do a "tracert 172.16.9.39" from a 10.70.x.x workstation, I get:

Tracing route to ENGPDC02 [172.16.9.39]
over a maximum of 30 hops:

  1   <10 ms   <10 ms   <10 ms  10.70.1.1
  2   <10 ms   <10 ms   <10 ms  ENGPDC02 [172.16.9.39]

Trace complete.

Notice that the ip-address resolves to the correct name, even though there is no DNS resolution of any 172.16.9.x names on the 10.70.x.x network.

But if I do a "tracert 172.16.9.22" I get this:

Tracing route to 172.16.9.22 over a maximum of 30 hops

  1   <10 ms   <10 ms   <10 ms  10.70.1.1
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
    <continues>

(10.70.1.1 is an interface on a Catalyst 4908G-L3.  That switch connects the 10.70.x.x network to the PIX.  I don't think the problem is there, since the deny message is showing up on the PIX logs.)

So how can I troubleshoot this inability to reach 172.16.9.22 from the 10.70.x.x network?

Question by:gateguard
3 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 300 total points
ID: 10747605
Permitting ICMP replies takes an access-list on a PIX.
Since some of the hosts can reply just fine and this one can't, there are two things to look at:
1. subnet mask applied in the access-list that permits icmp-echo
2. routing on the 172.16.9.22 host. What is its default gateway? Does it know how to get to the 10.70.x.x subnet?

0
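As an added illustration of lrmoore's first point (example code, not from anyone in this thread): the script below parses 106014 deny lines in the format quoted in the question and checks each source host against a hypothetical echo-reply access-list whose mask, 172.16.9.32 255.255.255.224, covers .39/.40/.41 but not .22. The access-list, the ICMP type table and the helper names are assumptions, not the asker's configuration.

```python
import ipaddress
import re

# Constructed sample lines in the PIX 106014 format quoted in the question.
LOG_LINES = [
    "106014: Deny inbound icmp src eng20:172.16.9.22 dst acc60:10.70.250.69 (type 0, code 0)",
    "106014: Deny inbound icmp src eng20:172.16.9.22 dst acc60:10.70.250.69 (type 0, code 0)",
]

# Hypothetical ACL (assumption, not from the thread): 255.255.255.224 makes the
# source 172.16.9.32/27, i.e. .32-.63, so .39/.40/.41 match but .22 does not.
ACL_LINES = [
    "access-list eng20_in permit icmp 172.16.9.32 255.255.255.224 10.70.0.0 255.255.0.0 echo-reply",
]

LOG_RE = re.compile(
    r"106014: Deny inbound icmp src (\S+?):([\d.]+) dst (\S+?):([\d.]+) "
    r"\(type (\d+), code (\d+)\)"
)
ACL_RE = re.compile(
    r"access-list \S+ permit icmp ([\d.]+) ([\d.]+) ([\d.]+) ([\d.]+)(?: (\S+))?$"
)
# ICMP keyword -> type number, for the keywords used in this example.
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "echo": 8, "time-exceeded": 11}


def parse_deny(line):
    """Return (src_if, src, dst_if, dst, icmp_type) for a 106014 line, else None."""
    m = LOG_RE.match(line)
    return (m[1], m[2], m[3], m[4], int(m[5])) if m else None


def acl_permits(acl_lines, src, dst, icmp_type):
    """True if some permit entry matches src/dst (dotted masks) and the ICMP type."""
    for ace in acl_lines:
        m = ACL_RE.match(ace)
        if not m:
            continue
        src_net = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        dst_net = ipaddress.ip_network(f"{m[3]}/{m[4]}", strict=False)
        type_ok = m[5] is None or ICMP_TYPES.get(m[5]) == icmp_type
        if (ipaddress.ip_address(src) in src_net
                and ipaddress.ip_address(dst) in dst_net and type_ok):
            return True
    return False


def denies_outside_acl(log_lines, acl_lines):
    """Distinct denied (src, dst, type) flows that no ACL entry would permit."""
    flows = set()
    for line in log_lines:
        p = parse_deny(line)
        if p and not acl_permits(acl_lines, p[1], p[3], p[4]):
            flows.add((p[1], p[3], p[4]))
    return sorted(flows)
```

Running it with the real access-list from `show access-list` in place of ACL_LINES shows directly whether the denied host falls outside the permitted source range.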
 
LVL 11

Assisted Solution

by:PennGwyn
PennGwyn earned 200 total points
ID: 10761276
It's not routing, because he sees the answer attempts in the PIX log.  So that leaves something in the PIX config, probably an access list, that's incorrect.

0
 

Author Comment

by:gateguard
ID: 10822800
I've been looking into all this and I don't really see why the PIX is even replying at all.  This network is more complicated than I've indicated here, with different switches and an L3 switch... anyway, it turns out that if I substitute a Windows machine for the 172.16.9.22 it solves my problem.  The difference being I know how to configure a Windows machine; I don't know how to configure the original Linux machine.  So I've turned this problem over to the people who do.

0
