Solved

PIX ping deny puzzle

Posted on 2004-04-03
988 Views
Last Modified: 2013-11-29
I have a PIX 525 with three interfaces being used, Outside0, Acc60, Eng20. Acc60 is security level 60. Eng20 is security level 20.

Acc60 connects to network 10.70.x.x.  
Eng20 connects to network 172.16.9.x.

From any workstation in 10.70.x.x I can ping 172.16.9.39, 172.16.9.40 and 172.16.9.41.  
Any 172.16.9.x can ping any other 172.16.9.x.

From any workstation in 10.70.x.x I am unable to ping 172.16.9.22.
I receive "Request timed out" on the workstation.
I receive these log entries on the PIX:

Result of firewall command: "show log | include 172.16.9.22"
 
106014: Deny inbound icmp src eng20:172.16.9.22 dst acc60:10.70.250.69 (type 0, code 0)
106014: Deny inbound icmp src eng20:172.16.9.22 dst acc60:10.70.250.69 (type 0, code 0)
106014: Deny inbound icmp src eng20:172.16.9.22 dst acc60:10.70.250.69 (type 0, code 0)

Beyond that, I really can't tell what's going on.  Why is this one workstation being denied and not the other three?

Also, if I do a "tracert 172.16.9.39" from a 10.70.x.x workstation, I get:

Tracing route to ENGPDC02 [172.16.9.39]
over a maximum of 30 hops:

  1   <10 ms   <10 ms   <10 ms  10.70.1.1
  2   <10 ms   <10 ms   <10 ms  ENGPDC02 [172.16.9.39]

Trace complete.

Notice that the ip-address resolves to the correct name, even though there is no DNS resolution of any 172.16.9.x names on the 10.70.x.x network.

But if I do a "tracert 172.16.9.22" I get this:

Tracing route to 172.16.9.22 over a maximum of 30 hops

  1   <10 ms   <10 ms   <10 ms  10.70.1.1
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
    <continues>

(10.70.1.1 is an interface on a Catalyst 4908G-L3.  That switch connects the 10.70.x.x network to the PIX.  I don't think the problem is there, since the deny message is showing up on the PIX logs.)

So how can I troubleshoot this inability to reach 172.16.9.22 from the 10.70.x.x network?

Question by:gateguard
3 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 300 total points
ID: 10747605
Permitting icmp replies takes an access-list on a PIX.
Since some of the hosts can reply just fine and this one can't, there are two things to look at:
1. subnet mask applied in the access-list that permits icmp-echo
2. routing on the 172.16.9.22 host. What is its default gateway? Does it know how to get to the 10.70.x.x subnet?

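To make point 1 above concrete, here is an added example (not from the original thread or from Cisco) that parses the 106014 log lines quoted in the question and evaluates each denied flow against a hypothetical PIX-style access-list entry. The access-list entry, its name, and in particular the 255.255.255.240 source mask are assumptions constructed for illustration; nothing on the page states the real mask. With that mask, 172.16.9.39, .40 and .41 fall inside the permitted source range while 172.16.9.22 does not, which is exactly the symptom described.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample input: the three 106014 lines quoted in the question.
PIX_LOG = """\
106014: Deny inbound icmp src eng20:172.16.9.22 dst acc60:10.70.250.69 (type 0, code 0)
106014: Deny inbound icmp src eng20:172.16.9.22 dst acc60:10.70.250.69 (type 0, code 0)
106014: Deny inbound icmp src eng20:172.16.9.22 dst acc60:10.70.250.69 (type 0, code 0)
"""

# Hypothetical access-list applied inbound on eng20 (lower security level), laid
# out like a PIX 6.x entry: source network + mask, destination network + mask,
# ICMP type. The /28 source mask is the ASSUMED misconfiguration: it covers
# 172.16.9.32-.47, so .39/.40/.41 match and .22 does not. Not taken from the page.
ACL_ENG20_IN = [
    {"action": "permit", "proto": "icmp",
     "src": "172.16.9.32", "src_mask": "255.255.255.240",
     "dst": "10.70.0.0", "dst_mask": "255.255.0.0",
     "icmp_type": 0},  # 0 = echo-reply
]

LINE_RE = re.compile(
    r"^(?P<msgid>\d+): Deny inbound (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src>[\d.]+) "
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+) "
    r"\(type (?P<type>\d+), code (?P<code>\d+)\)$"
)


def parse_106014(log_text):
    """Parse PIX 106014 'Deny inbound icmp' lines into dicts; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("msgid") != "106014":
            continue
        d = m.groupdict()
        d["type"] = int(d["type"])
        d["code"] = int(d["code"])
        events.append(d)
    return events


def entry_matches(entry, src, dst, icmp_type):
    """True if the packet's addresses and ICMP type fall within one ACL entry."""
    src_net = ipaddress.ip_network(f"{entry['src']}/{entry['src_mask']}", strict=False)
    dst_net = ipaddress.ip_network(f"{entry['dst']}/{entry['dst_mask']}", strict=False)
    return (entry["proto"] == "icmp"
            and ipaddress.ip_address(src) in src_net
            and ipaddress.ip_address(dst) in dst_net
            and entry.get("icmp_type") in (None, icmp_type))


def acl_action(acl, src, dst, icmp_type):
    """First-match evaluation: action of the first matching entry, else the
    implicit 'deny' at the end of every access-list."""
    for entry in acl:
        if entry_matches(entry, src, dst, icmp_type):
            return entry["action"]
    return "deny"


def summarize_denials(log_text, acl):
    """Group denied flows from the log, count them, and report what the given
    access-list would do with each one."""
    counts = Counter((e["src"], e["dst"], e["type"]) for e in parse_106014(log_text))
    return {
        key: {"count": n, "acl_action": acl_action(acl, key[0], key[1], key[2])}
        for key, n in counts.items()
    }


if __name__ == "__main__":
    for (src, dst, icmp_type), info in summarize_denials(PIX_LOG, ACL_ENG20_IN).items():
        print(f"{src} -> {dst} icmp type {icmp_type}: "
              f"{info['count']} denies, hypothetical ACL says {info['acl_action']}")
    # The hosts that do work in the question, checked against the same entry:
    for host in ("172.16.9.39", "172.16.9.40", "172.16.9.41"):
        print(host, acl_action(ACL_ENG20_IN, host, "10.70.250.69", 0))
```

Swap in the real access-list entries from the PIX config and the summary will show directly whether the denied source falls outside a permitted range or hits a deny entry before a permit.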
 
LVL 11

Assisted Solution

by:PennGwyn
PennGwyn earned 200 total points
ID: 10761276
It's not routing, because he sees the answer attempts in the PIX log.  So that leaves something in the PIX config, probably an access list, that's incorrect.

 

Author Comment

by:gateguard
ID: 10822800
I've been looking into all this and I don't really see why the PIX is even replying at all.  This network is more complicated than I've indicated here, with different switches and an L3 switch... anyway, it turns out that if I substitute a Windows machine for the 172.16.9.22 it solves my problem.  The difference being I know how to configure a Windows machine, I don't know how to configure the original Linux machine.  So I've turned this problem over to the people who do.

