Solved

Pinging the NAT'd address of a host from the inside

Posted on 2006-11-27
889 Views
Last Modified: 2008-01-09
Hi All

We are sitting behind a PIX 506e, with a couple of servers using NAT'd addresses. We can't ping the translated IP of a server's address from the inside (i.e. we can't ping its external address from the internal subnet). I'm not even sure if this is possible with PIX, but here goes...

PIX config below

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***** encrypted
passwd ***** encrypted
hostname fwlon
domain-name domain.co.uk
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name y.241 mail_outside
name 192.168.1.9 srvroom
name 192.168.1.8 inbound_SMTP
name x.242 HQPIX
name 172.168.0.0 HQ
name y.240 LondonPIX
name 192.168.1.11 DC
name 192.168.1.1 mailserv
name 192.168.1.3 notes
name 192.168.1.4 fileserv
name z.174 Supplier1
name 192.168.10.0 VPN_Pool10
object-group service DNS tcp-udp
  description DNS
  port-object eq domain
object-group service LANGlobal tcp
  group-object DNS
  port-object eq ftp
  port-object eq pop3
  port-object eq domain
  port-object eq www
  port-object eq https
object-group service test udp
  group-object DNS
  port-object eq dnsix
  port-object eq nameserver
  port-object eq domain
access-list outside_access_in remark Allow Mail to SMTP Gateway
access-list outside_access_in remark
access-list outside_access_in permit tcp any host mail_outside eq smtp
access-list outside_access_in remark Allow IPsec Traffic - isakmp
access-list outside_access_in permit udp host HQPIX host y.243 eq isakmp
access-list outside_access_in remark Allow IPsec Traffic - ah
access-list outside_access_in permit ah host HQPIX host y.243
access-list outside_access_in remark Allow IPsec Traffic - esp
access-list outside_access_in permit esp host HQPIX host y.243
access-list outside_access_in remark LANGlobal Service Group Inbound Access
access-list outside_access_in permit tcp any object-group LANGlobal y.0 255.255.255.0 object-group LANGlobal
access-list outside_access_in remark Web Access
access-list outside_access_in permit tcp any host y.242 eq www
access-list outside_access_in remark Deny Port 1434
access-list outside_access_in remark
access-list outside_access_in deny udp any eq 1434 any
access-list outside_access_in remark Allow ICMP
access-list outside_access_in remark
access-list outside_access_in permit icmp any any
access-list outside_access_in remark Deny everything else
access-list outside_access_in deny tcp any any
access-list outside_access_in remark Block everything to come in.
access-list inside_access_in remark Allow IP traffic
access-list inside_access_in permit ip any any
access-list inside_access_in remark Deny UDP Port 1434 Out
access-list inside_access_in deny udp any eq 1434 any
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 HQ 255.255.252.0
access-list inside_outbound_nat0_acl remark NO NAT PPTP
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 VPN_Pool10 255.255.255.0
access-list outside_cryptomap_20 remark HQ VPN
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 HQ 255.255.252.0
pager lines 24
logging on
logging timestamp
logging trap informational
logging host inside 192.168.1.7
icmp permit any outside
mtu outside 1500
mtu inside 1500
ip address outside y.243 255.255.255.240
ip address inside 192.168.1.5 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN_Pool10 192.168.10.1-192.168.10.5
pdm location mail_outside 255.255.255.255 outside
pdm location 192.168.1.192 255.255.255.224 outside
pdm location srvroom 255.255.255.255 inside
pdm location inbound_SMTP 255.255.255.255 inside
pdm location notes 255.255.255.255 inside
pdm location HQ 255.255.252.0 outside
pdm location LondonPIX 255.255.255.255 outside
pdm location HQPIX 255.255.255.255 outside
pdm location LondonPIX 255.255.255.255 inside
pdm location HQ 255.255.0.0 outside
pdm location mailserv 255.255.255.255 inside
pdm location DC 255.255.255.255 inside
pdm location fileserv 255.255.255.255 inside
pdm location 192.168.1.2 255.255.255.255 inside
pdm location 192.168.1.7 255.255.255.255 inside
pdm location Supplier1 255.255.255.255 outside
pdm location VPN_Pool10 255.255.255.0 outside
pdm location 192.168.1.14 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) mail_outside inbound_SMTP netmask 255.255.255.255 0 0
static (inside,outside) y.242 192.168.1.14 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 y.254 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http srvroom 255.255.255.255 inside
http notes 255.255.255.255 inside
http mailserv 255.255.255.255 inside
http DC 255.255.255.255 inside
http fileserv 255.255.255.255 inside
http 192.168.1.7 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer HQPIX
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address HQPIX netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet srvroom 255.255.255.255 inside
telnet mailserv 255.255.255.255 inside
telnet fileserv 255.255.255.255 inside
telnet 192.168.1.7 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 10
vpdn group VPN2 accept dialin pptp
vpdn group VPN2 ppp authentication mschap
vpdn group VPN2 ppp encryption mppe 128 required
vpdn group VPN2 client configuration address local VPN_Pool10
vpdn group VPN2 client configuration dns fileserv DC
vpdn group VPN2 client configuration wins mailserv
vpdn group VPN2 pptp echo 60
vpdn group VPN2 client authentication local
vpdn username HQ_User1 password *********
vpdn username London_User1 password *********
vpdn username London_User2 password *********
vpdn enable outside
dhcprelay server DC inside
dhcprelay enable outside
dhcprelay setroute outside
username User3 password ** encrypted privilege 15
username User4 password ** encrypted privilege 15
username User5 password ** encrypted privilege 15
terminal width 80
banner exec Authorised access only
banner exec This system is the property of MyCompany
banner exec Disconnect IMMEDIATELY if you are not an authorised user !
banner exec Contact *** for help.
banner exec User Access Verification
banner login Welcome
Cryptochecksum:f739ffe940683c93b8db43026b426496
: end
[OK]

Many thanks in advance.
Question by: Dilan77
2 Comments

Accepted Solution by: killbrad (earned 150 total points)
You usually cannot ping the outside port of a pix from the inside.

http://www.velocityreviews.com/forums/t40893-pix-pinging-outside-interface-from-inside-host.html

Assisted Solution by: dskillin (earned 100 total points)
You can't ping the translated address; the PIX doesn't allow inside IPs to talk to the outside IPs by default...

dskillin@storm ~ $ ping 192.168.210.4
PING 192.168.210.4 (192.168.210.4) 56(84) bytes of data.
64 bytes from 192.168.210.4: icmp_seq=1 ttl=127 time=1.38 ms
64 bytes from 192.168.210.4: icmp_seq=2 ttl=127 time=0.597 ms
64 bytes from 192.168.210.4: icmp_seq=3 ttl=127 time=0.879 ms

--- 192.168.210.4 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1998ms
rtt min/avg/max/mdev = 0.597/0.954/1.387/0.327 ms


dskillin@storm ~ $ ping 64.xx.xxx.xxx
PING 64.xx.xxx.xxx (64.xx.xxx.xxx) 56(84) bytes of data.

--- 64.xx.xxx.xxx ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3003ms

PIX# sh conf | inc 192.168.210.4

static (inside,outside) 64.xx.xxx.xxx 192.168.210.4 netmask 255.255.255.255 0 0
 <---snip--->


There is a way to do it, but it's ugly...

http://www.velocityreviews.com/forums/t30665-cannot-ping-public-ip-from-internal.html

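Both answers make the same point: from the inside, the PIX will not hairpin traffic to its own outside address or to the global side of a static. As an added illustration, not from either poster, the following Python helper reads the `name`, `ip address` and `static` lines of a PIX 6.3 config in the format shown in the question and tells you what an inside host is really aiming at when it pings a given address, and which inside address to test instead. The config excerpt is constructed from the question's own lines (the y.NNN tokens are the poster's placeholders) and 203.0.113.7 is a documentation-range address used as a constructed sample.

```python
import re

# Constructed excerpt of the PIX 6.3 config posted in the question; the
# y.NNN tokens are the poster's own placeholders, not routable addresses.
PIX_CONFIG = """
name y.241 mail_outside
name 192.168.1.8 inbound_SMTP
ip address outside y.243 255.255.255.240
ip address inside 192.168.1.5 255.255.255.0
static (inside,outside) mail_outside inbound_SMTP netmask 255.255.255.255 0 0
static (inside,outside) y.242 192.168.1.14 netmask 255.255.255.255 0 0
"""

NAME_RE = re.compile(r"^name (\S+) (\S+)$")
IFACE_RE = re.compile(r"^ip address (\S+) (\S+) \S+$")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask")

def parse_pix(config):
    """Return (names, interfaces, statics); statics maps global -> local address."""
    names, interfaces, raw = {}, {}, []
    for line in config.splitlines():
        line = line.strip()
        if m := NAME_RE.match(line):
            names[m.group(2)] = m.group(1)        # alias -> address
        elif m := IFACE_RE.match(line):
            interfaces[m.group(1)] = m.group(2)   # nameif -> interface address
        elif m := STATIC_RE.match(line):
            raw.append((m.group(3), m.group(4)))  # (global, local), possibly aliases
    # Resolve aliases after the pass so 'name' lines may appear anywhere in the file.
    statics = {names.get(g, g): names.get(l, l) for g, l in raw}
    return names, interfaces, statics

def classify_inside_ping(dest, names, interfaces, statics):
    """Classify what an inside host aims at when it pings `dest`; returns (kind, inside_target).
    outside-interface: the PIX's own outside address, not pingable from the inside.
    static-global: translated side of a static; the PIX will not hairpin it from the
    inside, so ping the returned inside address instead. inside-local / routed: other cases."""
    addr = names.get(dest, dest)
    if addr == interfaces.get("outside"):
        return "outside-interface", None
    if addr in statics:
        return "static-global", statics[addr]
    if addr in statics.values():
        return "inside-local", addr
    return "routed", None

if __name__ == "__main__":
    parsed = parse_pix(PIX_CONFIG)
    for target in ("y.241", "mail_outside", "y.243", "192.168.1.14", "203.0.113.7"):
        print(target, "->", classify_inside_ping(target, *parsed))
```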