PIX not listed as a hop using tracert

I have a rather large development network strung together using 5 Server 2003 x64 Opteron boxes running VMware Server with VirtualCenter for VMware. There are 4 separate internal network subnets: 10.10.x.x, 172.16.20.x, 192.168.0.x, 192.168.1.x. I am using a Server 2003 box with RRAS enabled to manage traffic between networks, but have a PIX firewall that's used to manage incoming traffic and test VPN traffic changes. Routing between all nodes and the internet works fine, but tracerts do not respond with the IP of the PIX. It looks as though the tracert skips right over it and uses my IP subnet default gateway.

If I'm on the 172 network I get the following:

 1    <1 ms    <1 ms    <1 ms  ASP-CORE-01 [172.16.20.250]
 2     4 ms     3 ms     3 ms  rrcs-24-x-x-x. biz.rr.com [24.x.x.x] <- this is my internet default gateway

What i would expect to get would be the following:

 1    <1 ms    <1 ms    <1 ms  ASP-CORE-01 [172.16.20.250]
 2    <1 ms    <1 ms    <1 ms  PIX1 [10.10.2.254]
 3     4 ms     3 ms     3 ms  rrcs-24-x-x-x. biz.rr.com [24.x.x.x]

I'm assuming I'm missing a command in the PIX, I just don't know which one.
Nabeely commented:
PIX does not allow ICMP (i.e. ping and tracert) packets through it; you need to issue an access-list or conduit command to allow that. It is actually three commands to allow ICMP, echo and echo-reply; if you use any any for them, that allows from anywhere.

But be warned, this should be used only for testing and it is not a secure method.
Galtar99 commented:
Updates?
newimagent (Author) commented:
Hasn't worked yet.

I've got an explicit allow any any outside = All ICMP and it's still not working.

I've also tried it with the static mapping from that document.

I'll keep looking into it.
Galtar99 commented:
Could you post your config?
newimagent (Author) commented:
Output from sh run:

PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password NyS9rVcQ.7MDdcG7 encrypted
passwd NyS9rVcQ.7MDdcG7 encrypted
hostname PIX1
domain-name x.x.x.x
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.10.0.100 CSL-APP-Server
name 10.10.0.102 CSL-DEV-1
name 172.16.0.0 VPN_Clients
name 10.254.1.20 NI-FS1
name 10.254.1.35 NI-TS-01
name 10.255.10.10 ASP-VEX-01
name 10.254.1.60 COMServer1
name 10.254.1.101 CSL-Web-1
name 10.255.10.75 ASP-VAPP-01
access-list ethernet0 permit icmp any any
access-list ethernet0 remark Exchange Mail Transport
access-list ethernet0 permit tcp any host x.x.x.x eq smtp
access-list ethernet0 remark Outlook Web Access
access-list ethernet0 permit tcp any host x.x.x.x eq www
access-list ethernet0 remark SSL Connection for Outlook Web Access
access-list ethernet0 permit tcp any host x.x.x.x eq https
access-list ethernet0 remark Exchange IMAP4 SSL Connection
access-list ethernet0 permit tcp any host x.x.x.x eq 993
access-list ethernet0 remark RDP to COMServer1
access-list ethernet0 permit tcp any host x.x.x.x eq 3389
access-list ethernet0 remark Teamspeak Server Connection Ports
access-list ethernet0 permit udp any host x.x.x.x range 8767 8800
access-list ethernet0 remark VENT PORT
access-list ethernet0 permit tcp any host x.x.x.x eq 4700
access-list ethernet0 remark Vent Ports
access-list ethernet0 permit tcp any host x.x.x.x range 3783 3800
access-list ethernet0 remark Vent Server Ports
access-list ethernet0 permit udp any host x.x.x.x range 3783 3800
access-list ethernet0 remark Teamspeak Server Web Administration Interface
access-list ethernet0 permit tcp any host x.x.x.x eq 14534
access-list ethernet0 remark TCP Shoutcast
access-list ethernet0 permit tcp any host x.x.x.x range 8500 8501
access-list ethernet0 remark UDP Shoutcast
access-list ethernet0 permit udp any host x.x.x.x range 8500 8501
access-list ethernet0 remark SQL Query Port
access-list ethernet0 permit tcp any host x.x.x.x eq 51234
access-list ethernet0 remark App Server RDP Connection
access-list ethernet0 permit tcp any host x.x.x.x eq 3389
access-list ethernet0 remark FTP Site Access
access-list ethernet0 permit tcp any host x.x.x.x eq ftp
access-list ethernet0 permit tcp any host x.x.x.x eq 3389
access-list ethernet0 remark www.xxxx.com
access-list ethernet0 permit tcp any host x.x.x.x eq www
access-list ethernet0 remark mySQL Connection
access-list ethernet0 permit tcp any host x.x.x.x eq 3306
access-list ethernet0 remark SSH
access-list ethernet0 permit tcp any host x.x.x.x eq ssh
access-list ethernet0 remark Webmin
access-list ethernet0 permit tcp any host x.x.x.x eq 10000
access-list ethernet0 remark RDP Access
access-list ethernet0 permit tcp any host x.x.x.x eq 3389
access-list ethernet0 remark http access
access-list ethernet0 permit tcp any host x.x.x.x eq www
access-list ethernet0 remark secure http access
access-list ethernet0 permit tcp any host x.x.x.x eq https
access-list ethernet0 remark RDP Access
access-list ethernet0 permit tcp any host x.x.x.x eq 3389
access-list inside_outbound_nat0_acl permit ip any VPN_Clients 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any VPN_Clients 255.255.255.224
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x 255.255.255.224
ip address inside 10.255.255.1 255.255.0.0
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN1 172.16.0.1-172.16.0.25 mask 255.255.255.0
pdm location CSL-APP-Server 255.255.255.255 inside
pdm location CSL-DEV-1 255.255.255.255 inside
pdm location VPN_Clients 255.255.0.0 outside
pdm location VPN_Clients 255.255.255.0 outside
pdm location 172.16.20.0 255.255.255.0 inside
pdm location 10.254.1.0 255.255.255.0 inside
pdm location 10.254.2.0 255.255.255.0 inside
pdm location 10.254.3.0 255.255.255.0 inside
pdm location 172.30.1.0 255.255.255.0 inside
pdm location 172.30.2.0 255.255.255.0 inside
pdm location 192.168.100.0 255.255.255.0 inside
pdm location NI-FS1 255.255.255.255 inside
pdm location NI-TS-01 255.255.255.255 inside
pdm location ASP-VEX-01 255.255.255.255 inside
pdm location COMServer1 255.255.255.255 inside
pdm location CSL-Web-1 255.255.255.255 inside
pdm location ASP-VAPP-01 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp x.x.x.x ftp NI-FS1 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.x 3389 ASP-VAPP-01 3389 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x COMServer1 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x ASP-VEX-01 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x CSL-APP-Server netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x CSL-Web-1 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x CSL-DEV-1 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x NI-TS-01 netmask 255.255.255.255 0 0
access-group ethernet0 in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 10.254.1.0 255.255.255.0 10.255.255.254 1
route inside 10.254.2.0 255.255.255.0 10.255.255.254 1
route inside 10.254.3.0 255.255.255.0 10.255.255.254 1
route inside 172.30.1.0 255.255.255.0 10.255.255.254 1
route inside 172.30.2.0 255.255.255.0 10.255.255.254 1
route inside 192.168.100.0 255.255.255.0 10.255.255.254 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.255.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map_1 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map_1 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map_1
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup Velocity-ASP_Admins address-pool VPN1
vpngroup Velocity-ASP_Admins dns-server 10.10.0.10 10.10.0.11
vpngroup Velocity-ASP_Admins default-domain newimagent.local
vpngroup Velocity-ASP_Admins idle-time 1800
vpngroup Velocity-ASP_Admins password ********
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 60
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:345cce28fbde004b2fcd42ba28a10ed4
: end
PIX1#
Galtar99 commented:
I read somewhere that there's a bug in 6.3(4) of the PIX that it resets the TTL.  Try 6.3(5), it should be fixed.
Galtar99 commented:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800e9312.shtml

Did some more reading, this is by design in PIX <7.0.

This output is an example of an outbound traceroute command through a PIX. Note that you do not see the inside interface of the PIX but do see the "near interfaces" of each router between the tracing device and the destination.
In PIX 7.0, if NAT is enabled, you are unable to see the IP addresses of the PIX interfaces and the real IP addresses of the intermediate hops. However, in PIX 7.0, NAT is not a must and can be disabled with the no nat-control command. If the NAT rule is removed, you are able to see the real IP address, provided that the real IP address is a routeable one.

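As an added illustration (not from the thread or from Cisco's note), a small Python model of the two points raised above: a hop that forwards packets without decrementing the IP TTL never generates an ICMP time-exceeded reply and so never appears in a traceroute, and the time-exceeded replies from routers beyond the firewall only reach the tracing host if the outside ACL permits ICMP back in. The hop names and addresses are the ones from the question; 24.x.x.x is kept as the poster's redacted label.

```python
from dataclasses import dataclass

@dataclass
class Hop:
    name: str
    ip: str
    decrements_ttl: bool = True   # PIX < 7.0 forwards without decrementing TTL
    filters_icmp: bool = False    # firewall: outside ACL must permit ICMP back in

def probe(path, ttl, icmp_allowed_in):
    """One probe with the given TTL; returns the replying hop's IP or '*'."""
    behind_firewall = False
    for hop in path:
        if hop.decrements_ttl:
            ttl -= 1
            if ttl == 0:
                # This hop answers with ICMP time-exceeded; the reply must cross any firewall in front of it.
                return "*" if behind_firewall and not icmp_allowed_in else hop.ip
        if hop.filters_icmp:
            behind_firewall = True
    return "*"   # TTL never expired on this path (not reached in the demo)

def traceroute(path, icmp_allowed_in=True, max_hops=8):
    """One entry per TTL, stopping once the last hop of the path replies."""
    hops = []
    for ttl in range(1, max_hops + 1):
        reply = probe(path, ttl, icmp_allowed_in)
        hops.append(reply)
        if reply == path[-1].ip:
            break
    return hops

# Constructed path from the question: inside router, PIX, ISP default gateway.
PATH = [
    Hop("ASP-CORE-01", "172.16.20.250"),
    Hop("PIX1", "10.10.2.254", decrements_ttl=False, filters_icmp=True),
    Hop("rrcs-24-x-x-x.biz.rr.com", "24.x.x.x"),
]
# Same path if the firewall decremented TTL the way a router does.
PATH_TTL_DECREMENT = [
    PATH[0],
    Hop("PIX1", "10.10.2.254", decrements_ttl=True, filters_icmp=True),
    PATH[2],
]

if __name__ == "__main__":
    print(traceroute(PATH))                         # PIX missing, as observed
    print(traceroute(PATH_TTL_DECREMENT))           # PIX shows up as hop 2
    print(traceroute(PATH, icmp_allowed_in=False))  # everything past hop 1 times out
```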
newimagent (Author) commented:
That sucks, but it's good to know. Maybe it's time to play with something a little newer like an ASA or Juniper firewall.

Thanks for the info!