Routing Issue - Cisco

I have a situation where in one of my offices I have a Cisco 1751 and a Cisco Pix. The Pix has internet access and the 1751 is a T1.  There is a strange situation where I need to send traffic destined for one host through the pix.

The 1751 (10.75.2.1) is the gateway in the subnet.  Under normal instances all traffic goes through this 1751 box. There is a tracker that sends traffic through an IPSEC tunnel on the Pix if the T1 is down. This part all works fine I am just telling you this so you have some context.

The pix is 10.75.2.2 - I can log into that pix and ping my address I am trying to create a route for no problem (let's say 1.1.1.1). I have defined in the 1751 a route which looks like this.

IP ROUTE 1.1.1.1 255.255.255.255 10.75.2.2

And there are two additional routes in this 1751 router...
IP ROUTE 0.0.0.0 0.0.0.0 2.2.2.2 track 10 (this is the tracker we are using and means default is to go over the T1)
IP ROUTE 0.0.0.0 0.0.0.0 10.75.2.2 200 (this is the secondary route to send traffic to the PIX if the T1 is down)

My question is this... I cannot seem to get the pix to show up when I do a traceroute in the 1751 to this 1.1.1.1 address - and I cannot ping 1.1.1.1 either.  If I take the route off that sends the traffic to 10.75.2.2 then the ping works, but this sends the traffic through my default gateway. I cannot understand why, if the pix can ping 1.1.1.1 and my 1751 gateway has a route to get to 1.1.1.1 that needs to go to the pix, my 1751 cannot ping the 1.1.1.1 address...

HELP!
Asked by: NTGuru705
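As an added example (not part of the question or the configs in this thread), a small Python model of how IOS picks between the three static routes above: the T1 default tracked by object 10, the floating default to the PIX with distance 200, and the /32 host route (216.10.240.54 in the posted router config). It rebuilds the routing table with the tracker up and down; the class and function names are my own.

```python
import ipaddress
from typing import Dict, List, NamedTuple, Optional

class Static(NamedTuple):
    prefix: str                   # destination network
    next_hop: str
    distance: int = 1             # administrative distance; IOS default for a static route
    track: Optional[int] = None   # tracked object that must be up for the route to install

# The three static routes from the router config in this thread: the T1 default
# tracked by object 10, the floating default to the PIX, and the /32 host route.
ROUTES = [
    Static("0.0.0.0/0", "63.252.28.153", track=10),
    Static("0.0.0.0/0", "10.75.2.2", distance=200),
    Static("216.10.240.54/32", "10.75.2.2"),
]

def build_rib(routes: List[Static], track_up: Dict[int, bool]) -> Dict[ipaddress.IPv4Network, Static]:
    """Install, per prefix, the lowest-distance candidate whose tracked object is up."""
    rib: Dict[ipaddress.IPv4Network, Static] = {}
    for r in routes:
        if r.track is not None and not track_up.get(r.track, False):
            continue  # withdrawn while its track object is down
        net = ipaddress.ip_network(r.prefix)
        if net not in rib or r.distance < rib[net].distance:
            rib[net] = r
    return rib

def next_hop(rib: Dict[ipaddress.IPv4Network, Static], dst: str) -> Optional[str]:
    """Longest-prefix match over the installed routes, as the forwarding lookup does."""
    addr = ipaddress.ip_address(dst)
    matches = [net for net in rib if addr in net]
    if not matches:
        return None
    return rib[max(matches, key=lambda net: net.prefixlen)].next_hop

def path(dst: str, t1_up: bool) -> Optional[str]:
    """Next hop the 1751 uses for dst with the T1 tracker up or down."""
    return next_hop(build_rib(ROUTES, {10: t1_up}), dst)

if __name__ == "__main__":
    # 203.0.113.10 is a constructed (documentation-range) Internet destination.
    for dst in ("216.10.240.54", "203.0.113.10"):
        print(dst, "T1 up ->", path(dst, True), "| T1 down ->", path(dst, False))
```

The host route wins by longest prefix whether or not the T1 is up, so the route itself always points at the PIX; only the default route moves between the T1 and the PIX.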
1 Solution
 
btassure commented:
Can you post configs of the PIX and the router please? Remove any passwords or live IPs!

JFrederick29 commented:
It may simply be that the PIX is not allowing ICMP replies.

If you have an access-list applied to the outside interface make sure to include this:

For example:

access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any unreachable
access-list outside_access_in permit icmp any any time-exceeded
access-group outside_access_in in interface outside

NTGuru705 (Author) commented:
PIX CONFIG
=====================================
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 123 encrypted
passwd 123 encrypted
hostname CedarRapids-Pix
domain-name mycompany.com
clock timezone CST -6
clock summer-time CDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
fixup protocol dns maximum-length 1500
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_out permit icmp any any
access-list ipsec permit ip 10.75.2.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list nonat permit ip 10.75.2.0 255.255.255.0 10.0.0.0 255.0.0.0
pager lines 24
logging on
logging timestamp
logging monitor warnings
logging buffered warnings
logging trap warnings
logging history warnings
logging queue 100
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.75.2.2 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 10.1.1.200 source inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
service resetinbound
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map dynmap 10 ipsec-isakmp
crypto map dynmap 10 match address ipsec
crypto map dynmap 10 set peer me.me.me.me
crypto map dynmap 10 set transform-set myset
crypto map dynmap interface outside
isakmp enable outside
isakmp key ******** address me.me.me.me netmask 255.255.255.255
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 15
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 10
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:515657131f024f65043d72ca460f48c1
: end
CedarRapids-Pix#
====================================

ROUTER
====================================
Building configuration...

Current configuration : 1587 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CedarRapids
!
boot-start-marker
boot-end-marker
!
no logging console
enable password 123
!
no aaa new-model
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
ip cef
ip sla monitor 1
 type echo protocol ipIcmpEcho 63.252.28.153 source-ipaddr 63.252.28.154
 tos 160
 timeout 2000
 tag MPLS-MONITOR
 frequency 10
ip sla monitor schedule 1 life forever start-time now
!
!
!
!
track 10 rtr 1
 delay down 5 up 5
!
class-map match-all CLASS-EF-QOS
 match access-group 101
class-map match-all CLASS-SET-DSCP-EF
 match access-group 100
!
!
policy-map T1-QOS
 class CLASS-EF-QOS
  priority 128
policy-map POLICY-SET-DSCP-EF
 class CLASS-SET-DSCP-EF
  set dscp ef
!
!
!
interface Loopback0
 ip address 10.75.1.99 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.75.2.1 255.255.255.0
 ip helper-address 10.1.1.206
 speed auto
 full-duplex
 service-policy input POLICY-SET-DSCP-EF
!
interface Serial0/0
 ip address 63.252.28.154 255.255.255.252
 encapsulation ppp
 service-module t1 timeslots 1-24
 service-policy output T1-QOS
!
ip route 0.0.0.0 0.0.0.0 63.252.28.153 track 10
ip route 0.0.0.0 0.0.0.0 10.75.2.2 200
ip route 216.10.240.54 255.255.255.255 10.75.2.2
no ip http server
!
!
!
access-list 100 permit ip host 10.75.2.6 any
access-list 101 permit ip any any dscp ef
!
!
!
control-plane
!
!
line con 0
line aux 0
 modem InOut
 transport input all
 speed 57600
line vty 0 4
 password 123
 login
!
end

CedarRapids#
 
JFrederick29 commented:
Okay, add this to the PIX:

access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any unreachable
access-list outside_access_in permit icmp any any time-exceeded
access-group outside_access_in in interface outside

You should be able to ping 1.1.1.1 afterwards.

btassure commented:
Bah. Beat me to it!

NTGuru705 (Author) commented:
I should say in the instance above 216.10.240.54 is the IP I am trying to get to...

NTGuru705 (Author) commented:
That did it.. now help me understand why?

JFrederick29 commented:
Yeah, I figured <8-]

Anyway, the ICMP rules allow any IP on the Internet to reply.

NTGuru705 (Author) commented:
I had this..

access-list acl_out permit icmp any any

JFrederick29 commented:
The PIX by default blocks ICMP replies from the outside/Internet even though it allows the TCP/UDP return traffic (yeah, it's silly).  So, connectivity was there all along, the PIX was simply blocking ICMP.

NTGuru705 (Author) commented:
Also why doesn't the pix show up on my traceroute from my 1751?
Thanks

JFrederick29 commented:
>I had this..

access-list acl_out permit icmp any any

Yeah, but it wasn't applied to the interface with the "access-group" command.

NTGuru705 (Author) commented:
JF - I had this

NTGuru705 (Author) commented:
access-list acl_out permit icmp any any

JFrederick29 commented:
>Also why doesn't the pix show up on my traceroute from my 1751?

A PIX by default doesn't appear as a hop in the traceroute.  It "stealths" itself for a little added security (not really).  In later versions of code you can make it decrement the TTL (make it appear in a traceroute).

NTGuru705 (Author) commented:
Ahh... I see so if I just added it then it would work the way I had it before?
Also strange that I have ALWAYS been able to ping the outside interface from another host? So why was that?

JFrederick29 commented:
In summary:

>That did it.. now help me understand why?
The PIX by default blocks ICMP replies from the outside/Internet even though it allows the TCP/UDP return traffic (yeah, it's silly).  So, connectivity was there all along, the PIX was simply blocking ICMP.

>I had this..
access-list acl_out permit icmp any any
Yeah, but it wasn't applied to the interface with the "access-group" command.

>Also why doesn't the pix show up on my traceroute from my 1751?
A PIX by default doesn't appear as a hop in the traceroute.  It "stealths" itself for a little added security (not really).  In later versions of code you can make it decrement the TTL (make it appear in a traceroute).
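An added example that is not part of this thread: a small Python check, run over a constructed excerpt of the PIX 6.3 config posted above, for the two things the summary turns on: an access-list that is defined but referenced by no access-group (acl_out), and whether the ACL bound inbound on outside actually permits echo-reply. The function names and the simplified ACL parsing are my own.

```python
import re

# Constructed sample: the relevant lines of the PIX 6.3 config posted above, first
# as posted (acl_out defined but never bound), then with the outside_access_in
# rules and access-group from the accepted answer appended.
PIX_BEFORE = """\
access-list acl_out permit icmp any any
access-list nonat permit ip 10.75.2.0 255.255.255.0 10.0.0.0 255.0.0.0
nat (inside) 0 access-list nonat
"""
PIX_AFTER = PIX_BEFORE + """\
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any unreachable
access-list outside_access_in permit icmp any any time-exceeded
access-group outside_access_in in interface outside
"""

ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (\S+) (.*)$")
GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)$")
# Other places a PIX config references an ACL by name (nat 0 exemption, crypto map).
REF_RE = re.compile(r"^(?:nat \(\S+\) 0 access-list|crypto map \S+ \d+ match address) (\S+)$")

def parse_pix(text):
    """Return (rules per ACL as (action, proto, rest), ACL bound per (iface, dir), other refs)."""
    acls, groups, refs = {}, {}, set()
    for line in text.splitlines():
        if m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3), m.group(4)))
        elif m := GROUP_RE.match(line):
            groups[(m.group(3), m.group(2))] = m.group(1)
        elif m := REF_RE.match(line):
            refs.add(m.group(1))
    return acls, groups, refs

def unbound_acls(text):
    """ACLs that exist but are referenced nowhere: they filter nothing."""
    acls, groups, refs = parse_pix(text)
    return set(acls) - set(groups.values()) - refs

def icmp_replies_permitted(text, iface="outside"):
    """True if the ACL bound inbound on iface permits echo-reply (or all ICMP) from any source."""
    acls, groups, _ = parse_pix(text)
    # No inbound ACL on a lower-security interface means the replies are dropped,
    # even though TCP/UDP return traffic is still allowed by the connection table.
    for action, proto, rest in acls.get(groups.get((iface, "in")), []):
        tokens = rest.split()
        # Simplification: only "any any [icmp-type]" rules are recognised here.
        if action == "permit" and proto == "icmp" and tokens[:2] == ["any", "any"]:
            if len(tokens) == 2 or tokens[2] == "echo-reply":
                return True
    return False
```

Running it on the "before" excerpt reports acl_out as unbound and no echo-reply permit on outside; on the "after" excerpt the echo-reply permit is found, while acl_out is still reported as dead configuration.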
 
JFrederick29 commented:
>Also strange that I have ALWAYS been able to ping the outside interface from another host? So why was that?

The PIX interfaces are treated differently.  Pinging the PIX itself doesn't use the interface access-lists.  Use the "icmp permit or icmp deny" commands to block/permit ICMP to itself.  By default, all interfaces reply to ICMP.

NTGuru705 (Author) commented:
awesome.. I just applied the acl_out to the interface and that fixed it.
Thanks for your help..!