Ping not Happening

Unanswered Question
Feb 11th, 2007

I have 6 interfaces in my PIX515 firewall. E0 is connected to the Internet through a router.

The E1 interface is assigned 10.16.10.1 with 255.255.0.0 and is connected to a switch. In the same trusted network there is a Domino mail server, whose address is 10.16.10.5 with 255.255.0.0.

The E1 interface is connected to the fastethernet interface of the router, e0/0, whose address is 10.16.10.31 with 255.255.0.0.

The serial interface (whose IP address is 172.16.1.1 with 255.255.255.252) is connected to the remote site serial interface of a router (whose IP address is 172.16.1.2 with 255.255.255.252) over a leased line.

The fast ethernet interface of the remote router is attached to the switch, whose IP address is 10.81.10.1 with 255.255.0.0. There are some users in the 10.81.10.0 network.

Routing in PIX:

route (outside) 0.0.0.0 0.0.0.0 Internet net router serial interface.

route (outside) 10.81.0.0 255.255.0.0 via 10.16.10.31

Local router :

Ip route 10.81.0.0 255.255.0.0 via 172.16.1.2 255.255.255.252

Remote router :

IP route 10.16.0.0 255.255.0.0 via 172.16.1.1 255.255.255.252

Domino Mail server:

route is added to reach the 10.81.0.0 network.

Issue:

The issue is that we are able to PING the Domino mail server from the 10.81.0.0 network only sometimes; most of the time we are not able to ping the Domino server. Locally, from the router, we are able to PING.

The router fastethernet port is attached to the 16th port of the switch, the PIX firewall E1 interface is attached to the 17th port of the switch, and the Domino mail server is connected to the 18th port. All these ports are members of VLAN 5.

Please help me to resolve the issue.

sundar.palaniappan Sun, 02/11/2007 - 20:31

What's the next hop IP for the 10.81.0.0 network pointing to on the Domino mail server? It s/b set to forward traffic destined for 10.81.0.0 network to 10.16.10.31.

Lavanholy Mon, 02/12/2007 - 19:58

Hi Sundar Palani,

Thanks. The next hop for the 10.81.12.0/16 network to reach the Domino Mail server, which is in 10.16.10.0/16 (actual IP of the mail server is 10.16.10.5/16), is 10.81.13.1/30.

I hope I answered your question.

Thanks and Regards,

S.Venkataraman.

Jon Marshall Mon, 02/12/2007 - 00:21

Hi

I'm confused with your topology. You have a pix with an E0 interface (outside) that connects to a router which connects you to the internet.

You have an E1 interface which is connected to a trusted network on which you have a domino server and a router. Is this router a different router?

This router that connects to the trusted network - is this the one with the serial connection to your remote site?

What I'm trying to work out is the path taken from your remote site to the domino server. You have a route on the pix for the 10.81.0.0 network pointing to the outside.

Could you clarify the path?

As a side note, if you can ping sometimes but not others it could be a translation issue on the pix. If traffic from the remote site does come to the outside interface of the pix, do you have a static translation set up for the domino server?

Jon

Lavanholy Mon, 02/12/2007 - 20:46

Hi Jon,

Thanks. Yes, you are right, I have one router for Internet which is connected to the E0 interface of the PIX.

Another router's fastethernet is connected to a switch with the IP 10.16.10.31/16. The E1 interface of the PIX is also connected to the same switch with the IP 10.16.10.1/16. Then there is a Domino Mail server, whose IP is 10.16.10.5/16, also on the same switch. The router fastethernet, the PIX E1 interface and the Domino mail server are all members of VLAN 5.

Routing in the ROUTER:

1. To reach the 10.81.12.0/16 via 10.81.13.2/30 (which is the remote router's serial interface IP at the remote site; this is the third router)

Domino Mail Server.

To reach the 10.81.0.0/16 via PIX E1 interface 10.16.10.1/16

Routing in the PIX:

To reach the 10.81.0.0/16 via 10.16.10.31/16 which is the local router's fastethernet interface.

Is it OK? I hope I gave you the needed inputs.

And you are telling me about the translation set in the PIX. What is it, and how do I configure it? Please help me to resolve this issue.

Thanks and Regards,

S.Venkataraman

Jon Marshall Tue, 02/13/2007 - 00:07

Hi

Why are you going via the pix to get to the remote end?

What version of code is the pix running? If it is 6.x then I don't think this will work, as what is happening is this:

1) The domino server tries to respond to a ping from the remote 10.81.0.0 network.

2) The route to this network is the pix E1 interface. The domino server sends this packet to the pix.

3) The pix looks up the route and sees it has to send it to 10.16.10.31 the fast ethernet interface of the router.

Trouble is the pix cannot route traffic back out an interface it has received traffic on, at least not prior to version 7.x.

So this will fail.

Why not point your route on the Domino server to the fast ethernet interface of the router (10.16.10.31) rather than the pix E1 interface?

HTH

Jon
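Added example, not part of the original thread or any poster's code: a small Python model that traces the Domino server's reply toward the remote LAN using the routes quoted in the posts, and reports where a device that cannot forward back out its ingress interface (the PIX 6.x behaviour described above) drops it. Device names, interface names and the remote user address 10.81.10.50 are assumptions made for illustration.

```python
import ipaddress

def topology(domino_hop, pix_hairpin=False):
    """Constructed model of the thread's network; only reply-direction routes are modelled."""
    return {
        "domino": {"hairpin": True, "ifaces": {"nic": "10.16.10.5/16"},
                   "routes": {"10.81.0.0/16": domino_hop}},
        "pix": {"hairpin": pix_hairpin, "ifaces": {"e1": "10.16.10.1/16"},
                "routes": {"10.81.0.0/16": "10.16.10.31"}},
        "local_router": {"hairpin": True, "routes": {"10.81.0.0/16": "172.16.1.2"},
                         "ifaces": {"fa": "10.16.10.31/16", "serial": "172.16.1.1/30"}},
        "remote_router": {"hairpin": True, "routes": {},
                          "ifaces": {"serial": "172.16.1.2/30", "fa": "10.81.10.1/16"}},
    }

def owner(topo, ip):
    """Return (device, interface) holding this address, or None for an unmodelled host."""
    for name, dev in topo.items():
        for ifname, cidr in dev["ifaces"].items():
            if ipaddress.ip_interface(cidr).ip == ipaddress.ip_address(ip):
                return name, ifname

def egress(dev, dst):
    """Return (interface, next_hop): connected subnets first, then static routes."""
    for ifname, cidr in dev["ifaces"].items():
        if ipaddress.ip_address(dst) in ipaddress.ip_interface(cidr).network:
            return ifname, dst
    for prefix, hop in dev["routes"].items():
        if ipaddress.ip_address(dst) in ipaddress.ip_network(prefix):
            via = egress(dev, hop)  # resolve the next hop to an interface
            return (via[0], hop) if via else None

def trace(topo, start, dst):
    """Follow one packet from device `start` towards `dst`; return (path, verdict)."""
    path, cur, ingress = [start], start, None
    for _ in range(8):  # hop limit guards against routing loops
        hit = egress(topo[cur], dst)
        if hit is None:
            return path, "no route on " + cur
        iface, hop = hit
        if iface == ingress and not topo[cur]["hairpin"]:
            return path, f"dropped: {cur} will not forward back out {iface}"
        nxt = owner(topo, hop)
        if nxt is None:
            return path, "delivered" if hop == dst else "next hop not modelled"
        cur, ingress = nxt
        path.append(cur)
    return path, "hop limit reached"
```

Calling `trace(topology("10.16.10.1"), "domino", "10.81.10.50")` models the route as posted; passing `"10.16.10.31"` models the suggested change, and `pix_hairpin=True` models a PIX that is allowed to forward out the interface the packet arrived on.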

Lavanholy Tue, 02/13/2007 - 00:15

Hi Jon,

Thanks for the info. This is the same question I have raised with my engineer who is at the site. What he says is that the reason for routing through the PIX is to keep the log, to see the incoming traffic.

I will check the version; if it is 6.x then I will suggest upgrading to 7.x. Will it work?

OK, I will get back to you.

Thanks and Regards,

S.Venkataraman.

Jon Marshall Tue, 02/13/2007 - 00:23

Hi

With version 7.x the pix can route traffic back out of an interface it received it on. Be aware though that v7.x is significantly different in configuration from 6.x, and if you are running a Pix 515E you might need a memory upgrade.

If you have a Pix 501 or 506E you cannot run v7.x on this.

If you need to log the traffic you could create an access-list on your router that allows traffic to and from your domino server and logs it and then have a "permit ip any any" for all the other traffic.

Just a thought.

Jon

Lavanholy Tue, 02/13/2007 - 01:20

Hi Jon,

Thanks a lot, I will try this and let you know.

Best Regards,

S.Venkataraman.
