Can't ping through the PIX

cameronjohn, Level 1

Hi,

I have a Cisco PIX 515E.

I have 6 interfaces.

Off one of the interfaces is a Cisco 871 router which I have set up to act as a gateway to access another network.

The internal interface: sec level 100.

The cisco_router interface: sec level 80.

From the Cisco's 172.16.16.2 internal interface I cannot ping anything on the internal LAN.

I am allowing traffic from the internal LAN to communicate to the 172.16.16.0 network via an ACL.

I am allowing the traffic from the 172.16.16.0 range to access the internal network via an ACL applied inbound on this interface.

I have set up icmp permit any cisco_Inside on the PIX.

I have set up a capture on this interface and can see matches from 172.16.16.2 going to the internal machine (it resolves a name as well) but nothing back.

I have set up a capture on the internal LAN interface and cannot see matches sending back or replying to the 172.16.16.0 subnet. So it's not even getting there.

I do not have access to troubleshoot from the internal LAN, which makes it hard.

I have a route on the Cisco 871 to route to the internal range via the connecting interface on the PIX, but traceroutes time out at the first hop.

From the PIX I can ping the 172.16.16.2 interface on the Cisco 871.

Does anyone have any ideas why I can't ping?

Will post configs if needed.

Thanks,

John

3 Replies

John,

A few questions for you.

1. Is nat-control enabled in the firewall? If it is can you post the nat or static configuration?

2. Does your internal network know how to route to 172.16.16.0/24, or whatever address you may be translating to on the PIX?

3. Have you applied an access list on the inside interface?

If it's possible post a sanitized copy of the PIX configuration.

HTH

Sundar

Hi Sundar,

I worked it out by doing:

static (inside,Gal_Inside) 10.4.3.205 10.4.3.205 netmask 255.255.255.255, otherwise known as transparent static translation.

However my setup is complex. I am using the Cisco router to do NAT to the 10.4.3.205 IP, which sits behind the PIX inside interface.

I am NATing this internal IP 10.4.3.205 to the external range of the Cisco 871 router, which is 10.57.59.195 (this range connects to the PIX 10.157.59.194 interface):

ip nat inside source static 10.4.3.205 10.57.59.195

I then will terminate an IPsec VPN from a third party to the PIX. Traffic from the third party will then route to the Cisco 10.57.59.193/27 interface and then hopefully translate the 10.57.59.195 address to the internal IP 10.4.3.205.

This setup would work on a Cisco router, but the PIX is a different beast.

What do you think my chances of success are?

I can get to the Internet from the Cisco router, so NAT outbound works fine.

Thanks,

John
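The configuration below is an added example, not John's posted configuration or anything quoted by Sundar. It shows the two pieces John describes put together: the identity static on the PIX (the translation that satisfies nat-control for the one host and lets the security-80 side initiate to it) with a host-specific inbound ACL on Gal_Inside, and the 871's static NAT toward its 10.57.59.193/27 side. The interface names inside and Gal_Inside, the hosts 10.4.3.205, 172.16.16.2 and 10.57.59.195, and the 10.57.59.193/27 range come from the thread; the 871 interface numbers, the PIX Gal_Inside address 172.16.16.1, the 10.4.3.0/24 mask and the ACL name GAL_IN are assumptions. It covers only the non-VPN case Sundar says should work; where the IPsec tunnel terminates on the PIX outside, the 871 is not in the path and its translation never runs.

```cisco
! ===== PIX 515E (commands valid on PIX 6.x and 7.x) =====
! Assumes inside (security 100) and Gal_Inside (security 80) already exist.
!
! With nat-control on (the default on 6.x and on a 7.x upgraded from 6.x),
! a packet from inside toward Gal_Inside has no xlate for 10.4.3.205 unless
! a nat/global pair or a static covers it, so the host's replies to the
! 871's pings are dropped at the inside interface. That matches the empty
! inside-side capture in the original post.
nat-control
!
! Identity static: 10.4.3.205 keeps its own address on Gal_Inside. This is
! the translation nat-control wants for this host in both directions and
! the prerequisite for the lower-security side to open connections to it.
static (inside,Gal_Inside) 10.4.3.205 10.4.3.205 netmask 255.255.255.255
!
! Traffic from security 80 to security 100 is denied unless an ACL on the
! lower interface permits it. Keep it to the one host: static + ACL is an
! inbound hole from the 871's side into the inside LAN, so do not widen
! it to the whole 10.4.3.0/24.
access-list GAL_IN permit ip 172.16.16.0 255.255.255.0 host 10.4.3.205
access-group GAL_IN in interface Gal_Inside
!
! Only governs ICMP addressed to the PIX's own Gal_Inside address (the test
! ping from the 871 to the PIX). It does NOT permit ICMP through the box;
! that is what the static and GAL_IN do.
icmp permit any Gal_Inside
!
! Verify: the identity xlate must show up before any conn can build.
!   show xlate
!   show conn

! ===== Cisco 871 (IOS) =====
! 10.4.3.205 lives behind the PIX, so the link toward the PIX is the NAT
! "inside" and the 10.57.59.193/27 segment is the NAT "outside".
! Interface numbers and the PIX address 172.16.16.1 are assumed.
interface FastEthernet4
 description to PIX Gal_Inside (172.16.16.1 assumed)
 ip address 172.16.16.2 255.255.255.0
 ip nat inside
!
interface Vlan1
 description 10.57.59.192/27 side
 ip address 10.57.59.193 255.255.255.224
 ip nat outside
!
! Inside local 10.4.3.205 <-> inside global 10.57.59.195 (from the thread).
ip nat inside source static 10.4.3.205 10.57.59.195
!
! Route to the inside LAN via the PIX so translated packets have a next hop.
ip route 10.4.3.0 255.255.255.0 172.16.16.1
!
! Verify the static entry and that inside/outside are on the right links:
!   show ip nat translations
!   show ip nat statistics
```

Two checks worth doing before blaming the PIX: `show xlate` on the PIX should list 10.4.3.205 for the (inside,Gal_Inside) pair, and a capture on the inside interface should now show the echo replies leaving toward 172.16.16.2. If the 871's `show ip nat statistics` counts no hits on the static entry, its packets are not arriving on the interface marked `ip nat outside`, which is the case Sundar describes when the tunnel terminates on the PIX instead.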

John,

I am not sure I have understood your setup correctly.

However, I believe what you are describing would work without VPN. You can translate on both the 871 and the PIX and it would work just fine. But if you expect traffic to 10.57.59.195 to come through the VPN tunnel, which terminates on the PIX outside, but expect translation for that to be done on the 871, then it wouldn't work, as the 871 would be a pass-through device in the IPsec path.

There's a good chance that I may have misunderstood your setup and in which case can you post a sanitized copy of the PIX and 871 configuration and that would make it much easier to say anything for sure.

HTH

Sundar
