
Strange Firewall Issue

wasiimcisco
Level 1

I have a PIX firewall 525 with IOS Version 8.0(3).

I have an access-list applied on both the inside and outside interface. Everything was working fine, but today I'm not able to ping the firewall's outside interface. Only directly connected switches are able to ping the firewall's outside interface.

The firewall is configured for a AAA server and authentication is working fine, but the firewall is not able to ping the AAA server.

ASDM and everything else is working; only pinging the box is not working.

I have even allowed icmp any any on the inside and outside interface.

The firewall is unable to reach the SNMP server. The server gives an "unreachable" error.

Please see the attachment for the configuration of the firewall, plus logging at the end.

ASDM shows that the inside-to-outside traffic is denied by a deny rule, though there is no deny rule, even at the end of the access-list.

Why is this happening? Please help me out.

6 Replies

secureIT
Level 4

I would suggest you restart the firewall once; 90% of the time the problem will get resolved. Did you check what the output of "show cpu usage" is? You can also check the hit count of both ACLs for the icmp permit any any entries...

Please restart and let me know.

regards

Rajesh P

Do this:

"clear arp"

and

"clear conn"

DRDC-Srv-525-1(config)# sh cpu usage

CPU utilization for 5 seconds = 6%; 1 minute: 2%; 5 minutes: 1%

The ICMP hit count is increasing whenever I try to ping.

I'm also getting this error:

DRDC-Srv-525-1(config)# %PIX-3-315004: Fail to establish SSH session because RSA host key retrieval failed.

%PIX-3-315004: Fail to establish SSH session because RSA host key retrieval failed.

%PIX-3-315004: Fail to establish SSH session because RSA host key retrieval failed.

%PIX-3-315004: Fail to establish SSH session because RSA host key retrieval failed.

%PIX-3-315004: Fail to establish SSH session because RSA host key retrieval failed.

I have restarted the firewall; now only the console is working, and I am unable to access the device via telnet or SSH.

Why don't you delete the SSH configuration and RSA keys and reconfigure? Your logs say "Fail to establish SSH session because RSA host key retrieval failed".

regards

Rajesh

Fernando_Meza
Level 7

Hi,

In regards to "pings" to the firewall's interfaces, you need to add:

icmp permit any inside

icmp permit any outside

The ICMP entries you have included in the access-list allow pings traversing the firewall, not pings terminating on its interfaces.

I hope it helps... please rate helpful posts.

Do the following:

Problem:

%PIX-3-106014: Deny inbound icmp src inside:172.28.36.4 dst inside:172.28.92.254 (type 8, code 0)

%PIX-3-106014: Deny inbound icmp src inside:172.28.36.4 dst inside:172.28.92.254 (type 8, code 0)

%PIX-3-106014: Deny inbound icmp src inside:172.28.36.4 dst inside:172.28.92.254 (type 8, code 0)

%PIX-3-106014: Deny inbound icmp src inside:172.28.36.4 dst inside:172.28.92.254 (type 8, code 0)

Fix:

same-security-traffic permit inter-interface

Problem:

%PIX-4-106023: Deny tcp src outside:172.28.92.226/2088 dst inside:172.28.36.32/23 by access-group "outside_acl" [0x0, 0x0]

%PIX-4-106023: Deny tcp src outside:172.28.92.226/2088 dst inside:172.28.36.32/23 by access-group "outside_acl" [0x0, 0x0]

%PIX-4-106023: Deny tcp src outside:172.28.92.226/2088 dst inside:172.28.36.32/23 by access-group "outside_acl" [0x0, 0x0]

Fix:

object-group service DRDC_server_ports tcp-udp

port-object eq 23

Also check your subnet masks on the firewall interfaces, ACLs, object-groups and route statements; it seems you have misconfigured some of them.

And brother, before posting configs on the Internet, at least delete the passwords, for God's sake :)

Regards

Farrukh
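The three message types quoted in this thread (315004 for the SSH host key, 106014 for the ICMP deny, 106023 for the access-group deny) can be triaged mechanically from the syslog feed instead of by eyeballing ASDM. The script below is an added example written for this page, not code from any of the posters or from Cisco. It parses the three message formats with regular expressions, pulls out interface, address and port fields, and prints the remediation the replies above point to: key regeneration for 315004, a permit in the named ACL for 106023, and for 106014 either the `icmp permit` interface rule (Fernando's fix, for pings addressed to the interface itself) or `same-security-traffic permit intra-interface` for a flow that enters and leaves the same interface (the thread's reply gives the inter-interface form, which applies to two different interfaces at the same security level). The sample log lines are constructed from the messages shown above, with one benign 302013 line added to show that normal traffic is ignored.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the three message types quoted in the thread (same
# addresses/ports the posters showed) plus one benign line that must be ignored.
SAMPLE_LOG = """\
%PIX-3-315004: Fail to establish SSH session because RSA host key retrieval failed.
%PIX-3-106014: Deny inbound icmp src inside:172.28.36.4 dst inside:172.28.92.254 (type 8, code 0)
%PIX-4-106023: Deny tcp src outside:172.28.92.226/2088 dst inside:172.28.36.32/23 by access-group "outside_acl" [0x0, 0x0]
%PIX-6-302013: Built inbound TCP connection 4711 for outside:192.0.2.10/40000 (192.0.2.10/40000) to inside:172.28.36.32/443 (172.28.36.32/443)
"""

# Generic PIX/ASA syslog header: %PIX-<severity>-<6-digit id>: <text>
HEADER_RE = re.compile(r'^%(?:PIX|ASA)-(?P<sev>[0-7])-(?P<id>\d{6}):\s*(?P<text>.*)$')
# 106014: Deny inbound <proto> src <if>:<ip> dst <if>:<ip> (type N, code N)
ICMP_DENY_RE = re.compile(
    r'Deny inbound (?P<proto>\w+) src (?P<sif>[\w-]+):(?P<sip>[\d.]+) '
    r'dst (?P<dif>[\w-]+):(?P<dip>[\d.]+) \(type (?P<type>\d+), code (?P<code>\d+)\)')
# 106023: Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group "<acl>"
ACL_DENY_RE = re.compile(
    r'Deny (?P<proto>\w+) src (?P<sif>[\w-]+):(?P<sip>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>[\w-]+):(?P<dip>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"')


@dataclass
class Finding:
    msg_id: str
    summary: str
    fix: str


def triage_line(line: str) -> Optional[Finding]:
    """Classify one syslog line; return None for lines that need no action."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    msg_id, text = m.group("id"), m.group("text")

    if msg_id == "315004":
        # The SSH server cannot load its RSA host key: regenerate it (and re-add the
        # 'ssh <net> <mask> <if>' lines if the SSH configuration was cleared).
        return Finding(msg_id, "SSH host key missing or unreadable",
                       "crypto key generate rsa modulus 2048")

    if msg_id == "106014":
        d = ICMP_DENY_RE.search(text)
        if d and d["sif"] == d["dif"]:
            # Same ingress and egress interface: a ping addressed to the interface
            # itself is governed by the 'icmp' interface rules, not by the access-group;
            # a through-flow that leaves the interface it arrived on needs intra-interface
            # permission. Which one applies depends on whether dip is the firewall's own address.
            return Finding(
                msg_id,
                f"{d['proto']} type {d['type']} from {d['sip']} to {d['dip']} dropped on '{d['sif']}'",
                f"icmp permit any {d['sif']}  (if {d['dip']} is the interface address); "
                "otherwise: same-security-traffic permit intra-interface")
        return Finding(msg_id, f"ICMP denied: {text}", "check the 'icmp' interface rules")

    if msg_id == "106023":
        d = ACL_DENY_RE.search(text)
        if d:
            # Explicit ACL drop: the named access-group has no permit for this port.
            return Finding(
                msg_id,
                f"{d['proto']}/{d['dport']} from {d['sip']} to {d['dip']} denied by ACL '{d['acl']}'",
                f"access-list {d['acl']} extended permit {d['proto']} "
                f"host {d['sip']} host {d['dip']} eq {d['dport']}")
        return Finding(msg_id, f"ACL deny: {text}", "inspect the named access-group")

    return None  # informational messages such as 302013 need no action


def triage(log: str) -> List[Finding]:
    """Run triage_line over a whole log and keep only actionable findings."""
    return [f for f in (triage_line(l) for l in log.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.msg_id}] {f.summary}\n    fix: {f.fix}")
```

Two caveats when reading the output. First, a PIX or ASA never answers a ping sent to an interface on the far side of the box (for example, the outside interface pinged from an inside host), whatever the `icmp` rules say, so that symptom from the original post is expected behaviour and only the nearest interface is a valid target. Second, the suggested ACL line is the narrowest host-to-host permit; on the real box, compare it against `show access-list` hit counts and `show running-config icmp` before widening anything, and prefer an object-group as Farrukh shows if several ports are involved.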
