Basic PIX firewalling

amit.bhagat
Level 1

Hi Guys,

A basic firewall issue-network topology is as follows-

R1-PIX-R2

R1 config-

interface Loopback 0
 ip address 192.168.1.1 255.255.255.0
!
interface fastethernet 0/0
 ip address 10.1.1.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.1.1.2
!

R2 config-

interface Loopback 0
 ip address 1.1.1.1 255.255.255.255
!
interface fastethernet 0/0
 ip address 10.2.2.2 255.255.255.0
!
ip route 192.168.1.0 255.255.255.0 10.2.2.1
!

PIX config in router mode-

interface e0
 nameif inside
 ip address 10.1.1.2 255.255.255.0
 security-level 100
!
interface e1
 nameif outside
 ip address 10.2.2.1 255.255.255.0
 security-level 0
!
route outside 0.0.0.0 0.0.0.0 10.2.2.2
route inside 192.168.1.0 255.255.255.0 10.1.1.1
!
access-list 101 extended permit ip any any
access-list 101 extended permit icmp any any
access-list 101 extended permit icmp any any echo
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any unreachable
!
access-group 101 in interface outside
!

Now, the issue is that I CANNOT ping between R1 & R2. However, I can ping from the PIX to each device.

Any help would be appreciated.

Regards,

Amit.
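One check worth running against the configs posted above, as an added example that is not part of the thread: rebuild each device's routing table from the posted configs and ask whether the router being pinged has a route back to the address the ping was sourced from. The tables below are transcribed from the question; the function names are my own.

```python
import ipaddress

# Routing tables reconstructed from the configs in the question.
# Each entry: (destination network, next hop); "connected" marks an attached subnet.
R1_ROUTES = [
    ("192.168.1.0/24", "connected"),   # Loopback0
    ("10.1.1.0/24", "connected"),      # FastEthernet0/0
    ("0.0.0.0/0", "10.1.1.2"),         # default via PIX inside
]
R2_ROUTES = [
    ("1.1.1.1/32", "connected"),       # Loopback0
    ("10.2.2.0/24", "connected"),      # FastEthernet0/0
    ("192.168.1.0/24", "10.2.2.1"),    # static via PIX outside
]
PIX_ROUTES = [
    ("10.1.1.0/24", "connected"),      # inside
    ("10.2.2.0/24", "connected"),      # outside
    ("0.0.0.0/0", "10.2.2.2"),         # route outside
    ("192.168.1.0/24", "10.1.1.1"),    # route inside
]

def lookup(routes, dst):
    """Longest-prefix match; returns the next hop, 'connected', or None if no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, nh in routes:
        n = ipaddress.ip_network(net)
        if dst in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, nh)
    return best[1] if best else None

def check_return_path(src_name, src_ip, dst_name, dst_routes):
    """Can dst_name route an echo-reply back to the address src_name pinged from?"""
    nh = lookup(dst_routes, src_ip)
    if nh is None:
        return f"{dst_name} has NO route back to {src_ip}: reply to {src_name} is dropped"
    return f"{dst_name} reaches {src_ip} via {nh}"

def audit():
    # A ping sourced from the interface facing the PIX (the router default)
    # versus one sourced from the loopback, in each direction.
    return {
        "R1 fa0/0 -> R2": check_return_path("R1", "10.1.1.1", "R2", R2_ROUTES),
        "R1 lo0   -> R2": check_return_path("R1", "192.168.1.1", "R2", R2_ROUTES),
        "R2 fa0/0 -> R1": check_return_path("R2", "10.2.2.2", "R1", R1_ROUTES),
        "R2 lo0   -> R1": check_return_path("R2", "1.1.1.1", "R1", R1_ROUTES),
    }

if __name__ == "__main__":
    for test, result in audit().items():
        print(f"{test}: {result}")
```

Run against the posted tables, the audit shows that a ping from R1's 10.1.1.1 has no return route on R2, while one sourced from R1's loopback does; the PIX itself has a route for every address involved, which matches the observation that pings from the PIX succeed.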

5 Replies

What version of the code are you running?

PIX OS version 8.04

Config looks good. Anything showing up in the logs?

Try this.

policy-map global_policy
 class inspection_default
  inspect icmp

Hi Suresh,

I have tried that too, applying the policy-map globally.

However, I should mention that this lab was run on GNS3. I have tried it on two different computers with the same config and I have to say that I have reached a breakthrough.

I have been able to ping between the two routers through the firewall in both routed and transparent modes. But this is only possible if I increase the timeout value to almost 20 seconds. I have even run OSPF on and through the firewall.

My next questions would be: on a real PIX firewall, does it take too long for interesting traffic to pass through it? How do OSPF and other routing protocols manage to keep the adjacency UP if packets take too long to reach between connected devices? In my case, the OSPF adjacency was flapping. But perhaps I can blame it on the CPU resources of the PC.

Regards,

Amit.
