11-16-2009 09:59 PM - edited 03-11-2019 09:40 AM
Hi Guys,
A basic firewall issue. The network topology is as follows:
R1-PIX-R2
R1 config:
interface Loopback 0
ip address 192.168.1.1 255.255.255.0
!
interface fastethernet 0/0
ip address 10.1.1.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.1.1.2
!
R2 config:
interface Loopback 0
ip address 1.1.1.1 255.255.255.255
!
interface fastethernet 0/0
ip address 10.2.2.2 255.255.255.0
!
ip route 192.168.1.0 255.255.255.0 10.2.2.1
!
PIX config in routed mode:
interface e0
nameif inside
ip address 10.1.1.2 255.255.255.0
security-level 100
!
interface e1
nameif outside
ip address 10.2.2.1 255.255.255.0
security-level 0
!
route outside 0.0.0.0 0.0.0.0 10.2.2.2
route inside 192.168.1.0 255.255.255.0 10.1.1.1
!
access-list 101 extended permit ip any any
access-list 101 extended permit icmp any any
access-list 101 extended permit icmp any any echo
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any unreachable
!
access-group 101 in interface outside
!
Now, the issue is I CANNOT ping between R1 & R2. However, I can ping from PIX to each device.
Any help would be appreciated.
Regards,
Amit.
11-17-2009 01:22 AM
What version of the code are you running?
11-17-2009 01:38 AM
PIX OS version 8.04
11-17-2009 01:42 AM
Config looks good. Anything showing up in the logs?
11-20-2009 11:17 AM
Try this.
policy-map global_policy
class inspection_default
inspect icmp
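The thread turns on two things: the inbound access-list on the outside interface and whether "inspect icmp" is in the global policy. The following is an added example (not code from the thread or from Cisco) that models, in simplified form, how a PIX/ASA-style firewall decides whether an ICMP echo and its echo-reply pass between the two interfaces, and flags access-list entries that can never match because an earlier entry already covers them. Interface names, security levels and the access-list are the ones posted above; the two "no ACL" firewall variants are constructed for comparison, and the first-match, security-level and inspection behaviour is a simplified model rather than the real PIX code path.

```python
"""Added example, not from the thread: a small model of how a PIX/ASA-style
firewall admits ICMP echo / echo-reply between two interfaces, with and
without 'inspect icmp', plus a check for ACL entries shadowed by an earlier
broader entry.  Interface names, security levels and the access-list are the
ones posted in the thread; the evaluation model itself is a simplification
(assumption)."""

from dataclasses import dataclass, field
from typing import Optional

# The access-list exactly as posted in the thread.
PIX_ACL_101 = """\
access-list 101 extended permit ip any any
access-list 101 extended permit icmp any any
access-list 101 extended permit icmp any any echo
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any unreachable
"""


@dataclass
class Ace:
    """One access-control entry: action, protocol, source, destination, ICMP type."""
    action: str
    proto: str
    src: str
    dst: str
    icmp_type: Optional[str] = None


def parse_acl(text: str) -> list:
    """Parse 'access-list <id> extended <permit|deny> <proto> <src> <dst> [icmp-type]'."""
    aces = []
    for line in text.splitlines():
        p = line.split()
        if len(p) < 7 or p[0] != "access-list" or p[2] != "extended":
            continue
        icmp_type = p[7] if p[4] == "icmp" and len(p) > 7 else None
        aces.append(Ace(p[3], p[4], p[5], p[6], icmp_type))
    return aces


def covers(a: Ace, b: Ace) -> bool:
    """True if every packet matched by b is also matched by a (a is at least as broad)."""
    return (a.proto in ("ip", b.proto)
            and a.icmp_type in (None, b.icmp_type)
            and a.src in ("any", b.src)
            and a.dst in ("any", b.dst))


def shadowed_entries(aces: list) -> list:
    """Indices of entries that can never match because an earlier entry covers them."""
    return [i for i, b in enumerate(aces) if any(covers(a, b) for a in aces[:i])]


def acl_permits(aces: list, proto: str, icmp_type: str, src: str, dst: str) -> bool:
    """First-match evaluation with the implicit deny at the end of the list."""
    packet = Ace("permit", proto, src, dst, icmp_type)
    for ace in aces:
        if covers(ace, packet):
            return ace.action == "permit"
    return False


@dataclass
class Firewall:
    levels: dict                                       # interface -> security-level
    inbound_acls: dict = field(default_factory=dict)   # interface -> ACEs applied 'in'
    inspect_icmp: bool = False                         # 'inspect icmp' in the global policy?

    def admits(self, in_if, out_if, proto, icmp_type, src, dst) -> bool:
        """Packet arriving on in_if bound for out_if.  An inbound ACL, if applied,
        decides; otherwise the security-level default applies (higher level to
        lower level passes, the reverse is dropped)."""
        if in_if in self.inbound_acls:
            return acl_permits(self.inbound_acls[in_if], proto, icmp_type, src, dst)
        return self.levels[in_if] > self.levels[out_if]

    def ping(self, in_if, out_if, src, dst):
        """Return (echo_passes, reply_passes) for a ping from src on in_if to dst."""
        echo_ok = self.admits(in_if, out_if, "icmp", "echo", src, dst)
        if self.inspect_icmp:
            # With ICMP inspection the reply is matched to the echo's state entry,
            # so it passes exactly when the echo did, without consulting any ACL.
            return echo_ok, echo_ok
        # Without inspection ICMP is stateless: the reply is a fresh packet arriving
        # on out_if and must be admitted on its own merits (and only exists if the
        # echo got through).
        reply_ok = echo_ok and self.admits(out_if, in_if, "icmp", "echo-reply", dst, src)
        return echo_ok, reply_ok


# Firewall as posted: ACL 101 inbound on outside, no ACL on inside, no inspection.
POSTED = Firewall(levels={"inside": 100, "outside": 0},
                  inbound_acls={"outside": parse_acl(PIX_ACL_101)})

# Constructed variants: same box with the outside ACL removed, without and with 'inspect icmp'.
NO_ACL = Firewall(levels={"inside": 100, "outside": 0})
NO_ACL_INSPECTED = Firewall(levels={"inside": 100, "outside": 0}, inspect_icmp=True)

if __name__ == "__main__":
    print("shadowed ACL entries:", shadowed_entries(parse_acl(PIX_ACL_101)))
    for name, fw in [("posted", POSTED), ("no ACL", NO_ACL), ("no ACL + inspect icmp", NO_ACL_INSPECTED)]:
        print(f"{name:>22}: R1->R2 {fw.ping('inside', 'outside', '192.168.1.1', '1.1.1.1')}"
              f"  R2->R1 {fw.ping('outside', 'inside', '1.1.1.1', '192.168.1.1')}")
```

Run as a script it reports that entries 1 to 4 of access-list 101 are shadowed by the leading "permit ip any any" (harmless, but they do nothing), that with the posted configuration both echo and reply pass in both directions even without inspection, and that "inspect icmp" only makes a difference once the outside ACL no longer permits the returning echo-reply. That is why the configuration "looks good" on paper and why the logs, rather than the policy, are the next place to look.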
11-22-2009 03:38 PM
Hi Suresh,
I have tried that too, applying the policy-map globally.
However, I should mention that this lab was run on GNS3. I have tried it on two different computers with the same config and I have to say that I have reached a breakthrough.
I have been able to ping between the two routers through the firewall in both routed and transparent modes. But this is only possible if I increase the timeout value to almost 20 seconds. I have even run OSPF on and through the firewall.
My next questions would be: on a real PIX firewall, does it take too long for interesting traffic to pass through it? How do OSPF and other routing protocols manage to keep the adjacency UP if packets take too long to reach between connected devices? In my case, the OSPF adjacency was flapping. But perhaps I can blame it on the CPU resources of the PC.
Regards,
Amit.