12-17-2009 05:40 AM - edited 03-04-2019 07:00 AM
Hi there, I have trouble connecting to a remote computer. Attached is the case I have. From Firewall B to Computer A I can ping and connect freely. But everything behind Firewall B is not able to ping Computer A. Anyone have some pointers?
A traceroute to IP 10.60.46.46 from Computer B stops at 10.100.50.2, Router A's outside interface. Strange.
See attachment.
Gregory
12-17-2009 05:42 AM
Can you post the firewall config?
12-17-2009 05:50 AM
Yes, this is the config:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 fo security20
enable password ODFL.6T0XAcuRi.o encrypted
passwd 0MOMg9hxBtXB/QMw encrypted
hostname Firewall_B
domain-name
clock timezone
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.10.10.201 Printer_Laserjet
access-list outside_access_in remark
access-list outside_access_in permit ip any any
pager lines 24
logging timestamp
logging trap debugging
logging host inside 10.10.10.12
mtu outside 1500
mtu inside 1500
mtu fo 1500
ip address outside 10.10.20.2 255.255.255.0
ip address inside 10.10.10.2 255.255.255.0
ip address fo 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 10.10.20.3
failover ip address inside 10.10.10.3
failover ip address fo 192.168.1.2
failover link fo
failover lan unit primary
failover lan interface fo
failover lan key ********
failover lan enable
pdm location Printer_Laserjet 255.255.255.255 inside
pdm location 10.10.10.1 255.255.255.255 inside
pdm location 10.10.20.1 255.255.255.255 inside
pdm location 10.10.20.1 255.255.255.255 fo
pdm location 10.10.10.211 255.255.255.255 inside
pdm location 10.10.10.209 255.255.255.255 inside
pdm location 10.10.10.12 255.255.255.255 inside
pdm location 10.60.46.0 255.255.255.0 outside
pdm location 10.60.46.0 255.255.255.0 inside
pdm location 10.10.10.213 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 10 10.10.20.50-10.10.20.254 netmask 255.255.255.0
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 10.10.20.4 10.10.10.1 netmask 255.255.255.255 0 0
static (inside,outside) 10.10.20.5 10.10.10.211 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
router ospf 1
network 10.10.10.0 255.255.255.0 area 0
network 10.10.20.0 255.255.255.0 area 0
log-adj-changes
route outside 0.0.0.0 0.0.0.0 10.10.20.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.10.20.1 255.255.255.255 inside
telnet 10.10.10.211 255.255.255.255 inside
telnet 10.10.10.213 255.255.255.255 inside
telnet 10.10.20.1 255.255.255.255 fo
telnet timeout 5
ssh 10.10.10.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:d61fcefdac53f26fa0b4887019131127
: end
saturn#
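Two things a reader of the config above wants to know before touching the debugs: which outside address an inside host is translated to when it talks to Computer A (10.60.46.46), since that is the address Router A must have a return route for, and which lines in the dump are security findings in their own right. The script below is an added example written for this page; it is not code from the thread or from Cisco. It assumes PIX 6.3 translation order (a matching `static` wins, otherwise the `nat`/`global` pair with the same ID; a `global` given as an address range is a dynamic NAT pool, not PAT) and works on a trimmed copy of the posted config, so it runs offline.

```python
"""Parse a trimmed copy of the Firewall_B PIX 6.3 config and answer:
(1) what outside address does an inside host appear as, and
(2) which config lines are security findings.
Assumption: PIX 6.3 semantics (static first, then nat/global by ID; a global
range is a dynamic NAT pool without PAT). Added example, not the thread's code."""
import ipaddress

# Trimmed copy of the config posted above (constructed excerpt, not the full dump).
PIX_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list outside_access_in remark
access-list outside_access_in permit ip any any
logging trap debugging
ip address outside 10.10.20.2 255.255.255.0
ip address inside 10.10.10.2 255.255.255.0
global (outside) 10 10.10.20.50-10.10.20.254 netmask 255.255.255.0
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 10.10.20.4 10.10.10.1 netmask 255.255.255.255 0 0
static (inside,outside) 10.10.20.5 10.10.10.211 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.20.1 1
snmp-server community public
telnet 10.10.10.211 255.255.255.255 inside
"""


def _net(addr, mask):
    """IPv4Network from a dotted address and dotted mask (PIX notation)."""
    prefix = bin(int(ipaddress.IPv4Address(mask))).count("1")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def parse_pix(text):
    """Pull the translation and filtering statements out of a PIX 6.3 config."""
    cfg = {"statics": [], "nat": [], "globals": {}, "acls": {}, "bindings": {}, "lines": []}
    for line in text.splitlines():
        p = line.split()
        if not p:
            continue
        cfg["lines"].append(line)
        if p[0] == "static":            # static (real_if,mapped_if) MAPPED REAL netmask MASK
            real_if, mapped_if = p[1].strip("()").split(",")
            cfg["statics"].append((real_if, mapped_if, ipaddress.IPv4Address(p[2]), _net(p[3], p[5])))
        elif p[0] == "nat":             # nat (if) ID NET MASK
            cfg["nat"].append((p[1].strip("()"), int(p[2]), _net(p[3], p[4])))
        elif p[0] == "global":          # global (if) ID LO[-HI] netmask MASK
            lo, _, hi = p[3].partition("-")
            cfg["globals"][(p[1].strip("()"), int(p[2]))] = (lo, hi or lo)
        elif p[0] == "access-list" and len(p) > 3 and p[2] in ("permit", "deny"):
            cfg["acls"].setdefault(p[1], []).append(p[2:])
        elif p[0] == "access-group":    # access-group NAME in interface IF
            cfg["bindings"][p[4]] = (p[1], p[2])
    return cfg


def outside_address(cfg, real_ip):
    """Address an inside host is seen as on the outside interface, or None if untranslated."""
    ip = ipaddress.IPv4Address(real_ip)
    for real_if, mapped_if, mapped, real_net in cfg["statics"]:
        if (real_if, mapped_if) == ("inside", "outside") and ip in real_net:
            return str(mapped + (int(ip) - int(real_net.network_address)))
    for iface, nat_id, net in cfg["nat"]:
        if iface == "inside" and ip in net and ("outside", nat_id) in cfg["globals"]:
            lo, hi = cfg["globals"][("outside", nat_id)]
            return f"{lo}-{hi}"         # dynamic pool; the exact address is chosen at xlate time
    return None


def pool_size(cfg, iface, nat_id):
    """Number of addresses in a dynamic global pool; when exhausted, new connections fail."""
    lo, hi = cfg["globals"][(iface, nat_id)]
    return int(ipaddress.IPv4Address(hi)) - int(ipaddress.IPv4Address(lo)) + 1


def audit(cfg):
    """Security findings visible in the config text itself."""
    findings = []
    for iface, (name, direction) in cfg["bindings"].items():
        for ace in cfg["acls"].get(name, []):
            if ace[:4] == ["permit", "ip", "any", "any"]:
                findings.append(f"{name} ({direction} on {iface}) permits ip any any: nothing is filtered inbound")
    for line in cfg["lines"]:
        if line.startswith("snmp-server community public"):
            findings.append("SNMP community 'public': default read community, change it or disable SNMP")
        if line.startswith("logging trap debugging"):
            findings.append("logging trap debugging: debug-level syslog on a production PIX costs CPU")
        if line.startswith("telnet ") and not line.startswith("telnet timeout"):
            findings.append(f"cleartext management enabled: '{line}' (prefer ssh only)")
    return findings


if __name__ == "__main__":
    cfg = parse_pix(PIX_CONFIG)
    for host in ("10.10.10.1", "10.10.10.211", "10.10.10.50"):
        print(host, "->", outside_address(cfg, host))
    print("dynamic pool size:", pool_size(cfg, "outside", 10))
    for f in audit(cfg):
        print("FINDING:", f)
```

Run as-is, it shows that 10.10.10.1 and 10.10.10.211 leave as 10.10.20.4 and 10.10.20.5 (the statics), while any other inside host is assigned one of the 205 addresses in 10.10.20.50-10.10.20.254. So every inside-to-outside packet arrives at Router A with a 10.10.20.x source, and the reply from 10.60.46.46 only gets back if Router A routes 10.10.20.0/24 towards the PIX outside interface and the firewall has an xlate for it; the inbound ACL is `permit ip any any`, so it is not the ACL that drops the reply. The audit also flags that same ACL, the default SNMP community and the Telnet lines as things to fix independently of the connectivity problem.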
12-17-2009 06:00 AM
Thanks.
Sorry, I should have asked for these as well:
1) "sh route" from the firewall
2) "sh ip route" from router A & B.
Presumably you have checked 10.60.46.46 to make sure it does not have a firewall running that is blocking the ICMP?
Also, what is the subnet mask of 10.60.46.46? From your diagram its default gateway on Router A is 10.60.0.9, so is the subnet mask 255.255.0.0?
Jon
12-17-2009 06:30 AM
12-17-2009 07:25 AM
Gregory
I can't see anything wrong with the routing or the config of the firewalls. I'm assuming you don't have ACLs on the routers that might be blocking this?
We may need to do some debugging, but is it a production setup, and how busy is the firewall?
Jon
12-17-2009 07:45 AM
Jon,
It's a production setup. Not busy but important (needs 100% uptime). I have several connections from Router B to different networks which work fine. The thing is, when I do a traceroute from Computer B, the packet goes all the way to Router A's outside interface. So my guess is there might be something that is preventing the packet from reaching 10.60.46.46. What confuses me is that everything outside of the firewall gets to 10.60.46.46 with no problem at all. Is there something special you need to do when using NAT IP addresses with OSPF? I assume that when Router A receives the packet from Computer B on the interface with IP address 10.100.50.2 it doesn't deliver it to 10.60.46.46 but drops the packet, I guess.
So there must be something with the NAT addresses, I think, but what?
12-17-2009 08:15 AM
gregory.taiapin wrote:
Jon,
It's a production setup. Not busy but important (needs 100% uptime). I have several connections from Router B to different networks which work fine. The thing is, when I do a traceroute from Computer B, the packet goes all the way to Router A's outside interface. So my guess is there might be something that is preventing the packet from reaching 10.60.46.46. What confuses me is that everything outside of the firewall gets to 10.60.46.46 with no problem at all. Is there something special you need to do when using NAT IP addresses with OSPF? I assume that when Router A receives the packet from Computer B on the interface with IP address 10.100.50.2 it doesn't deliver it to 10.60.46.46 but drops the packet, I guess.
So there must be something with the NAT addresses, I think, but what?
That's the thing though. Router A knows about the 10.10.20.x network. Actually, it also knows about the 10.10.10.x network.
Can you try pinging and tracerouting from 10.60.46.46 to 10.10.20.4 and post the results?
Other than that, we can try some debugging on the firewall, i.e.
debug packet outside dst 10.60.46.46
debug packet outside src 10.60.46.46
The above would show you packets leaving the outside interface going to 10.60.46.46 and those returning. To turn them off, just:
no debug packet outside dst 10.60.46.46
no debug packet outside src 10.60.46.46
But as I say, you do need to be careful with debugging.
Jon
12-17-2009 08:30 AM
Jon,
I will do a debug later today and will let you know. Thanks for the help so far.
12-17-2009 11:12 AM
12-17-2009 02:06 PM
Gregory
What debug command did you use to get this output?
Jon