How to PING between ASA and PIX Firewall through DMZ interface

virgoboy009
Level 1

Hello GS,

I have two firewalls (PIX and ASA), each connected to a router which is connected to an ISP.

I am looking to have failover between these two firewalls so that internet traffic automatically diverts when one of the ISPs fails.

I am stuck at the following points:

1) I have connected the PIX and ASA using DMZ4 and DMZ1 respectively, using the same security level, and ICMP is allowed on both FWs.

But I am still not able to ping between them.

2) The ASA FW, which is connected to the internet-facing router, has been used as the primary internet connection, and the backup internet will be the PIX FW, which faces another ISP.

Hence I wanted to know what commands (NAT/routing) I should use at the ASA so that when the primary ISP link is down it diverts to the secondary ISP.

Currently tracking is only configured towards the primary ISP end IP address and not yet towards the secondary ISP. Hence my query is:

should I point my tracking at the secondary ISP FW or at the PIX outside IP?

Thanks for all your advice and posts.

Regards,

KA.


Jennifer Halim
Cisco Employee

1) How are ASA DMZ4 and PIX DMZ1 connected? Are they in the same subnet? What are their IP addresses? "show run interface" from both PIX and ASA would be great.

How are you trying to ping each other? I assume that you are connected directly to either the ASA or the PIX, and just trying to ping each other's directly connected interface? Please also include "sh run icmp" from both PIX and ASA.

2) You would only need to configure tracking towards your primary ISP, because you would like to track when it is down, and configure the PIX DMZ1 as the default gateway through the ASA DMZ4 interface.

Hope that helps a bit.

Hello Halijenn,

Thanks for your reply.

Please find the scenario below:

Internal 10.0.0.0                        (172.16.200.X)

Core switch ------------------------- PIX 535 Firewall ----------- ISP PIX FW ---- ISP Router ---------- ISP A internet cloud, 10 MB
     |                                    |DMZ1         |ethernet4 (dmz4)
     |            DMZ Switch -- Proxy1/2  |             | 192.168.4.2
     |               192.168.1.x          |             | 192.168.4.1
     |                 (inside)           |gi 0/1       | gi 0/2 (DMZ1)
     |-------------------------------- ASA 5520 Firewall ---- Router ---------- directly connected to ISP B, 20 MB

Here ISP A was placed with their own FW and router at our site, as they were the sub-ISP of another ISP and they follow this standard.

We have been using the 20 MB (ISP B) internet as our primary connection and are looking forward to knowing how the user internet traffic can auto-divert to ISP A 10 MB with the help of tracking or any other configuration between the ASA and PIX FW.

Note: all PCs access the internet using a proxy connection which is placed in the DMZ1 zone of the PIX FW.

We have two proxies configured with a virtual IP, and at any point in time only one proxy can be active.

1. PIX eth4 is connected to ASA Gi 0/2, both in the 192.168.4.X IP range.

2. ICMP permit any DMZ4 has been allowed on the PIX and ICMP permit any DMZ1 on the ASA, but when I run packet tracer I see that it is being blocked by the default implicit rule of the ASA FW (DMZ1 incoming any any ip deny).

3. When I connect my laptop directly to the ASA, I am able to ping the ASA using only my laptop IP 192.168.4.2/24.

So I guess some access-list is still blocking the ping, but on both FWs I allowed:

access-list acl_dmz4 line 2 permit ip dmz4 any - PIX

access-list acl_dmz4 line 2 permit icmp dmz4 any - PIX

Would you please suggest the commands?

Thanks and Regards,

KA.

Not too sure how you have tested point 2) and point 3).

You mention that you have configured your laptop IP address with 192.168.4.2, which is the PIX DMZ4 interface IP. So with the same IP address, whether it's assigned to the PIX or the laptop, you should be able to ping the ASA DMZ1 interface as they are in the same subnet.

When you reassigned 192.168.4.2 to the PIX DMZ4 interface, did you "clear arp" on all devices (especially the PIX and ASA)?

Where are you actually trying to ping from when you are seeing ACL denies? If you are pinging to and from the PIX or the ASA itself, and pinging an interface on the PIX or the ASA itself, it wouldn't even look at the interface ACL. That is why I don't quite understand where you are trying to ping from and to.

Lastly, from the proxy server's perspective, it would not know when ISP 1 is down, so it would still send traffic towards its default gateway, which I believe is configured as the ASA at this point. This will cause asymmetric routing when ISP 1 is down, which is not a supported design as far as the firewall is concerned.

With the current design, the following will occur when ISP 1 is down:

1) The proxy server sends a SYN packet towards the ASA; the ASA will redirect the SYN packet towards the PIX.

2) The SYN-ACK packet will go directly towards the proxy server, as they are in the same subnet.

3) The ACK from the proxy server will still be sent towards the ASA because it is its default gateway, and since the ASA never saw the SYN-ACK packet, it will drop the ACK and the TCP connection, because the firewall inspects for stateful connections.

1. I have connected the other end of the cross cable from ASA gi 0/2 (DMZ1) to my laptop and assigned the same IP address (192.168.4.2) which is used at the PIX FW Etho (DMZ4), just to ensure the cross cable is functioning properly.

So during this activity I was able to ping only from the PC to the ASA and not from the ASA to the PC.

"I have removed the cable which is connected from ASA to PIX at the PIX end and connected the same cable to my PC, just to ensure it is physically connected."

2. Would you suggest what commands are required to ping from the ASA to the PIX on the directly connected DMZ ports?

3. My primary ISP is via the ASA, facing towards the internet, and we have already placed tracking with the command track 1 on the next hop of the ASA FW (195.X.X.1), tracking the ISP end IP address 83.x.x.153.

Now I want to configure a second tracking towards my PIX IP so that traffic diverts automatically. Hence I would like to know which IP I need to track.

Please refer to the diagram for more clarity.

I couldn't follow your comments below; can you please explain again?

With the current design, the following will occur when ISP 1 is down:

1) Proxy server sends SYN packet towards ASA, ASA will redirect the SYN packet towards PIX.

2) SYN-ACK packet will go directly towards the proxy server as they are in the same subnet.

3) ACK from proxy server will still be sent towards the ASA because it is its default gateway, and since ASA never saw the SYN-ACK packet, it will drop the ACK and the TCP connection because firewall inspects for stateful connection.

My proxy is currently pointed towards the outside IP address of the ASA FW, and we are thinking that if we do tracking to the PIX FW with a higher metric it would divert traffic automatically... Please let me know why it won't happen?

I think that traffic from the secondary ISP will come to the PIX and then go via the DMZ interface back to the ASA and then to the proxy, and from there to the users.

The proxy will not know about the change of ISP connection.

I do not know whether I am telling this correctly or not.

Regards,

KA.

For your proxy SYN-ACK packet query, I would like to tell you that:

ASA Gi0/2 (named DMZ1) to PIX Etho (named DMZ4) are in the 192.168.4.x subnet.

Currently the proxy is in the 192.168.1.x subnet, which is the PIX FW DMZ1 subnet.

Also the ASA FW inside is connected (logically, i.e. the BlueCoat is connected to DMZ1) to the DMZ1 switch.

So can you let me know whether the return traffic will still go directly from the PIX to the proxy instead of via the ASA?

Regards,

KA.

2. All you need to ping the interfaces is "icmp permit any DMZ1" on the ASA and "icmp permit any DMZ4" on the PIX. As advised, it doesn't seem to be a configuration issue, but more an ARP issue. Hence "clear arp".

3. With the tracking feature, only the ASA itself will know about ISP1 being down. No other devices will know about ISP1 being down. Hence all internal traffic will still be routed towards the ASA, and the ASA will route the traffic through its new default gateway, i.e. ISP2.

The tracking feature is only locally significant on the ASA itself.

Further to that, I don't understand your statement "My Current Proxy is currently pointed towards the Outisde ip add of ASA FW", since you mention that your proxy is in the 192.168.1.x subnet; how would it point towards the outside IP of the ASA? What is the actual default gateway of the proxy server? Based on the description, I assume it is the ASA inside interface in the 192.168.1.x subnet.

This morning, after setting up icmp permit 192.168.4.0 255.255.255.0 dmz4 and icmp deny any dmz4 on the PIX FW,

I was able to communicate between both FWs.

1. Your reply regarding the proxy pointing towards the internal IP of the ASA, which is in the 192.168.1.X subnet, was absolutely right, and sorry,

I was wrong.

2. Now I am looking forward to knowing where Global NAT is required; as per my understanding we need it on both FWs.

PIX FW -

Global ( outside) 1 213.x.x.149 mask 255.255.255.240  ( existing commands for PAT)
Global ( DMZ4) 1 192.168.4.1 mask 255.255.255.0 ( new command to )
nat (inside) 1 0.0.0.0 0.0.0.0 0 0 ( existing command for inside network to access internet)


ASA FW -

Looking to know how to do NAT here.

My sincere thanks for your help on this; I am planning to implement this change tomorrow.

Regards,
KA.



The only way to achieve this is to remove PIX DMZ1 interface. Do you have a need to have PIX DMZ1 interface connected to the inside network? If you don't then it should work if all inside connection is still getting routed to the ASA even when ISP1 is down.

On ASA firewall:

static (inside,DMZ1) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

On PIX firewall:

nat (DMZ4) 1 0 0

route DMZ4 192.168.1.0 255.255.255.0 192.168.4.1

Please remove this from PIX firewall:

Global ( DMZ4) 1 192.168.4.1 mask 255.255.255.0
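To make the handshake argument from the earlier reply (SYN out via the ASA, SYN-ACK returned straight to the proxy, ACK dropped by the ASA) and the fix proposed in this reply (the PIX routes 192.168.1.0/24 back through ASA DMZ1 instead of delivering on its own DMZ1 leg) concrete, here is a small Python model added for this write-up. It is not configuration or code from the thread or from Cisco; it only models the connection-table behaviour of a stateful firewall and the two return paths. Addresses 192.168.4.1 (ASA DMZ1) and 192.168.4.2 (PIX DMZ4) come from the thread; the proxy address 192.168.1.10 and the internet host 203.0.113.5 are assumed, and NAT is left out of the model.

```python
"""Model of a TCP handshake through a stateful ASA with a backup route via the PIX.

Constructed example. Addresses 192.168.4.1/192.168.4.2 are from the thread;
the proxy (192.168.1.10) and the internet host (203.0.113.5) are assumed.
"""
from dataclasses import dataclass, field

PROXY = "192.168.1.10"     # assumed proxy address on the 192.168.1.0/24 segment
ASA_DMZ1 = "192.168.4.1"   # from the thread
PIX_DMZ4 = "192.168.4.2"   # from the thread
WEB = "203.0.113.5"        # assumed internet host (documentation address range)


@dataclass
class Packet:
    src: str
    dst: str
    flags: str  # "SYN", "SYN-ACK" or "ACK"


@dataclass
class StatefulASA:
    """Minimal connection table: an ACK is forwarded only after the SYN-ACK was seen."""
    isp1_up: bool
    conns: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def from_inside(self, pkt):
        key = (pkt.src, pkt.dst)
        if pkt.flags == "SYN":
            self.conns[key] = "SYN_SEEN"
        elif pkt.flags == "ACK" and self.conns.get(key) != "SYNACK_SEEN":
            # The ASA never saw the SYN-ACK, so the ACK does not match a half-open connection.
            self.log.append("ASA dropped ACK: no SYN-ACK in connection table")
            return None
        else:
            self.conns[key] = "ESTABLISHED"
        # Tracking is local to the ASA: with ISP1 down it uses the backup route (metric 20).
        next_hop = "ISP1" if self.isp1_up else PIX_DMZ4
        self.log.append(f"ASA forwards {pkt.flags} via {next_hop}")
        return pkt

    def from_outside_or_dmz1(self, pkt):
        key = (pkt.dst, pkt.src)  # reverse direction of the entry created by the SYN
        if key not in self.conns:
            self.log.append(f"ASA dropped {pkt.flags}: no matching connection")
            return None
        if pkt.flags == "SYN-ACK":
            self.conns[key] = "SYNACK_SEEN"
        self.log.append(f"ASA forwards {pkt.flags} to inside")
        return pkt


@dataclass
class PIX:
    """Return path depends on whether the PIX still has its own leg on 192.168.1.0/24."""
    dmz1_on_inside_lan: bool
    log: list = field(default_factory=list)

    def return_path(self, pkt):
        if self.dmz1_on_inside_lan:
            self.log.append("PIX delivers reply straight to the proxy via its DMZ1 leg")
            return "direct"
        self.log.append(f"PIX routes reply for 192.168.1.0/24 to {ASA_DMZ1} (route DMZ4 ...)")
        return "via_asa"


def handshake(asa, pix):
    """Run SYN / SYN-ACK / ACK from the proxy and report the outcome."""
    if asa.from_inside(Packet(PROXY, WEB, "SYN")) is None:
        return "failed"
    synack = Packet(WEB, PROXY, "SYN-ACK")
    # With ISP1 up the reply arrives on the ASA outside interface; otherwise ask the PIX.
    path = "via_asa" if asa.isp1_up else pix.return_path(synack)
    if path == "via_asa" and asa.from_outside_or_dmz1(synack) is None:
        return "failed"
    # Either way the proxy has the SYN-ACK and now sends its ACK to its default gateway, the ASA.
    ack = asa.from_inside(Packet(PROXY, WEB, "ACK"))
    return "established" if ack is not None else "dropped"


def scenario(isp1_up, pix_has_inside_leg):
    """Return (outcome, combined ASA and PIX log) for one topology/ISP state."""
    asa = StatefulASA(isp1_up=isp1_up)
    pix = PIX(dmz1_on_inside_lan=pix_has_inside_leg)
    outcome = handshake(asa, pix)
    return outcome, asa.log + pix.log


if __name__ == "__main__":
    for args in [(True, True), (False, True), (False, False)]:
        outcome, log = scenario(*args)
        print(f"isp1_up={args[0]}, pix_leg_on_inside={args[1]} -> {outcome}")
        for line in log:
            print("   ", line)
```

The middle scenario (ISP1 down, PIX still attached to the 192.168.1.x segment) reproduces the asymmetric-routing drop; the last one shows that once the PIX sends replies for 192.168.1.0/24 to 192.168.4.1, the ASA sees the SYN-ACK on DMZ1 and the ACK matches its connection table.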

I cannot remove the DMZ1 interface of the PIX, as all my servers are placed in the DMZ1 subnet.

Regards,

KA.

Is the PIX the default gateway for all your servers, or is the ASA the default gateway?

Yes, inbound/outbound access of the servers happens through this PIX FW, which is connected to our secondary link.

All servers located in the DMZ are accessed from outside using this secondary link. All the Exchange traffic and patch-update traffic of the servers uses this

PIX FW connected to the secondary link.

Source-based NAT happens for all my servers in the PIX, and return traffic from the internet is also configured on this PIX.

PIX FW NAT -

global (outside) 1 213.X.X.149  (it's the public IP used by us)
nat (dmz4) 1 0.0.0.0 0.0.0.0 0 0  (will be a new command I am planning to use; all others are existing commands)
nat (dmz3) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz1) 1 0.0.0.0 0.0.0.0 0 0
nat (inside) 0 access-list noNat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

ASA Config

Global (DMZ1) 2 interface

nat ( DMZ1) 2 0.0.0.0 0.0.0.0 0 0

backup route 0.0.0.0 0.0.0.0 192.168.4.1 20 ( 20 metric  configured from GUI)

Do I need any further route from NAT inside/DMZ to the PIX FW outside?

Highly appreciate all your posts.

Regards,

KA.

I am getting more confused with all the description now.

So all servers' inbound and outbound access is via the PIX firewall, and all other hosts' inbound and outbound access is currently via the ASA firewall?

Are they all in the same subnet, or are the servers in a different subnet than all other hosts?

What is the default gateway for all the other hosts?

Hello,

Finally my issue has been resolved and auto failover is working fine now.

PIX FW NAT -

global (outside) 1 213.X.X.149  (it's the public IP used by us)
nat (dmz4) 1 0.0.0.0 0.0.0.0 0 0  (new command; all others are existing commands)
nat (dmz3) 1  0.0.0.0 0.0.0.0 0 0
nat (dmz1) 1 0.0.0.0 0.0.0.0 0 0
nat (inside)  0 access-list noNat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

And an access-list has been implemented to allow DMZ4 traffic.

ASA Config

Global  (outside) 1 interface

Global  (DMZ1) 1 interface

nat ( DMZ1) 1 0.0.0.0 0.0.0.0 0 0

nat ( inside) 1 0.0.0.0 0.0.0.0 0 0

backup route  0.0.0.0 0.0.0.0 192.168.4.1 20 ( 20 metric  configured from GUI)

So when I shut the outside interface of the ASA FW, tracking comes into place, the backup route is shown in the ASA FW, and

internet traffic is leveraged through the PIX FW's internet-connected ISP.

My sincere thanks for helping me throughout this.

Regards,

KA.
