Basic PIX firewalling

Hi Guys,

A basic firewall issue. The network topology is as follows:

R1-PIX-R2

R1 config:

interface Loopback 0
 ip address 192.168.1.1 255.255.255.0
!
interface fastethernet 0/0
 ip address 10.1.1.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.1.1.2
!

R2 config:

interface Loopback 0
 ip address 1.1.1.1 255.255.255.255
!
interface fastethernet 0/0
 ip address 10.2.2.2 255.255.255.0
!
ip route 192.168.1.0 255.255.255.0 10.2.2.1
!

PIX config in routed mode:

interface e0
 nameif inside
 ip address 10.1.1.2 255.255.255.0
 security-level 100
!
interface e1
 nameif outside
 ip address 10.2.2.1 255.255.255.0
 security-level 0
!
route outside 0.0.0.0 0.0.0.0 10.2.2.2
route inside 192.168.1.0 255.255.255.0 10.1.1.1
!
access-list 101 extended permit ip any any
access-list 101 extended permit icmp any any
access-list 101 extended permit icmp any any echo
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any unreachable
!
access-group 101 in interface outside
!

Now, the issue is that I CANNOT ping between R1 and R2. However, I can ping from the PIX to each device.

Any help would be appreciated.

Regards,

Amit.

5 REPLIES

Re: Basic PIX firewalling

What version of the code are you running?

Re: Basic PIX firewalling

PIX OS version 8.0(4)

Re: Basic PIX firewalling

Config looks good. Anything showing up in the logs?

Re: Basic PIX firewalling

Try this:

policy-map global_policy
 class inspection_default
  inspect icmp

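The difference between the original post's approach (an inbound ACL on outside that permits ICMP, with no ICMP inspection) and the `inspect icmp` suggestion above, modelled in Python as an added example for this thread. It is not the poster's configuration and not Cisco code; the session-tracking rules are a simplified model of PIX 7.x/8.x behaviour, and the treatment of ICMP that matches no session (it falls through to the outside ACL) is an assumption of the model.

```python
"""Toy model of PIX/ASA ICMP handling: outside ACL only vs. `inspect icmp`.

Added illustration for this thread (not the poster's config, not Cisco code).
Modelled behaviour:
  * inside (security-level 100) -> outside (security-level 0) is allowed by
    default; nat-control is off in 8.0, so no NAT statement is needed;
  * without ICMP inspection the PIX keeps no ICMP state, so an echo-reply
    arriving on 'outside' is a new connection and passes only if the inbound
    ACL on 'outside' permits it;
  * with `inspect icmp` the outbound echo creates a session keyed on
    (src, dst, id, seq) and only the matching reply is passed, once.
Assumption (simplification): ICMP from outside that matches no session is
decided purely by the outside ACL.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Icmp:
    src: str
    dst: str
    kind: str    # "echo" or "echo-reply"
    ident: int
    seq: int


@dataclass
class Pix:
    outside_acl_permits_icmp: bool   # access-list ... permit icmp any any, applied in on outside
    inspect_icmp: bool               # class inspection_default / inspect icmp
    sessions: set = field(default_factory=set)

    def from_inside(self, pkt: Icmp) -> bool:
        """inside -> outside: higher to lower security, permitted by default."""
        if self.inspect_icmp and pkt.kind == "echo":
            self.sessions.add((pkt.src, pkt.dst, pkt.ident, pkt.seq))
        return True

    def from_outside(self, pkt: Icmp) -> bool:
        """outside -> inside: must match an inspected session or the inbound ACL."""
        if self.inspect_icmp and pkt.kind == "echo-reply":
            key = (pkt.dst, pkt.src, pkt.ident, pkt.seq)   # reverse of the request
            if key in self.sessions:
                self.sessions.discard(key)   # inspection allows one reply per request
                return True
        return self.outside_acl_permits_icmp


def run_scenarios() -> dict:
    """R1 (10.1.1.1) pings R2 (10.2.2.2); R2 also sends unsolicited ICMP inward.

    Returns {scenario: True if the packet from outside is passed, False if dropped}.
    Packets are constructed sample data.
    """
    request = Icmp("10.1.1.1", "10.2.2.2", "echo", ident=7, seq=1)
    reply = Icmp("10.2.2.2", "10.1.1.1", "echo-reply", ident=7, seq=1)
    wrong_seq = Icmp("10.2.2.2", "10.1.1.1", "echo-reply", ident=7, seq=99)
    unsolicited = Icmp("10.2.2.2", "10.1.1.1", "echo", ident=3, seq=1)

    results = {}

    # Original post: blanket ICMP permit inbound on outside, no inspection.
    acl_only = Pix(outside_acl_permits_icmp=True, inspect_icmp=False)
    acl_only.from_inside(request)
    results["acl_only: echo-reply"] = acl_only.from_outside(reply)
    results["acl_only: unsolicited echo"] = acl_only.from_outside(unsolicited)

    # Suggested fix: inspect icmp, and drop the blanket inbound ICMP permit.
    inspected = Pix(outside_acl_permits_icmp=False, inspect_icmp=True)
    inspected.from_inside(request)
    results["inspect: echo-reply"] = inspected.from_outside(reply)
    results["inspect: duplicate echo-reply"] = inspected.from_outside(reply)
    results["inspect: wrong-seq echo-reply"] = inspected.from_outside(wrong_seq)
    results["inspect: unsolicited echo"] = inspected.from_outside(unsolicited)
    return results


if __name__ == "__main__":
    for name, passed in run_scenarios().items():
        print(f"{'PASS' if passed else 'DROP'}  {name}")
```

The ACL-only approach in the original post does let the echo-reply back in, but it also lets any unsolicited ICMP (and, with the `permit ip any any` line, any IP traffic at all) from outside reach inside hosts. With `inspect icmp` the reply is matched to the request that created the session, so the inbound ACL does not need to open ICMP.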
Re: Basic PIX firewalling

Hi Suresh,

I have tried that too, applying the policy-map globally.

However, I should mention that this lab was run on GNS3. I have tried it on two different computers with the same config, and I have to say that I have reached a breakthrough.

I have been able to ping between the two routers through the firewall in both routed and transparent modes. But this is only possible if I increase the timeout value to almost 20 seconds. I have even run OSPF on and through the firewall.

My next questions would be: on a real PIX firewall, does it take too long for interesting traffic to pass through it? How do OSPF and other routing protocols manage to keep the adjacency UP if packets take too long to travel between connected devices? In my case, the OSPF adjacency was flapping. But perhaps I can blame it on the CPU resources of the PC.

Regards,

Amit.
