Cisco Support Community
New Member

PIX 501 not talking to "Next Hop" router?

Hello,

My home network currently consists of a Cable Modem --> PIX 501 --> Switch --> internal hosts.  The PIX outside interface is set to DHCP, and the device is also DHCP server for my network.

I am trying to add a router between the ISP Modem and the PIX.  (The reason is so I can monitor intrusion attempts coming in from the internet, prior to reaching the firewall.)  I have a 1605 router with 2 ethernet interfaces: E0 is set to DHCP client and connected to the ISP modem; E1 is in the same subnet as my PIX Outside interface.  The PIX is still DHCP server for the LAN, but the outside interface is now set to a static address.

Now that I have this set up I am unable to get out to the internet from inside.  To test I attempted to PING the router E0 interface from an internal host.  I then ran debug ICMP at both the 1605 and the PIX.  The router receives those requests, but the response never makes it back to the PIX.

Another thing I tried is to enable RIP v2 on the router and PIX.  With this on (and with the networks defined on the 1605) I did a "Debug RIP" on both devices.   So at the router I can see RIP broadcasts being sent out from the router, and also RIP broadcasts being received from the PIX.  But from the PIX I only see broadcasts it is sending out - it's not getting anything back from the router.

Am I missing something basic here?  I will be happy to post configs if needed.

Thank you!

-BK

23 REPLIES

PIX 501 not talking to "Next Hop" router?

Hello,

So PIX 501.. Well let's see what we can do.

So do you have any NAT on the PIX?  If yes, please provide it.

If you do a show arp from the PIX, do you see an ARP entry for the router IP address?

What happens if you run that ARP show command on the router??

Can you ping from the Pix to the router and from the router to the pix?

Can you add

fixup protocol icmp 

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

PIX 501 not talking to "Next Hop" router?

Wow that was a fast response!!  Ok here's what I can tell you at the moment:

Concerning NAT:  I am using NAT, with Port Address Translation.  Here are the relevant entries:

(Wow I can't paste in - bummer!!)

global (outside) 1 interface

nat (inside) 0 access-list NoNAT

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp interface 99 192.168.1.99 99 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 1701 192.168.1.202 www netmask 255.255.255.255 0 0

static (inside,outside) tcp interface ftp-data 192.168.1.202 ssh netmask 255.255.255.255 0 0

Concerning your show arp suggestion - I don't see it in the ARP table right now.  But not sure if that tells us anything, since I had to disconnect the router and reconnect the PIX to the cable modem last night (so my wife will have internet service!)!  I will recable it inline tonight and check when I get home.

Will do the same at the router tonight - it's not currently online.

Yes, with everything working I was able to successfully ping from the router to the PIX Outside interface...not to the inside interface though.  And I was also able to ping from the PIX Outside interface to the router.

I don't currently have "fixup protocol icmp", but I do have "icmp permit any outside" and "icmp permit any inside".  Doesn't this accomplish the same thing?

Anyhow I will try your suggestions this evening, and let you know.

Thanks!

-BK

PIX 501 not talking to "Next Hop" router?

Hello Barry,

Well, the ARP table I think stays on the PIX for 5 hours so it should not be there anymore.

Now, I would recommend to add the fixup protocol and make sure the ACL NoNAT is properly configured.

Afterwards the inside users should be able to ping 4.2.2.2

The internet router will never ping the PIX inside interface address as by default you cannot contact a far end interface (that's just by design).

Last but not least, appreciate the fast and helpful answers by rating them.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

PIX 501 not talking to "Next Hop" router?

Julio,

I will be sure to rate your assistance!  I'm curious though - you said inside users should be able to ping 4.2.2.2???  Where does that IP address come from?

Thanks again!

PIX 501 not talking to "Next Hop" router?

Hello Barry,

That's just an outside IP address that belongs to a public DNS that we as networking guys always use to test connectivity to the internet.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

PIX 501 not talking to "Next Hop" router?

Julio,

Unfortunately I was not able to get to this project yesterday evening.  I will definitely be hitting it when I get home though.  In the meantime I wanted to ask you a followup question.

You said earlier that I need to make sure the NoNAT ACL is properly configured.  But in reality I don't think that ACL is even used.  I created it a while back when I was playing with site-to-site VPNs.  Haven't used it since then. 

Here are the lines concerning the NoNAT ACL:

access-list NoNAT permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

nat (inside) 0 access-list NoNAT

*NOTE* the internal network is 192.168.1.0, and the outside network (to the PIX) is 192.168.0.0; is this my problem?

I was going to try to attach my full config, but I don't see a link allowing that.  (And I don't really want to type line for line; the editor doesn't allow me to copy/paste).  Let me know what you think.  Otherwise will be trying out your suggestions tonight.

Thanks again!

New Member

PIX 501 not talking to "Next Hop" router?

Ok found a workaround for attaching the config...attached as a jpg!    Also Julio I did try adding the fixup protocol icmp command you suggested.  It tells me "Usage: [no] fixup protocol icmp error".  So I think it already has icmp implied since I have icmp explicitly permitted both inside and outside interfaces.

ps. Don't worry that's not a real IP address showing in the isakmp section of the attached configuration.

Re:PIX 501 not talking to "Next Hop" router?

Do the following:

access-list capin permit icmp host x.x.x.x host 4.2.2.2
access-list capin permit icmp host 4.2.2.2 host x.x.x.x

Where x.x.x.x is the internal PC you are using to test the connection.

access-list capout permit icmp host y.y.y.y host 4.2.2.2
access-list capout permit icmp host 4.2.2.2 host y.y.y.y

Where y.y.y.y is the IP address the internal PC uses on the outside.

Then

capture capin interface inside access-list capin
capture capout interface outside access-list capout

Then from x.x.x.x ping 4.2.2.2 once and provide:
show cap capin
show cap capout

Sent from Cisco Technical Support Android App

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

PIX 501 not talking to "Next Hop" router?

Hi!

Thank you, this gives me something else to try tomorrow.  Only question I have: my internal hosts don't have an external IP address since I am using port address translation.  What would I use for y.y.y.y, the ISP address?  Would I specify a specific port?  Sorry, that part has me stumped.  Otherwise, will try your suggestions tomorrow.

Thank you!

bk

PIX 501 not talking to "Next Hop" router?

since I am using port address translation.

Use the PAT address then, bud.  No need for the port.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

PIX 501 not talking to "Next Hop" router?

Hi Julio,

Please pardon my ignorance.  But we're getting into an area that I don't understand all that well (which is probably why I haven't been able to get this working yet!)

In my current setup I have several externally accessible internal hosts.  For each one I have an access-list entry in the PIX specifying a port.  Then I have a mapping entry that ties the port to the internal client.

For your suggestions "access-list capout icmp host y.y.y.y host 4.2.2.2" and "access-list capout permit icmp host 4.2.2.2 host y.y.y.y"  you said y.y.y.y is the IP address the internal host uses outside.  I asked you if I should use the ISP address; I should have asked if I should use the ISP provided address (which I'm currently PAT'ing out).  So according to your last response I should just use that address for y.y.y.y right?

Sorry for all the questions - just want to make sure I understand so I can follow your advice!!

-Bk

PIX 501 not talking to "Next Hop" router?

Hello,

Yes, however the internal PC looks on the outside.  Use that IP.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

PIX 501 not talking to "Next Hop" router?

Ok will try this tonight and let you know how it works out (and hopefully won't be begging for more help)  Thank you!

PIX 501 not talking to "Next Hop" router?

nah no problem.

We are here to help

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

PIX 501 not talking to "Next Hop" router?

Hello!

Well tonight's testing (following your recommendation) resulted in the following.  Please let me know what that tells you - I'm hoping to learn along the way!

PIX2# show cap capin

4 packets captured
17:13:22.361141 192.168.1.14 > 4.2.2.2: icmp: echo request
17:13:26.972956 192.168.1.14 > 4.2.2.2: icmp: echo request
17:13:31.973948 192.168.1.14 > 4.2.2.2: icmp: echo request
17:13:36.973933 192.168.1.14 > 4.2.2.2: icmp: echo request
4 packets shown

PIX2# show cap capout

4 packets captured
17:13:22.361553 192.168.0.2 > 4.2.2.2: icmp: echo request
17:13:26.973201 192.168.0.2 > 4.2.2.2: icmp: echo request
17:13:31.974208 192.168.0.2 > 4.2.2.2: icmp: echo request
17:13:36.974192 192.168.0.2 > 4.2.2.2: icmp: echo request
4 packets shown

PIX 501 not talking to "Next Hop" router?

Hello Barry,

Great job with the captures.

That basically lets us know that we are receiving the traffic from the workstation; the traffic is then allowed by the FW and sent out the outside interface, BUT there is no reply.

So basically a problem with the ISP. Call them and explain to them you see traffic going out to their link but there is no reply.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
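The reasoning in the reply above (request seen on inside, request seen on outside, no reply anywhere, so the break is beyond the PIX) can be turned into a small checker. The following is an added example, not code from the thread or from Cisco: it parses the PIX 6.x "show capture" listing format shown in this thread, tallies echo requests and replies per interface, and reports which segment of the path failed first. The capture text, addresses and timestamps below are constructed to mirror the thread's output.

```python
"""Classify an inside/outside pair of PIX 'show capture' listings.

Capturing the same ping on both interfaces splits the path into segments:
host -> PIX inside, PIX outside -> next hop, and the return trip.  The first
segment with no packets is where to look next.  Added example; the capture
samples are constructed, modelled on the format seen in the thread.
"""
import re
from collections import Counter

# Constructed samples (PIX 6.x 'show capture' style); addresses are made up.
CAPIN_NO_REPLY = """\
2 packets captured
17:13:22.361141 192.168.1.14 > 4.2.2.2: icmp: echo request
17:13:26.972956 192.168.1.14 > 4.2.2.2: icmp: echo request
2 packets shown
"""
CAPOUT_NO_REPLY = """\
2 packets captured
17:13:22.361553 192.168.0.2 > 4.2.2.2: icmp: echo request
17:13:26.973201 192.168.0.2 > 4.2.2.2: icmp: echo request
2 packets shown
"""
CAPIN_OK = """\
2 packets captured
17:20:01.000100 192.168.1.14 > 4.2.2.2: icmp: echo request
17:20:01.030200 4.2.2.2 > 192.168.1.14: icmp: echo reply
2 packets shown
"""
CAPOUT_OK = """\
2 packets captured
17:20:01.000400 192.168.0.2 > 4.2.2.2: icmp: echo request
17:20:01.030000 4.2.2.2 > 192.168.0.2: icmp: echo reply
2 packets shown
"""

# One packet line: timestamp, source, '>', destination, then the ICMP type.
PKT_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<src>[\d.]+)\s+>\s+(?P<dst>[\d.]+):"
    r"\s+icmp:\s+echo\s+(?P<kind>request|reply)\b"
)


def parse_capture(text):
    """Return the packet lines as dicts; 'captured'/'shown' lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = PKT_RE.match(line.strip())
        if m:
            packets.append(m.groupdict())
    return packets


def tally(packets):
    """Count echo requests and replies in one capture (missing kinds count 0)."""
    return Counter(p["kind"] for p in packets)


def diagnose(capin_text, capout_text):
    """Return (code, explanation) for an inside/outside capture pair.

    Codes, in the order the path is checked:
      NO_INSIDE     nothing reached the inside interface
      PIX_DROP_OUT  requests seen inside but never left outside
      UPSTREAM      requests left outside, no reply came back (the thread's case)
      PIX_DROP_IN   replies reached outside but were not passed inside
      OK            request and reply seen on both interfaces
    """
    inside = tally(parse_capture(capin_text))
    outside = tally(parse_capture(capout_text))
    if inside["request"] == 0:
        return ("NO_INSIDE", "no echo request on inside: check the host's gateway or the inside ACL")
    if outside["request"] == 0:
        return ("PIX_DROP_OUT", "requests seen inside but not outside: PIX NAT, outbound ACL or route")
    if outside["reply"] == 0:
        return ("UPSTREAM", "requests leave outside but no reply returns: next hop, its NAT/ARP, or the ISP")
    if inside["reply"] == 0:
        return ("PIX_DROP_IN", "replies reach outside but not inside: ICMP inspection or translation state")
    return ("OK", "echo request and reply seen on both interfaces")


def translated_source(capin_text, capout_text):
    """(inside source, outside source) of the first request, i.e. what PAT did to it."""
    ins = [p for p in parse_capture(capin_text) if p["kind"] == "request"]
    outs = [p for p in parse_capture(capout_text) if p["kind"] == "request"]
    if not ins or not outs:
        return None
    return (ins[0]["src"], outs[0]["src"])


if __name__ == "__main__":
    for label, pair in (("thread", (CAPIN_NO_REPLY, CAPOUT_NO_REPLY)),
                        ("working", (CAPIN_OK, CAPOUT_OK))):
        code, why = diagnose(*pair)
        print(f"{label}: {code} - {why}; PAT {translated_source(*pair)}")
```

The translated_source helper is the second thing worth reading off these captures: the outside listing should show the PAT address (192.168.0.2 in the thread) rather than the host's private address, which confirms the translation itself is happening before you go chasing the next hop.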
New Member

PIX 501 not talking to "Next Hop" router?

Hi Julio,

Thank you so much for taking the time to assist me with this issue.  I'm not sure it's an ISP issue though (at least I hope not!)  Please consider:

- When I first attempted to implement this change, I didn't even think to install a router between the cable modem and switch.  I figured I would simply install a switch (or hub) between the cable modem and firewall, and that I would be able to plug my IDS into that switch (or hub).  But it wouldn't work.  The PIX couldn't pull an IP.  I found out the problem was that the ISP was seeing the switch as the primary device, and grabbing its MAC address.  The PIX was ignored, and therefore never able to connect.  I called the ISP and they confirmed this is how they control how many devices are connected.  And since I only want to pay for 1 IP address from them, that's how it is.

- Then I decided to try the router approach.  And it seems to work.  The 1st router interface is getting the IP address from the ISP.  I have communications between the pix and router, and also between the router and internal hosts.  I don't think the ISP cares what's on the other side of the router (do they?)

- Each time I go home to try your recommendations I unplug the PIX from the cable modem, and connect the router inline.  That's when I lose internet connectivity.  But once I revert back to that configuration, it works again.  So the internet connection works fine.  It's only when I add the router to the mix that I lose it.

Please let me know if you think there's anything else I can try here.  I can't help thinking it is my configuration and not an ISP issue - hoping you are able to find something else I may have done incorrectly.

Thank you!

-Bk

New Member

PIX 501 not talking to "Next Hop" router?

Hi again Julio,

I finally proved that the ISP isn't the issue.  What I did was remove the PIX from the equation, and went straight from the router to a hub, and plugged a client into the hub.  I configured a basic NAT config, set up a default route at the router to the ISP default gateway (THAT IP wasn't easy to find!), and was able to get out to the 'net from that client.

Now I need to bring the PIX back into the picture.  Would you mind helping me out?  I'm a little unclear if NAT'ing should be done at the router, at the PIX, or both.  I do need to be able to access internal clients from outside, so it seems to me that it would be better to leave the rules in place on the firewall.  But of course the addresses will need to be changed. 


PLEASE help me figure out where to go next!!!

Thanks again,

BK

PIX 501 not talking to "Next Hop" router?

Hello Barry,

Could be an ARP issue.

The ASA is showing the traffic leaving its outside interface; that lets me know it's not an ASA issue, bud.

Share the following

show ip

show interface ip brief

Do you have access to the ISP modem?  If yes, get in and check the ARP table and look for the ASA IP address.

You should find it.  Then look at the MAC address and make sure it belongs to the outside interface of the ASA.

Show interface ethernet 0

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

PIX 501 not talking to "Next Hop" router?

Julio,

Finally found my problem.  I was NATing at the firewall, but not at the 1600 router (which is directly connected to the ISP).  Once I turned it on at the 1600, BINGO, I'm getting out!  I was about to mark this issue as "Solved" but I do have a followup issue.  (Please let me know if I need to open another incident.)

I am no longer able to reach my inside hosts from outside.  Is that because, since I'm NATing at the router instead of the PIX, the Port Overload definitions also need to take place at the router now?  I'm starting to play with that now...please let me know if I'm on the right track (and if you can help me to get it working).

Thanks again!

PIX 501 not talking to "Next Hop" router?

Hello,

So as I said the issue was not on the FW!

Yeah, you will need to work on that side first, then move to the outside interface of the FW and make sure you allow the traffic there.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
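The follow-up issue in the two posts above (outbound works once the router does NAT too, but the PIX's port forwards no longer answer from the internet) comes down to how two PAT hops in series treat unsolicited inbound traffic. The following toy model is an added example, not code from the thread, from Cisco, or from the poster's configs: each hop overloads outbound flows onto one public address and remembers them, and lets unsolicited inbound traffic through only when a static port mapping exists for that public port. 203.0.113.5 is a constructed stand-in for the ISP-assigned address; the PIX outside address 192.168.0.2 and the port 99 forward to 192.168.1.99 follow the thread. Real PAT also keys on the remote endpoint and handles far more cases; this is the minimum needed to show the effect.

```python
"""Two PAT hops in series: router (ISP-facing) in front of the PIX.

Shows that replies to LAN-originated traffic return through both hops via
session state, while an unsolicited inbound connection to a forwarded port
is dropped at the router until the router also maps that port to the PIX.
Added example with constructed addresses; not the thread's configuration.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class PatHop:
    """One device doing PAT (overload) on a single public address."""

    def __init__(self, name, public_ip, static_map=None):
        self.name = name
        self.public_ip = public_ip
        self.static_map = dict(static_map or {})  # (proto, public port) -> (ip, port)
        self.sessions = {}                         # (proto, public port) -> (ip, port)
        self._next_port = 1024

    def outbound(self, pkt):
        """Rewrite the source to public_ip:fresh port and remember the flow."""
        port = self._next_port
        self._next_port += 1
        self.sessions[(pkt.proto, port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=port)

    def inbound(self, pkt):
        """Translate an inbound packet, or return None if this hop drops it.

        A static mapping wins; otherwise only a remembered outbound flow
        lets the packet through (this is what makes replies work)."""
        if pkt.dst_ip != self.public_ip:
            return None
        key = (pkt.proto, pkt.dst_port)
        target = self.static_map.get(key) or self.sessions.get(key)
        if target is None:
            return None
        return replace(pkt, dst_ip=target[0], dst_port=target[1])


def send_out(chain, pkt):
    """LAN-originated packet through the hops in LAN-to-internet order."""
    for hop in reversed(chain):
        pkt = hop.outbound(pkt)
    return pkt


def send_in(chain, pkt):
    """Internet-originated packet through the hops in internet-to-LAN order.

    Returns (dropped_at, delivered); exactly one of the two is None."""
    for hop in chain:
        pkt = hop.inbound(pkt)
        if pkt is None:
            return (hop.name, None)
    return (None, pkt)


def build_chain(router_forwards):
    """Router ahead of the PIX, as in the thread.  The PIX keeps a mapping in
    the spirit of 'static (inside,outside) tcp interface 99 192.168.1.99 99';
    router_forwards is whatever the router maps to the PIX outside address."""
    router = PatHop("router", "203.0.113.5", router_forwards)   # constructed public IP
    pix = PatHop("pix", "192.168.0.2", {("tcp", 99): ("192.168.1.99", 99)})
    return [router, pix]


def demo():
    """Return (outbound result, reply result, inbound without/with router forward)."""
    chain = build_chain({})
    out = send_out(chain, Packet("192.168.1.14", 5555, "4.2.2.2", 53, "udp"))
    reply = send_in(chain, Packet("4.2.2.2", 53, out.src_ip, out.src_port, "udp"))
    unsolicited = Packet("198.51.100.7", 40000, "203.0.113.5", 99)
    without = send_in(chain, unsolicited)
    fixed = build_chain({("tcp", 99): ("192.168.0.2", 99)})
    with_forward = send_in(fixed, unsolicited)
    return out, reply, without, with_forward


if __name__ == "__main__":
    for label, result in zip(("outbound", "reply", "inbound, no router forward",
                              "inbound, router forward added"), demo()):
        print(f"{label}: {result}")
```

Reading the four results in order: the DNS query leaves as 203.0.113.5 with a router-chosen port and its reply threads back through both session tables to 192.168.1.14, which is the "outbound works" state. The unsolicited connection to port 99 dies at the router, and only once the router carries its own mapping for port 99 to 192.168.0.2 does the PIX's existing static get a chance to forward it to 192.168.1.99, which matches the advice to fix the router side first and then check what the PIX outside interface allows.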
New Member

PIX 501 not talking to "Next Hop" router?

Hi again Julio,

I've rated several of your posts as you have requested.  I'm going to submit a new topic shortly, since it's a different issue than the one I originally posted.  I hope you're available to help me with this one as well.  Thanks again for your assistance!

-BK

PIX 501 not talking to "Next Hop" router?

Hello,

It will be a pleasure to help you, Barry.  Just keep me posted, bud.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC