Re: PIX to 2811

mrblister · ‎02-24-2007

I have PIX 515 that I am trying to get to point out to the internet through a 2811.

I can get to the internet through the 2811 if I connect directly to the router, however through the PIX I'm running into some problems.

Router Details:

Internal IP:

192.168.254.2 255.255.255.0

X.X.3.252 255.255.255.240 secondary

External IP:

X.X.1.30 255.255.255.252

Firewall:

Internal IP:

192.168.254.3 255.255.255.0

External IP:

X.X.3.238 255.255.255.240

Now, I can ping the internal interface of the router from the external interface of the PIX, but I cannot get to the external interface of the router from anywhere in the PIX.

I'm pretty sure it has to be a routing issue on the PIX... but I could be very, very wrong. Any help would be greatly appreciated!

Jon Marshall · ‎02-24-2007

Hi

Could be a number of things. When you say "from anywhere in the pix" do you mean from DMZ's / internal networks ?.

If so things to check

1) Routing as you mentioned. Generally speaking you would want a default route on the pix pointing to the 2811.

2) Nat on the pix. Are you doing it or not.

3) access-lists on the pix. If you are pinging from inside the pix to the router you will need an access-list on the outside interface of your pix allowing the ping back in as icmp is not stateful.

Could you explain where you are trying to ping from and send a sanitised copy of the pix config.

HTH

Jon

mrblister · ‎02-26-2007

I had no access-list on the pix to allow ICMP back in. Thanks for the heads up.

Now I have a seperate problem:

I cannot telnet into my routers internal interface from behind the firewall. Any thoughts on what might be causing this?

Jon Marshall · ‎02-26-2007

Hi

Have you allowed telnet from the host you are trying to get to ? eg assuming you are connecting from 192.168.5.2 on the pix in config mode

telnet 192.168.5.2 255.255.255.255 inside

HTH

Jon

mrblister · ‎02-26-2007

I have a default rule that allows all inside traffic out, this includes telnet. I can telnet into smtp servers, etc. outside the router.

I just cant telnet into the inside interface of my router.

That interface has two IP's:

a private address: 192.168.254.2

a public address: X.X.3.225 (secondary)

Now here's the strange thing, I cant telnet to the 192.168 address, nor can I ping it. However, I can ping the .3.225 secondary address. Strange, they are both on the same interface, shouldnt I be able to hit both of them?

Jon Marshall · ‎02-26-2007

Hi

Sorry my mistake, i mis read and thought you were talking about telnet to the pix.

Right. Does your router have a route back to the host you are pinging from ?

Can you ping both router addresses on the internal interface from your pix.

What you could do is do a bit of debugging on the pix ie

debug packet outside dst 192.168.254.2

debug packet outside src 192.168.254.2

If you then telnet you should be able to see the packets going back and forth.

(Be careful with the debug. If there is a lot of traffic going through your pix best to do it in a quiet period).

Jon

mrblister · ‎02-27-2007

First off, thanks for the help Jon, much appreciated.

Second off, I cannot ping the private 192 address, however I can ping the public X.X.3.225 address.

I'll give debugging a shot and see if I cant get some more info.

Thanks again.