Routing on PIX 506E ver.6.3

amarula115
Level 1

Hi everybody

Here below is a description of the issue I have.

My network:

outside network 10.80.188.0------>10.80.188.1(outside PIX interface)---------(inside PIX interface)172.21.7.1<-------172.21.7.0 inside network

I put the following config:

static (inside,outside) 172.21.7.0 172.21.7.0 netmask 255.255.255.0

ip address outside 10.80.188.1 255.255.255.0
ip address inside 172.21.7.1 255.255.255.0

access-list FromInside permit ip any any
access-list FromOutside permit ip any any

access-group FromOutside in interface outside
access-group FromInside in interface inside

for testing purpose I have one device on 10.80.188.0 network (device IP 10.80.188.10) and one device on network 172.21.7.0 (device IP 172.21.7.10)

With the above mentioned config I can ping from device 172.21.7.10 to device 10.80.188.10

but I can't ping from 10.80.188.10 to 172.21.7.10 (no firewalls enabled on either PC)

On ASA55XX with ver 8.3 I can achieve this quite easy with two simple commands:

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

but how to do it on PIX 506E with ver. 6.3?

Do I need another static statement?

I tried to add: static (inside,outside) 10.80.188.0 10.80.188.0 netmask 255.255.255.0

but it doesn't work

Any help appreciated.


9 Replies

Jennifer Halim
Cisco Employee

Pls add "fixup protocol icmp error".

If you run packet capture on both inside and outside interface of the PIX firewall, what do you see?

And btw, since you mention same-security-traffic, are you having the same security level for both inside and outside interface?

If you are, that is not supported in PIX version 6.3. Please change the security level so outside is having lower security level than inside.

Nope.

nameif ethernet0 outside security0
nameif ethernet1 inside security100

Hello,

I see you mention also same security traffic, please remember that the Pix 6.3 does not support same security traffic...

Here is the link

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807fc191.shtml

Try what Jennifer told you adding the icmp error command...

Cheers

Mike

Mike

I know it doesn't work on ver 6.3

I just mentioned that same security traffic works with ver. 7 and up (I have it on version 8.3)

I added fixup protocol icmp error but it didn't help.

I know that to achieve what I want I need to use these null static statements but I don't remember exactly how?

example of null static :

static (inside,outside) 10.80.188.0 10.80.188.0 netmask 255.255.255.0

I entered fixup for icmp. Didn't help

Capture on outside:

pixfirewall(config)# sh capture CAPTURE
4 packets captured
04:46:14.079372 10.80.188.10 > 172.21.7.10: icmp: echo request
04:46:19.017485 10.80.188.10 > 172.21.7.10: icmp: echo request
04:46:24.024885 10.80.188.10 > 172.21.7.10: icmp: echo request
04:46:29.016753 10.80.188.10 > 172.21.7.10: icmp: echo request
4 packets shown

Capture on inside:

pixfirewall(config)# sh capture CAPTURE
7 packets captured
04:46:14.079372 10.80.188.10 > 172.21.7.10: icmp: echo request
04:46:19.017485 10.80.188.10 > 172.21.7.10: icmp: echo request
04:46:24.024885 10.80.188.10 > 172.21.7.10: icmp: echo request
04:46:29.016753 10.80.188.10 > 172.21.7.10: icmp: echo request
04:48:18.705331 10.80.188.10 > 172.21.7.10: icmp: echo request
04:48:23.516712 10.80.188.10 > 172.21.7.10: icmp: echo request
04:48:28.524295 10.80.188.10 > 172.21.7.10: icmp: echo request
7 packets shown

OK, seems that the firewall is sending the ICMP ECHO Request outbound towards 172.21.7.10, however, that host is not responding as we can not see ICMP ECHO Reply on the inside interface.

Are you sure no personal firewall or some sort of anti virus is not enabled on that host? Can you try a different PC, or swap the 10.80.188.10 with the 172.21.7.10 PC, swap the IP Addresses around, and see if you can ping in that direction (from outside to inside).

BTW, you don't need any other static NAT statement. Only the following is required:

static (inside,outside) 172.21.7.0 172.21.7.0 netmask 255.255.255.0

and please "clear xlate" whenever you add or remove NAT statements.
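The diagnosis above rests on reading the two captures and noticing that every echo request leaving the inside interface has no matching echo reply. The following Python, added here as an example and not part of the thread, parses PIX 6.3 `show capture` output and reports request flows with fewer replies than requests; the inside capture is taken from the post above and the "healthy" capture is constructed for comparison.

```python
import re
from collections import Counter

# PIX 6.3 "show capture" ICMP line shape, e.g.:
#   04:46:14.079372 10.80.188.10 > 172.21.7.10: icmp: echo request
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):\s+icmp:\s+echo\s+(?P<kind>request|reply)\s*$"
)

def parse_capture(text):
    """Return [(ts, src, dst, kind)] for every ICMP echo line; banner/count lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packets.append((m["ts"], m["src"], m["dst"], m["kind"]))
    return packets

def unanswered_echo(text):
    """Return {(src, dst): missing_replies} for request flows that got fewer replies than requests."""
    requests = Counter()
    replies = Counter()
    for _ts, src, dst, kind in parse_capture(text):
        if kind == "request":
            requests[(src, dst)] += 1
        else:
            # A reply travels dst -> src, so key it on the original request direction.
            replies[(dst, src)] += 1
    return {flow: n - replies[flow] for flow, n in requests.items() if n > replies[flow]}

# Inside-interface capture as posted in the thread: requests go out, nothing comes back.
INSIDE_CAPTURE = """pixfirewall(config)# sh capture CAPTURE
4 packets captured
04:46:14.079372 10.80.188.10 > 172.21.7.10: icmp: echo request
04:46:19.017485 10.80.188.10 > 172.21.7.10: icmp: echo request
04:46:24.024885 10.80.188.10 > 172.21.7.10: icmp: echo request
04:46:29.016753 10.80.188.10 > 172.21.7.10: icmp: echo request
4 packets shown
"""

# Constructed capture of a host that answers: every request has its reply.
HEALTHY_CAPTURE = """2 packets captured
05:00:01.000000 10.80.188.10 > 172.21.7.10: icmp: echo request
05:00:01.000420 172.21.7.10 > 10.80.188.10: icmp: echo reply
2 packets shown
"""

if __name__ == "__main__":
    print(unanswered_echo(INSIDE_CAPTURE))   # {('10.80.188.10', '172.21.7.10'): 4}
    print(unanswered_echo(HEALTHY_CAPTURE))  # {}
```

An empty result on the inside capture would point back at the firewall (NAT or ACL); a non-empty one, as here, points at the target host.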

Thank you very much for your help. I was looking on the PC for Windows firewall and I disabled it. However I didn't know that my co-worker installed additionally AVG Internet Security Suite on this PC. There were no AVG icons on the desktop or in the task bar. To disable Windows Firewall I was going to the Services and right away scrolling down to the letter W for Windows firewall, omitting AVG which is at the beginning of the list of services. Stupid me.

Thank you a lot again

Great news and thanks for the update.
