10-20-2010 08:57 PM - edited 03-11-2019 11:57 AM
Hi everybody
Here below is a description of the issue I have.
My network:
outside network 10.80.188.0------>10.80.188.1(outside PIX interface)---------(inside PIX interface)172.21.7.1<-------172.21.7.0 inside network
I put the following config:
static (inside,outside) 172.21.7.0 172.21.7.0 netmask 255.255.255.0
ip address outside 10.80.188.1 255.255.255.0
ip address inside 172.21.7.1 255.255.255.0
access-list FromInside permit ip any any
access-list FromOutside permit ip any any
access-group FromOutside in interface outside
access-group FromInside in interface inside
For testing purposes I have one device on the 10.80.188.0 network (device IP 10.80.188.10) and one device on the 172.21.7.0 network (device IP 172.21.7.10).
With the above mentioned config I can ping from device 172.21.7.10 to device 10.80.188.10
but I can't ping from 10.80.188.10 to 172.21.7.10 (no firewalls enabled on either PC)
On ASA55XX with ver 8.3 I can achieve this quite easy with two simple commands:
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
but how to do it on PIX 506E with ver.6.3 ??
Do I need another static statement?
I tried to add: static (inside,outside) 10.80.188.0 10.80.188.0 netmask 255.255.255.0
but it doesn't work
Any help appreciated.
10-20-2010 09:01 PM
Pls add "fixup protocol icmp error".
If you run packet capture on both inside and outside interface of the PIX firewall, what do you see?
10-20-2010 09:03 PM
And btw, since you mention same-security-traffic, are you having the same security level for both inside and outside interface?
If you are, that is not supported in PIX version 6.3. Please change the security level so that outside has a lower security level than inside.
10-21-2010 06:00 AM
Nope.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
10-20-2010 09:07 PM
Hello,
I see you mention also same security traffic, please remember that the Pix 6.3 does not support same security traffic...
Here is the link
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807fc191.shtml
Try what Jennifer told you adding the icmp error command...
Cheers
Mike
10-21-2010 07:00 AM
I know it doesn't work on ver 6.3
I just mentioned that same security traffic works with ver. 7 and up (I have it on version 8.3).
I added fixup protocol icmp error but it didn't help.
I know that to achieve what I want I need to use these null static statements but I don't remember exactly how?
example of null static :
static (inside,outside) 10.80.188.0 10.80.188.0 netmask 255.255.255.0
10-21-2010 05:59 AM
I entered fixup for icmp. Didn't help.
Capture on outside:
pixfirewall(config)# sh capture CAPTURE
4 packets captured
04:46:14.079372 10.80.188.10 > 172.21.7.10: icmp: echo request
04:46:19.017485 10.80.188.10 > 172.21.7.10: icmp: echo request
04:46:24.024885 10.80.188.10 > 172.21.7.10: icmp: echo request
04:46:29.016753 10.80.188.10 > 172.21.7.10: icmp: echo request
4 packets shown
Capture on inside:
pixfirewall(config)# sh capture CAPTURE
7 packets captured
04:46:14.079372 10.80.188.10 > 172.21.7.10: icmp: echo request
04:46:19.017485 10.80.188.10 > 172.21.7.10: icmp: echo request
04:46:24.024885 10.80.188.10 > 172.21.7.10: icmp: echo request
04:46:29.016753 10.80.188.10 > 172.21.7.10: icmp: echo request
04:48:18.705331 10.80.188.10 > 172.21.7.10: icmp: echo request
04:48:23.516712 10.80.188.10 > 172.21.7.10: icmp: echo request
04:48:28.524295 10.80.188.10 > 172.21.7.10: icmp: echo request
7 packets shown
10-21-2010 04:27 PM
OK, seems that the firewall is sending the ICMP ECHO Request outbound towards 172.21.7.10, however, that host is not responding as we can not see ICMP ECHO Reply on the inside interface.
Are you sure no personal firewall or some sort of anti-virus is enabled on that host? Can you try a different PC, or swap the 10.80.188.10 PC with the 172.21.7.10 PC, swap the IP addresses around, and see if you can ping in that direction (from outside to inside).
BTW, you don't need any other static NAT statement. Only the following is required:
static (inside,outside) 172.21.7.0 172.21.7.0 netmask 255.255.255.0
and please "clear xlate" whenever you add or remove NAT statements.
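The reasoning in the reply above (echo requests reach the inside interface, no echo reply ever comes back, so the firewall is not the problem) can be automated over `show capture` output. The script below is an added example, not code from the thread or from Cisco: it parses the ICMP echo lines of the outside and inside captures, pairs requests with replies per client/target flow, and reports where an outside-to-inside ping breaks. The two captures from the thread are embedded verbatim; the "healthy" and "dropped" captures are constructed to show the other verdicts.

```python
import re
from collections import Counter

# Capture output copied from the thread: echo requests on both interfaces,
# no echo replies anywhere.
THREAD_OUTSIDE = """\
4 packets captured
04:46:14.079372 10.80.188.10 > 172.21.7.10: icmp: echo request
04:46:19.017485 10.80.188.10 > 172.21.7.10: icmp: echo request
04:46:24.024885 10.80.188.10 > 172.21.7.10: icmp: echo request
04:46:29.016753 10.80.188.10 > 172.21.7.10: icmp: echo request
4 packets shown
"""
THREAD_INSIDE = """\
7 packets captured
04:46:14.079372 10.80.188.10 > 172.21.7.10: icmp: echo request
04:46:19.017485 10.80.188.10 > 172.21.7.10: icmp: echo request
04:46:24.024885 10.80.188.10 > 172.21.7.10: icmp: echo request
04:46:29.016753 10.80.188.10 > 172.21.7.10: icmp: echo request
04:48:18.705331 10.80.188.10 > 172.21.7.10: icmp: echo request
04:48:23.516712 10.80.188.10 > 172.21.7.10: icmp: echo request
04:48:28.524295 10.80.188.10 > 172.21.7.10: icmp: echo request
7 packets shown
"""

# Constructed captures (not from the thread): a working ping, and a ping the
# firewall drops on the outside interface before forwarding it.
HEALTHY_OUTSIDE = """\
05:00:01.000000 10.80.188.10 > 172.21.7.10: icmp: echo request
05:00:01.000900 172.21.7.10 > 10.80.188.10: icmp: echo reply
"""
HEALTHY_INSIDE = """\
05:00:01.000300 10.80.188.10 > 172.21.7.10: icmp: echo request
05:00:01.000600 172.21.7.10 > 10.80.188.10: icmp: echo reply
"""
DROPPED_OUTSIDE = """\
05:01:01.000000 10.80.188.10 > 172.21.7.10: icmp: echo request
"""
DROPPED_INSIDE = ""

VERDICT_OK = "ok: request and reply seen on both interfaces"
VERDICT_FW_DROPPED_REQUEST = "request dropped by firewall: seen outside, never forwarded inside"
VERDICT_NO_REPLY = "no reply from target host: request forwarded inside, nothing came back"
VERDICT_FW_DROPPED_REPLY = "reply dropped by firewall: seen inside, not on outside"

# One PIX capture line: timestamp, src > dst: icmp: echo request|reply
ECHO_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d+\s+"
    r"(?P<src>\d+(?:\.\d+){3})\s+>\s+(?P<dst>\d+(?:\.\d+){3}):\s+"
    r"icmp:\s+echo\s+(?P<kind>request|reply)\b"
)


def parse_capture(text):
    """Yield (src, dst, kind) for each ICMP echo line; header/footer lines are skipped."""
    for line in text.splitlines():
        m = ECHO_RE.match(line.strip())
        if m:
            yield m.group("src"), m.group("dst"), m.group("kind")


def count_echoes(packets):
    """Count requests and replies per (client, target) flow.

    A reply travels target -> client, so its addresses are flipped to land
    on the same key as the request it answers.
    """
    flows = {}
    for src, dst, kind in packets:
        key = (src, dst) if kind == "request" else (dst, src)
        flows.setdefault(key, Counter())[kind] += 1
    return flows


def diagnose(outside_text, inside_text):
    """Return {(client, target): verdict} for pings entering on the outside interface.

    The checks follow the packet path: was the request forwarded at all, did the
    target answer, and did the answer make it back out.
    """
    outside = count_echoes(parse_capture(outside_text))
    inside = count_echoes(parse_capture(inside_text))
    verdicts = {}
    for flow in sorted(set(outside) | set(inside)):
        o = outside.get(flow, Counter())
        i = inside.get(flow, Counter())
        if o["request"] and not i["request"]:
            verdicts[flow] = VERDICT_FW_DROPPED_REQUEST
        elif i["request"] and not i["reply"]:
            verdicts[flow] = VERDICT_NO_REPLY
        elif i["reply"] and not o["reply"]:
            verdicts[flow] = VERDICT_FW_DROPPED_REPLY
        else:
            verdicts[flow] = VERDICT_OK
    return verdicts


if __name__ == "__main__":
    cases = {
        "thread": (THREAD_OUTSIDE, THREAD_INSIDE),
        "healthy (constructed)": (HEALTHY_OUTSIDE, HEALTHY_INSIDE),
        "dropped (constructed)": (DROPPED_OUTSIDE, DROPPED_INSIDE),
    }
    for name, (out_txt, in_txt) in cases.items():
        for (client, target), verdict in diagnose(out_txt, in_txt).items():
            print(f"{name}: {client} -> {target}: {verdict}")
```

For the thread's captures the script reports that the request was forwarded inside and no reply came back, which is exactly the host-side problem (the AVG firewall) the poster later found. The same comparison distinguishes that case from an ACL or NAT problem on the PIX, where the request would appear on the outside capture only.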
10-21-2010 05:34 PM
Thank you very much for your help. I was looking on the PC for Windows Firewall and I disabled it. However I didn't know that my co-worker had additionally installed AVG Internet Security Suite on this PC. There were no AVG icons on the desktop or in the task bar. To disable Windows Firewall I was going to the Services and right away scrolling down to the letter W for Windows Firewall, omitting AVG, which is at the beginning of the list of services. Stupid me.
Thank you a lot again
10-21-2010 06:40 PM
Great news and thanks for the update.