Cisco Support Community

New Member

Routing on PIX 506E ver.6.3

Hi everybody

Here below is a description of the issue I have.

My network:

outside network 10.80.188.0------>10.80.188.1(outside PIX interface)---------(inside PIX interface)172.21.7.1<-------172.21.7.0 inside network

I put the following config:

static (inside,outside) 172.21.7.0 172.21.7.0 netmask 255.255.255.0

ip address outside 10.80.188.1 255.255.255.0
ip address inside 172.21.7.1 255.255.255.0

access-list FromInside permit ip any any
access-list FromOutside permit ip any any

access-group FromOutside in interface outside
access-group FromInside in interface inside

For testing purposes I have one device on the 10.80.188.0 network (device IP 10.80.188.10) and one device on the 172.21.7.0 network (device IP 172.21.7.10).

With the above mentioned config I can ping from device 172.21.7.10 to device 10.80.188.10

but I can't ping from 10.80.188.10 to 172.21.7.10 (no firewalls enabled on either PC)

On ASA55XX with ver 8.3 I can achieve this quite easily with two simple commands:

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

but how to do it on PIX 506E with ver. 6.3??

Do I need another static statement?

I tried to add: static (inside,outside) 10.80.188.0 10.80.188.0 netmask 255.255.255.0

but it doesn't work

Any help appreciated.

9 REPLIES
Cisco Employee

Re: Routing on PIX 506E ver.6.3

Pls add "fixup protocol icmp error".

If you run packet capture on both inside and outside interface of the PIX firewall, what do you see?

Cisco Employee

Re: Routing on PIX 506E ver.6.3

And btw, since you mention same-security-traffic, do you have the same security level for both the inside and outside interface?

If you do, that is not supported in PIX version 6.3. Please change the security level so that outside has a lower security level than inside.

New Member

Re: Routing on PIX 506E ver.6.3

Nope.

nameif ethernet0 outside security0
nameif ethernet1 inside security100

Cisco Employee

Re: Routing on PIX 506E ver.6.3

Hello,

I see you mention also same security traffic, please remember that the Pix 6.3 does not support same security traffic...

Here is the link

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807fc191.shtml

Try what Jennifer told you, adding the icmp error command...

Cheers

Mike

New Member

Re: Routing on PIX 506E ver.6.3

I know it doesn't work on ver 6.3

I just mentioned that same security traffic works with ver. 7 and up (I have it on version 8.3)

I added fixup protocol icmp error but it didn't help.

I know that to achieve what I want I need to use these null static statements but I don't remember exactly how.

example of null static :

static (inside,outside) 10.80.188.0 10.80.188.0 netmask 255.255.255.0

New Member

Re: Routing on PIX 506E ver.6.3

I entered fixup for icmp. Didn't help.

Capture on outside:

pixfirewall(config)# sh capture CAPTURE
4 packets captured
04:46:14.079372 10.80.188.10 > 172.21.7.10: icmp: echo request
04:46:19.017485 10.80.188.10 > 172.21.7.10: icmp: echo request
04:46:24.024885 10.80.188.10 > 172.21.7.10: icmp: echo request
04:46:29.016753 10.80.188.10 > 172.21.7.10: icmp: echo request
4 packets shown

Capture on inside:

pixfirewall(config)# sh capture CAPTURE
7 packets captured
04:46:14.079372 10.80.188.10 > 172.21.7.10: icmp: echo request
04:46:19.017485 10.80.188.10 > 172.21.7.10: icmp: echo request
04:46:24.024885 10.80.188.10 > 172.21.7.10: icmp: echo request
04:46:29.016753 10.80.188.10 > 172.21.7.10: icmp: echo request
04:48:18.705331 10.80.188.10 > 172.21.7.10: icmp: echo request
04:48:23.516712 10.80.188.10 > 172.21.7.10: icmp: echo request
04:48:28.524295 10.80.188.10 > 172.21.7.10: icmp: echo request
7 packets shown

Cisco Employee

Re: Routing on PIX 506E ver.6.3

OK, seems that the firewall is sending the ICMP ECHO Request outbound towards 172.21.7.10, however, that host is not responding as we can not see ICMP ECHO Reply on the inside interface.

Are you sure no personal firewall or some sort of anti-virus is enabled on that host? Can you try a different PC, or swap the 10.80.188.10 PC with the 172.21.7.10 PC, swap the IP addresses around, and see if you can ping in that direction (from outside to inside).

BTW, you don't need any other static NAT statement. Only the following is required:

static (inside,outside) 172.21.7.0 172.21.7.0 netmask 255.255.255.0

and please "clear xlate" whenever you add or remove NAT statements.
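
As an added example (not part of this thread and not a Cisco tool), the following Python script automates the reasoning in the reply above: it parses PIX 6.3 "show capture" output like the two captures posted earlier, counts echo requests and replies between the pinging host and the target on each interface, and reports at which point the outside-to-inside ping stops. It assumes the capture line format shown in this thread; the outside and inside captures embedded in it are copied from the thread, while the "healthy" capture containing an echo reply is constructed to show what a working exchange looks like.

```python
import re

# One ICMP echo line of PIX 6.3 "show capture" output. Assumption: this is the
# line format shown in the thread; anything else (prompt, packet counts, other
# protocols) is skipped.
CAPTURE_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<src>[\d.]+)\s+>\s+(?P<dst>[\d.]+):"
    r"\s+icmp:\s+echo\s+(?P<kind>request|reply)\s*$"
)

# Captures copied from the thread (outside and inside interfaces of the PIX).
OUTSIDE_CAPTURE = """\
pixfirewall(config)# sh capture CAPTURE
4 packets captured
04:46:14.079372 10.80.188.10 > 172.21.7.10: icmp: echo request
04:46:19.017485 10.80.188.10 > 172.21.7.10: icmp: echo request
04:46:24.024885 10.80.188.10 > 172.21.7.10: icmp: echo request
04:46:29.016753 10.80.188.10 > 172.21.7.10: icmp: echo request
4 packets shown
"""

INSIDE_CAPTURE = """\
pixfirewall(config)# sh capture CAPTURE
7 packets captured
04:46:14.079372 10.80.188.10 > 172.21.7.10: icmp: echo request
04:46:19.017485 10.80.188.10 > 172.21.7.10: icmp: echo request
04:46:24.024885 10.80.188.10 > 172.21.7.10: icmp: echo request
04:46:29.016753 10.80.188.10 > 172.21.7.10: icmp: echo request
04:48:18.705331 10.80.188.10 > 172.21.7.10: icmp: echo request
04:48:23.516712 10.80.188.10 > 172.21.7.10: icmp: echo request
04:48:28.524295 10.80.188.10 > 172.21.7.10: icmp: echo request
7 packets shown
"""

# Constructed capture (not from the thread): what a working exchange looks like
# on either interface, with the request answered by a reply.
HEALTHY_CAPTURE = """\
2 packets captured
04:46:14.079372 10.80.188.10 > 172.21.7.10: icmp: echo request
04:46:14.080210 172.21.7.10 > 10.80.188.10: icmp: echo reply
2 packets shown
"""


def parse_capture(text):
    """Return the ICMP echo packets in a capture as dicts; prompt and count lines are ignored."""
    packets = []
    for line in text.splitlines():
        match = CAPTURE_LINE.match(line.strip())
        if match:
            packets.append(match.groupdict())
    return packets


def echo_counts(packets, pinger, target):
    """Count echo requests pinger -> target and echo replies target -> pinger."""
    counts = {"request": 0, "reply": 0}
    for p in packets:
        if p["kind"] == "request" and p["src"] == pinger and p["dst"] == target:
            counts["request"] += 1
        elif p["kind"] == "reply" and p["src"] == target and p["dst"] == pinger:
            counts["reply"] += 1
    return counts


def diagnose(outside_text, inside_text, pinger, target):
    """Locate where an outside -> inside ping stops. Returns (code, explanation)."""
    out = echo_counts(parse_capture(outside_text), pinger, target)
    ins = echo_counts(parse_capture(inside_text), pinger, target)
    if out["request"] == 0:
        return ("NO_REQUEST_ON_OUTSIDE",
                "no echo request reached the outside interface; check the pinging host and its path to the PIX")
    if ins["request"] == 0:
        return ("DROPPED_BY_FIREWALL",
                "requests arrive on outside but are not forwarded to inside; check the access-list, the static and the interface security levels")
    if ins["reply"] == 0:
        return ("TARGET_NOT_REPLYING",
                "requests are forwarded to inside but the target never answers; look at the target host (personal firewall, security suite)")
    if out["reply"] == 0:
        return ("REPLY_DROPPED_BY_FIREWALL",
                "replies arrive on inside but never leave outside; check fixup protocol icmp and the xlate state")
    return ("OK", "echo request and reply both traverse the PIX")


if __name__ == "__main__":
    code, why = diagnose(OUTSIDE_CAPTURE, INSIDE_CAPTURE, "10.80.188.10", "172.21.7.10")
    print(f"{code}: {why}")
```

Run against the two captures from the thread it reports TARGET_NOT_REPLYING, which matches the conclusion in the reply above: the PIX forwarded every request to the inside interface and the host itself stayed silent, so the next thing to inspect is the host, not the firewall configuration.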

New Member

Re: Routing on PIX 506E ver.6.3

Thank you very much for your help. I was looking on the PC for Windows Firewall and I disabled it. However, I didn't know that my co-worker had additionally installed AVG Internet Security Suite on this PC. There were no AVG icons on the desktop or in the task bar. To disable Windows Firewall I was going to the Services and right away scrolling down to the letter W for Windows Firewall, omitting AVG, which is at the beginning of the list of services. Stupid me.

Thank you a lot again

Cisco Employee

Re: Routing on PIX 506E ver.6.3

Great news and thanks for the update.
