399 Views, 0 Helpful, 2 Replies

Allowing ICMP and Telnet through a PIX 525

markneil (Level 1)

We are attempting to build a new distribution block for our WAN backbone. We are having a problem in establishing ICMP and Telnet through the PIX. The following is known:

1. Ping and telnet from the 6509 and internal network works fine to the PIX.

2. Ping from the 7206 to the PIX works fine.

3. Debug ICMP trace shows normal activity for ICMP connections to the PIX from the 6509 and internal network; however, the debug shows nothing - no activity - during attempts to ping to a.b.5.18 (shown below).

In short, all the connections seem to be fine between the three devices, however, we can't get ICMP and Telnet to work correctly through the PIX.

The layout is:

6509(MSFC) ------- PIX 525 ---------- 7206

IP:         a.b.5.1 --- a.b.5.2   a.b.5.17 --- a.b.5.18
mask:   255.255.255.0   255.255.255.240 (both)   255.255.255.240

networks:   a.b.5.0            a.b.5.16
            255.255.255.240    255.255.255.240

6509:

interface VlanX
 description newwan-bb
 ip address a.b.5.1 255.255.255.0
 no ip redirects
router ospf <pid>
 log-adjacency-changes
 redistribute static metric 50 metric-type 1 subnets
 passive-interface default
 no passive-interface Vlan9
 ((other networks omitted))
 network a.b.5.0 0.0.0.255 area 0
 default-information originate

PIX 525:

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 failover security10
hostname XXXXXX
domain-name XXX.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 102 permit ip any any
access-list 102 permit icmp any any
access-list 102 permit icmp any any echo
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any source-quench
access-list 102 permit icmp any any unreachable
access-list 102 permit icmp any any time-exceeded
access-list 103 permit ip any any
access-list 103 permit icmp any any
access-list 103 permit icmp any any echo
access-list 103 permit icmp any any echo-reply
access-list 103 permit icmp any any source-quench
access-list 103 permit icmp any any unreachable
access-list 103 permit icmp any any time-exceeded
pager lines 24
logging on
logging timestamp
logging buffered notifications
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
mtu outside 1500
mtu inside 1500
mtu failover 1500
ip address outside a.b.5.17 255.255.255.240
ip address inside a.b.5.2 255.255.255.240
ip address failover 192.168.230.1 255.255.255.252
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 103 in interface outside
route outside 0.0.0.0 0.0.0.0 a.b.5.18 1
route inside a.0.0.0 255.0.0.0 a.b.5.1 1
route inside a.b.0.0 255.240.0.0 a.b.5.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet a.0.0.0 255.0.0.0 outside
telnet a.0.0.0 255.0.0.0 inside
telnet a.b.0.0 255.240.0.0 inside
telnet a.b.5.18 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
terminal width 80

Appreciate any help in proper routing through a PIX 525, given that all this is for an internal network.

Accepted Solution

mostiguy (Level 6)

On the 6509, why does the interface have a /24 subnet mask when everything else has a /28? If you try pinging .18 from the 6500, it will think that it is on a local network and that it does not need to route through the PIX.

Your access lists are confusing.

access-list ## permit ip any any should let everything through, and therefore everything that follows is a redundant statement.

For testing purposes,

access-list alloweverything permit ip any any

access-group alloweverything in interface outside

should make the PIX act just like a router, in that you are effectively disabling all firewall functionality.

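The two points in the accepted answer can be checked mechanically. The following Python is an added example, not code from the thread or from Cisco: it shows (a) why a host whose interface carries a /24 mask treats a.b.5.18 as on-link and never hands the packet to the PIX, while a /28 mask sends it via the PIX inside address, and (b) which entries of the posted ACL 103 can never be reached because a first-match ACL stops at `permit ip any any`. Since the thread masks its prefix as `a.b`, the constructed addresses use the TEST-NET-1 block 192.0.2.0/24 in place of a.b.5.0/24; the function names, the simplified ACL matcher (it only understands `any` and exact-match fields, not subnet masks or ports) and the sample values are assumptions of this example.

```python
import ipaddress

# Constructed stand-ins: the thread writes its prefix as "a.b"; the
# TEST-NET-1 block 192.0.2.0/24 plays the role of a.b.5.0/24 here.
PIX_INSIDE = "192.0.2.2"            # PIX inside, a.b.5.2 in the thread
ROUTER_7206 = "192.0.2.18"          # 7206, a.b.5.18 in the thread
VLAN_AS_POSTED = "192.0.2.1/24"     # 6509 MSFC VLAN with the posted /24 mask
VLAN_AS_SUGGESTED = "192.0.2.1/28"  # same /28 as the PIX inside interface


def next_hop(interface_cidr, destination, default_gateway):
    """Decide how a host with one interface forwards to `destination`.

    Returns ("connected", destination) when the destination falls inside
    the interface's own subnet (the host ARPs for it directly and never
    sends the packet to a router), otherwise ("via", default_gateway).
    """
    iface = ipaddress.ip_interface(interface_cidr)
    dst = ipaddress.ip_address(destination)
    if dst in iface.network:
        return ("connected", str(dst))
    return ("via", default_gateway)


def parse_acl(lines):
    """Parse PIX-style 'access-list NAME permit PROTO SRC DST [ICMP-TYPE]'
    lines into tuples; lines that are not access-list entries are skipped."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 6 or parts[0] != "access-list":
            continue
        proto, src, dst = parts[3], parts[4], parts[5]
        icmp_type = parts[6] if len(parts) > 6 else None
        entries.append((parts[2], proto, src, dst, icmp_type))
    return entries


def _covers(first, later):
    """True when `first` matches every packet `later` could match
    (simplified matcher: only 'ip'/'any' wildcards and exact fields)."""
    _, p1, s1, d1, t1 = first
    _, p2, s2, d2, t2 = later
    proto_ok = p1 == "ip" or p1 == p2
    type_ok = t1 is None or t1 == t2
    src_ok = s1 == "any" or s1 == s2
    dst_ok = d1 == "any" or d1 == d2
    return proto_ok and type_ok and src_ok and dst_ok


def shadowed_entries(entries):
    """Indices of entries that can never be reached because an earlier
    entry already matches everything they would match (first-match ACL)."""
    return [j for j in range(len(entries))
            if any(_covers(entries[i], entries[j]) for i in range(j))]


# The outside ACL exactly as posted in the question (applied by
# 'access-group 103 in interface outside').
ACL_103 = [
    "access-list 103 permit ip any any",
    "access-list 103 permit icmp any any",
    "access-list 103 permit icmp any any echo",
    "access-list 103 permit icmp any any echo-reply",
    "access-list 103 permit icmp any any source-quench",
    "access-list 103 permit icmp any any unreachable",
    "access-list 103 permit icmp any any time-exceeded",
]

if __name__ == "__main__":
    for cidr in (VLAN_AS_POSTED, VLAN_AS_SUGGESTED):
        print(cidr, "->", next_hop(cidr, ROUTER_7206, PIX_INSIDE))
    print("shadowed ACL 103 entries:", shadowed_entries(parse_acl(ACL_103)))
```

With the posted /24 the 6509 resolves .18 as "connected" and ARPs for it on the VLAN, which matches the symptom that the PIX ICMP debug shows nothing; with /28 the same lookup returns the PIX inside address as next hop. The ACL check reports every entry after index 0 as shadowed, which is the answer's "redundant statements" point: the extra ICMP lines add no permission, and if the first line is later tightened they would start to matter, so an ACL whose effective rule set differs from its visible rule set is worth flagging in review.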

2 Replies


Bingo.

Thanks for the help.
