allowing icmp & internal server to see its external IP on pix 501

acceleratebiz · ‎02-15-2006

Hi, we have a pix 501 firewall for a customer. We've used these with other customers with very little trouble. But this customer needs to be able to access his external IP from within his server because they hardcoded the external IP in their application. And the internal server cannot access their external IP even when we allow ALL IP traffic from inside to outside and outside to inside.

Possibly having something to do with this is the fact that we can never ping the external IP. Even though we allow ICMP traffic.

Any ideas? We're configuring this through the PDM. Using the latest version of PIX 6.3(5) and PDM 3.0(4) available for the 501. Tried to SSH in to examine the running-config, not that I know what I'm doing there, but it asks me for a user/pass and a blank username with the enable password does not work. I guess I can do this from the PDM.

chetankamra · ‎02-15-2006

By default all the traffic from inside to outside is permit and from outside to inside deny.

Is the IP you are pinging is behind the firewall if yes does it has ICMP reply open on his firewall.

Below is the e.g. for permiting internal server access to public ip on port www

access-list 100 permit tcp INTERNAL IP host PUBLIC IP eq www

CK-NET

scheikhnajib · ‎02-16-2006

Hi,

Two things:

1. You will need to enable SSH authentication to be able to use it. You will need to set the AAA authentication for SSH and select the "Local" database, then you need to create a username and a passowrd to be used for this authentication. A blank username along with the enable password will not work for SSH although it works for HTTP sessions.

2. I don't believe you can do the thing that you are after. What I got from you is that you have a srver with a private IP address, NATed through the PIX to a public IP address and you want to ping the public IP from the server itself??!! If that's right, I think (90%) that you cannot do that, since a NAT entry works between two interfaces (inside and outside for instance) and you want to send a request and receive a reply using the same interface (which is the inside interface) which will not work. I don't know if there is any trick around this, but using my experience it will not work.

I think the only solution is to assign the public IP to the server NIC if you are 100% sure that this scenario does not support NAT.

Thanks.

Salem.

acceleratebiz · ‎02-16-2006

chetankamra, yes ICMP is allowed through to his server from his firewall. In fact, to avoid any accesslist issues I've completely opened up ALL IP traffic including ICMP.

Salem, excellent suggestion, we're trying that now. Assigning the public IP the the server NIC. That definitely seems to be the best way, shouldn't affect anything else. And the beauty of this is that it doesn't touch the firewall. So even if we had gotten the firewall to work such that the server can ping (really needed more than ping) the external IP, then it would have to go through the firewall for all internal networking.

Thank you for the SSH authentication help, will set that up as well. Any ideas why ICMP is not working though. Maybe a completely separate issue... was thinking it might have something to do with the server seeing its external ip. but maybe not. Basically, no external systems can ping the external IP. I've allowed ICMP through...

Thanks so much for the public IP suggestion!