cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
828
Views
0
Helpful
4
Replies

ICMP but no other traffic with PERMIT IP ANY ANY

RussKirk
Level 1
Level 1

PIX 520 with a 4 port and 2 single port ethernet cards running 5.1(4).

Access lists from inside to outside and dial-up networks, and the return, work fine but only ICMP traffic passes onto the perimeter network.

All the configured interfaces are on the 4 port card and the perimeter network is configured to allow ip any any both on the outbound and return.

No NAT is being used.

Anyone any ideas?

cheers,

russ

4 Replies 4

scircular
Level 1
Level 1

hi russ,

how much is a car ? - as always it depends ...

please try to be a bit more specific:

what kind of traffic are you trying to get trough the pix?

what is the pix's response (syslog)?

change ip and post the config.

btw: 5.1(4) is not really up to date (even in the deferred 5.1-train)

thanks

ralf krist

Outbound traffic we know is failing is HTTP and TelNet. We can't even telnet to the 3640 the other side of the perimeter interface (via a FastHub).

Inbound traffic we know is failing is some IP mainframe printing which I think is initited on port 512.

Don't have access to the logs at the moment, but from memory the outbound connection gets setup, then gets rest and the return inbound then isn't allowed due to there being no matching outbound connection.

We are not seeing syslog's saying denied due to access-list xyz.

cheers,

Russ

Edit config here:

Note, I know the way 10.128.3.0 has been subnetted is messy and not idel but is temporary waiting for another change. Remember that we can ping & trace route and so I don't think this is the cause (?).

nameif ethernet0 external_services security0

nameif ethernet1 inside security100

nameif ethernet2 uk_wan security20

nameif ethernet3 dial_services security50

nameif ethernet4 eth4 security40

nameif ethernet5 eth5 security10

hostname NFW10

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

access-list inbound permit

.... 44 rules here, all permits no denys ....

access-list inbound permit

access-list no-nat permit ip any any

access-list outbound permit icmp any any

..... 205 rules, all permits, no denys, including....

access-list outbound permit ip 10.128.16.0 255.255.248.0 any

access-list outbound permit ip 10.128.14.0 255.255.254.0 any

access-list outbound permit tcp host 10.128.9.nn1 any eq 17

access-list outbound permit tcp host 10.128.9.nn2 any eq 17

access-list outbound permit udp host 10.128.9.nn1 any eq dnsix

access-list outbound permit udp host 10.128.9.nn2 any eq dnsix

access-list outbound permit udp host 10.128.9.nn1 any eq 17

access-list outbound permit udp host 10.128.9.nn2 any eq 17

access-list dialup permit

.... 15 rules here, all permits, no denys....

access-list dialup permit

access-list ukwan permit ip any 10.128.16.0 255.255.248.0

access-list ukwan permit ip any 10.128.14.0 255.255.254.0

access-list ukwan permit ip any 10.42.0.0 255.255.0.0

access-list ukwan permit ip any 10.10.115.0 255.255.255.0

access-list ukwan permit ip any 10.128.9.0 255.255.255.0

pager lines 24

logging on

logging timestamp

logging standby

no logging console

no logging monitor

logging buffered debugging

logging trap informational

logging history informational

logging facility 23

logging queue 512

logging host inside 10.128.9.220

logging host inside 10.128.14.237

interface ethernet0 100basetx

interface ethernet1 100full

interface ethernet2 10baset

interface ethernet3 10baset

interface ethernet4 10baset

interface ethernet5 100basetx

mtu external_services 1500

mtu inside 1500

mtu uk_wan 1500

mtu dial_services 1500

mtu eth4 1500

mtu eth5 1500

ip address external_services 10.128.2.254 255.255.255.0

ip address inside 10.128.9.248 255.255.255.0

ip address uk_wan 10.128.3.206 255.255.255.248

ip address dial_services 10.128.3.254 255.255.255.0

ip address eth4 127.0.0.4 255.255.255.255

ip address eth5 127.0.0.1 255.255.255.255

no failover

failover timeout 0:00:00

failover ip address external_services 10.128.2.253

failover ip address inside 10.128.9.247

failover ip address uk_wan 10.128.3.205

failover ip address dial_services 10.128.3.205

failover ip address eth4 0.0.0.0

failover ip address eth5 0.0.0.0

arp timeout 14400

nat (external_services) 0 access-list no-nat

nat (inside) 0 access-list no-nat

nat (uk_wan) 0 access-list no-nat

nat (dial_services) 0 access-list no-nat

access-group inbound in interface external_services

access-group outbound in interface inside

access-group ukwan in interface uk_wan

access-group dialup in interface dial_services

route uk_wan 0.0.0.0 0.0.0.0 10.128.3.201 1

route inside 10.10.115.0 255.255.255.0 10.128.9.254 1

route inside 10.128.14.0 255.255.254.0 10.128.9.254 1

route inside 10.128.16.0 255.255.248.0 10.128.9.254 1

route external_services

.... 10 of these ....

route external_services

timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00

timeout rpc 0:10:00 h323 0:05:00

timeout uauth 0:05:00 absolute

floodguard enable

isakmp identity hostname

telnet timeout 60

terminal width 132

RussKirk
Level 1
Level 1

Problem fixed.

Turns out the perimeter network was returning traffic via a router at the DR site, hence the connections being reset on the PIX.

Managed services providers huh!

cheers

russ

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: