inside host not pinging outside host in transparent mode

sebastan_bach
Level 4

Hi all, I need urgent help on this please. I have a host on IP address 1.1.1.2/24 connected to the inside interface of the PIX with IOS 7.0 in transparent mode, and the outside interface of the PIX connected to a router with IP 1.1.1.1/24. I have enabled ICMP inspection. I can see the ARP entry of the router in the host and the ARP entry of the host in the router. Both MAC addresses are learned by the PIX properly, but no traffic flows from the host to the router. There is no access-list on the PIX. The PIX doesn't create an ARP entry in the PIX, very strange. I tried to manually add the entry:

arp inside 1.1.1.2 0011.d80d.f6ac

It gives an error: network address <1.1.1.2> not allowed. I am not getting it. My main question is why the PIX is not creating the ARP entry. What could be the problem? Could anyone please help me with this? Thank you.

sebastan


13 Replies

naveed-khan
Level 1

Your scenario is not clear.

Can you give me your running configuration of the PIX?

After that I will test your scenario in my lab.

prasadrp
Level 1

Hi Sebastan

Even though transparent mode acts as a bridge, Layer 3 traffic, such as IP traffic, cannot pass through the security appliance. The transparent firewall, however, can allow any traffic through using either an extended access list (for IP traffic) or an EtherType access list (for non-IP traffic). The only traffic allowed through the transparent firewall without an access list is ARP traffic. You need to apply the access-list on both the interfaces.

Great Answer Prasadrp

:-)

Hi Prasad, thank you for your advice. As you say, without any access-list only ARP traffic is allowed. Then why doesn't the PIX create ARP entries in the PIX firewall? When I try to put a static ARP entry in the PIX, it also gives an error: network IP address not allowed. Why? Because as far as my knowledge goes, the PIX in bridge mode checks for the local IP, local MAC and incoming interface, and the foreign IP, foreign MAC and outgoing interface, and creates the inspection table. Nowhere in the book was it mentioned that the access-list has to be applied to both the incoming and the outgoing interface, especially when the traffic flows from a higher to a lower interface it doesn't require any access-list. I need to try what you said and check, but just clarify my doubts please. Thank you once again, Prasad. Waiting for your reply.

sebastan

Hi Sebastan

If you have done inspection on icmp then the traffic should go through. No access-list necessary

The error which you are getting when you try to put in a static arp entry is due to the non-availability of an IP Address assigned to the box. Give an ip address to the box and then it should be ok.

ip address a.d.c.b subnet-mask

This address is required because the security appliance uses this address as the source address for traffic originating on the security appliance, such as system messages or communications with AAA servers.

Once you put in the IP Address then you should be able to add static arp entry.

Hi Prasad, thanks for your instant and detailed explanation, thank you. Prasad, I have enabled ICMP inspection on the box. Then it should work without any access-list, right? Yeah, but it doesn't. And without giving the IP address to the PIX, it should still build the ARP table, right? In the show arp it shows me nothing. Why doesn't it build the ARP table? Just one more thing: even in this bridge mode the packet flows are inspected from higher to lower, I am sure about this. Since this mode doesn't support any modes of NAT, will the traffic be allowed if initiated from the outside to the inside??? Waiting for your reply. My personal email address is sebastan_bach@yahoo.com. We can talk on Yahoo chat also. Wish you a Happy New Year.

sebastan

Hi Sebastan

Let me explain the arp behavior in transparent mode :

For the security appliance to build arp entries, it should have an ip address. So in your case, if you have given an IP Address to the pix and enabled icmp inspection, then this scenario should work. Arp requests are sourced from the pix ip and then added to the pix. So if you don't give the Pix an IP, no arp entries are added.

Hi Sebastan

Regarding the 2nd query, whether the traffic will be allowed if initiated from outside (low) to inside (high): No. It won't be allowed by default.

You need to place an access-list on the outside interface which permits traffic.

for example :

if the outside host is 172.16.10.150 and inside host is 172.16.10.11 and if you want telnet traffic to come from outside to inside, then you need to put an access-list as follows on the outside interface :

access-list 101 permit tcp host 172.16.10.150 host 172.16.10.11 eq telnet

access-group 101 in interface outside

Then traffic will be allowed.

Hi Prasad, thanks once again. You mean to say that when the PIX is doing ARP to find a host on a particular interface it needs an IP address assigned to it. Please tell me, ARP is a layer-2 protocol, why does the PIX need to use its own IP address in the process? I am just trying to figure out the exact process as I have understood it from your reply. I mean, say in our scenario, when 1.1.1.1 tries to ping 1.1.1.2, first 1.1.1.1 does an ARP request for 1.1.1.2. The ARP frame along with the embedded packet reaches the inside interface of the PIX. The PIX learns the MAC and IP address. Then does the PIX do a broadcast to find the MAC address of 1.1.1.2, and when doing that it uses its IP address as the source and its MAC address as the source MAC, and it gets a reply from the outside host 1.1.1.2 and builds its own ARP entry, then it passes that MAC address info of the outside to the inside host, so they can communicate directly with the PIX as a bridge in between? Plus the PIX is doing inspection also as the packets flow from inside to outside. Is this how it works? I am not sure of it. The other thing I think is, since the PIX is like a bridge in between, it should just pass on the broadcast from the inside to outside, since now the inside and outside are not layer-3 ports. My question is why the PIX creates a new packet inserting its IP address as the source address. Kindly let me know. I am waiting for your reply, and thank you once again for your detailed explanation. Bye

sebastan

No. Its not as you mentioned. I am going to explain the whole communication in detail. Hope this helps.

Assumptions :

Pix configured for L2, with outside as 0 and inside as 100. insidehost on inside network and outsidehost on outside network configured.

1st Scenario

==========

If pix is not configured with an IP Address, all IP packets are dropped and syslog Id 322004: No management IP address configured for transparent firewall will be logged. So lets see how the communication works on L2

outsidehost tries to communicate with insidehost. Arp request is sourced from outsidehost and sent across as broadcast and it is received by PIX and sent to the inside network, without any change.

InsideHost replies back and the response is sent across to outsidehost. When you see the arp entries on the outsidehost and insidehost you will see the corresponding arp entries.

Pix will forward arp request/response.

You can give the command "show local-host" and you will see no entries created on the box.

2nd Scenario

==========

An ip address is configured on pix and insidehost starts communication with the outsidehost. The communication is from high to low and will be allowed by pix.

No change in ARP behavior. Exactly like mentioned in 1st scenario.

Since IP Address is provided to the box, local-host entry is created and connection formed for traffic from insidehost to outsidehost.

Connection from outsidehost to insidehost is denied since there is no access-list to permit the traffic from low to high.

You can give the command "show local-host" and you will see the entry for insidehost, outsidehost.

3rd Scenario

=============

An ip address is configured, access-list created to permit the traffic from outsidehost to insidehost and access-list applied to outside interface.

No change in ARP behavior. Exactly like mentioned in 1st scenario.

Since IP Address is provided to the box, local-host entry is created and connection formed for traffic from outsidehost to insidehost.

Since access-list is present to permit the traffic, the connection is permitted and entry is created on the box.

Hope the above clears the whole L2 communication and the communication from different security levels.

Hope this helps.
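Pulling the three scenarios above and the access-list example from earlier in the thread into one place, here is an added example of a minimal PIX 7.0 transparent-mode configuration. It is not configuration posted by anyone in this thread. The interface names, the access-list name OUTSIDE_IN and the management address 1.1.1.3 are assumptions; the router 1.1.1.1 (outside) and the host 1.1.1.2 (inside) are the addresses from the original question.

```cisco
! Added example, not from the thread: minimal PIX 7.0 transparent-mode
! configuration. Interface names, the ACL name OUTSIDE_IN and the
! management address 1.1.1.3 are constructed; 1.1.1.1 (router, outside)
! and 1.1.1.2 (host, inside) are the addresses given in the question.
firewall transparent
!
interface Ethernet0
 nameif outside
 security-level 0
 no shutdown
!
interface Ethernet1
 nameif inside
 security-level 100
 no shutdown
!
! Management IP in the bridged subnet. Without it the box drops every IP
! packet (syslog 322004) and rejects static "arp" entries (1st scenario).
ip address 1.1.1.3 255.255.255.0
!
! inside (100) -> outside (0) needs no ACL (2nd scenario). Anything
! initiated from outside (0) -> inside (100) must be permitted explicitly
! and the ACL applied inbound on outside (3rd scenario). Here only echo
! requests from the router to the host are allowed in.
access-list OUTSIDE_IN extended permit icmp host 1.1.1.1 host 1.1.1.2 echo
access-group OUTSIDE_IN in interface outside
!
! ICMP inspection so that echo replies to inside-initiated pings are
! matched to their requests and allowed back without a second ACL.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
```

With the management address in place, "show arp" and "show local-host" (both mentioned in the thread) should show entries once the inside host pings the router; removing the "ip address" line reproduces the first scenario, where only ARP crosses the box and syslog 322004 is logged for the dropped IP packets. Removing the access-group line reproduces the second scenario: inside-initiated traffic still works, but pings from the router toward the host are denied.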

Hi Prasad, thanks for your detailed explanation, really appreciable. It really worked, Prasad, thanks a lot. I just want to know one more thing: why doesn't the PIX forward any packet without having an IP assigned to it? What role does the IP address play in the ARP process? Because in your previous post you mentioned that the PIX replaces the source IP of the inside host with its own IP address. From your post:

Arp requests are sourced from the pix ip and then added to the pix. So if you dont give Pix IP, no arp entries are added.

Just tell me, when a host does an ARP broadcast, does it create a separate ARP query frame which doesn't contain any layer-3 information, or does the ARP frame contain the layer-3 information also? Please help me on this, and thanks once again. No Cisco Press books mention the above explanation that you did. Waiting for your reply.

sebastan

Hi Sebastan

If the destination MAC address is in the pix table, the pix forwards the packet out of the outside interface. If the destination MAC address is not in the pix table, pix attempts to discover the MAC address by sending an ARP request and a ping. So arp entries are formed on PIX.

Hi Prasad, you mean to say that when the PIX tries to discover the MAC address of the destination it sends its own IP address as the source IP and its own MAC address as the source MAC, or does it just send the actual source IP and source MAC in the ARP request? Thank you once again.

sebastan
