PIX firewall issue 525

sivakumar.ks
Level 1

Hello Gurus,

I am Siva from Melbourne.

After spending more than 3 hrs troubleshooting the problem below, I have concluded that I can't fix it myself.

I am running a PIX Firewall 525 with software version Cisco PIX Firewall Version 6.3(4)

Cisco PIX Device Manager Version 2.1(1) with full license.

I have a network setup where I need to route private IP addresses via my firewall's outside interface.

The network setup is like this:

I have an Internet connection terminating at my colocation. One interface connects to the service provider's public IP and the other Ethernet end is my private IP, where we have a point-to-point fibre link to my office; at my office it terminates on a private IP interface and the other end on my PIX firewall outside interface. I am using RIP at the router end to broadcast between the two routers. My Internet connection is working fine, no problem with that. But accessing my internal network from those private IP addresses is the issue. From the firewall inside interface I am able to reach those IP addresses. But from the private IP addresses I am not able to reach my inside network via the firewall outside interface.

Router at Collocation

Public IP : 203.X.X.X ( service provider IP)

Private IP : 10.3.255.66 (My private IP segment)

Router at my office end:

Private IP: 10.3.255.1 (My private IP terminate from fibre router)

Public IP: 202.X.X.X (provided by APNIC) and terminated to the firewall outside interface, which has another public IP address provided by APNIC.

Firewall inside interface: 10.3.49.1.

From the firewall inside interface I am able to ping 10.3.255.66, but at the same time I am not able to ping 10.3.49.1 from 10.3.255.66, which ultimately has to come in via the PIX outside interface.

Let me know whether it is possible. If so, what do I need to add to the access list to allow outside in? If possible please give me a sample syntax format, since I have tried various options with the outside ACL.

Thanks in advance for your help.

Thanks

siva

14 Replies

sivakumar.ks
Level 1

Hello,

Please help me; also, I have placed a diagram here.

Siva

Just wondering what exactly the issue is, except that ping doesn't work.

Same here. I can ping from inside (10.3.49.20) to outside (10.3.255.66), but when I try to ping from 10.3.255.66 to inside 10.3.49.20 it gets a timeout from the firewall outside interface.

pgalligan
Level 1

Does your firewall have a route to 10.3.255.0/24 ?

How are you pinging 10.3.255.66 from the firewall inside interface? i.e. are you issuing the ping command from the firewall itself, or from a device on the inside (10.3.0.0/16) network?

Can you post your firewall config?

Yes, I can ping from 10.3.0.0/16 to 10.3.255.66 and not from 10.3.255.66 to 10.3.0.0/16 via the firewall outside interface. Sorry, I can't place my config here because of policy. Even the IP addresses are different from what I stated here. I hope you understand what I mean.

I have routing configured for pinging 10.3.255.66.

What is the NAT configuration? Are the 10.3.0.0 addresses being NATed to the outside interface address?

No NAT is configured to the outside interface, but the inside interface is configured to DMZ-REMOTE.

Below is the NAT entry.

static (inside,dmz-remote) SMH-Internal SMH-Internal netmask 255.255.0.0 0 0

Is the interface labelled dmz-remote the same interface that is called PIX outside in your diagram? If not, you need a static (inside,outside) SMH-Internal SMH-Internal command. Can you show us the rest of the NAT commands? nat, global and static.

My PIX has eight interfaces. DMZ-Remote is a different interface and it is not the OUTSIDE interface. Also, if I NAT static (inside,outside), my whole network goes offline and can't connect to the external world.

Below is my NAT listing:

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 0 SMH-virusscan 255.255.255.255 0 0

nat (inside) 0 SMH-pas 255.255.255.255 0 0

nat (inside) 0 SMH-mail-nic2 255.255.255.255 0 0

nat (inside) 0 SMHiba 255.255.255.255 0 0

nat (inside) 0 Carvevue_Prim 255.255.255.255 0 0

nat (inside) 0 SMHsqlr 255.255.255.255 0 0

nat (inside) 0 SMH-sqlv1 255.255.255.255 0 0

nat (inside) 0 SMHsqlv3 255.255.255.255 0 0

nat (inside) 0 SMH-mail 255.255.255.255 0 0

nat (inside) 0 SMH-sql 255.255.255.255 0 0

nat (inside) 0 SMH-filer 255.255.255.255 0 0

nat (inside) 0 SMH_paging 255.255.255.255 0 0

nat (inside) 0 pas-test 255.255.255.255 0 0

nat (inside) 10 0.0.0.0 0.0.0.0 0 0

nat (dmz-SMH) 0 SMH-xmail 255.255.255.255 0 0

nat (dmz-SMH) 0 SMH-web02 255.255.255.255 dns 0 0

nat (dmz-SMH) 0 SMH-cis 255.255.255.255 0 0

nat (dmz-SMH) 0 SMH-cbt 255.255.255.255 0 0

nat (dmz-SMH) 0 SMH-web01 255.255.255.255 0 0

nat (dmz-SMH) 0 SMH-web00 255.255.255.255 dns 0 0

nat (dmz-SMH) 0 oncology 255.255.255.255 0 0

nat (dmz-SMH) 0 ccbedstate 255.255.255.255 0 0

nat (dmz-SMH) 0 SMH-web03 255.255.255.255 0 0

A few more NAT entries:

static (inside,dmz-remote) SMH-Internal SMH-Internal netmask 255.255.0.0 0 0

static (inside,dmz-remote) SVH-VLAN1-Public SVH-VLAN1-Public netmask 255.255.255.0 0 0

static (inside,dmz-remote) SVH-VLAN2-Public SVH-VLAN2-Public netmask 255.255.255.0 0 0

static (inside,dmz-remote) SVH-VLAN3-Public SVH-VLAN3-Public netmask 255.255.255.0 0 0

static (inside,dmz-remote) SVH-VLAN4-Public SVH-VLAN4-Public netmask 255.255.255.0 0 0

static (inside,dmz-remote) SVH-VLAN5-Public SVH-VLAN5-Public netmask 255.255.255.0 0 0

static (inside,dmz-remote) SVH-VLAN6-Public SVH-VLAN6-Public netmask 255.255.255.0 0 0

static (inside,dmz-remote) SVH-VLAN7-Public SVH-VLAN7-Public netmask 255.255.255.0 0 0

static (dmz-SMH,outside) switch-dmzSMH switch-dmzSMH netmask 255.255.255.255 0 0

static (inside,dmz-SMH) SMH-sqlv1 SMH-sqlv1 netmask 255.255.255.255 0 0

static (inside,dmz-SMH) SMH-sql SMH-sql netmask 255.255.255.255 0 0

static (inside,dmz-SMH) SMH-office1 SMH-office1 netmask 255.255.255.255 0 0

static (inside,dmz-SMH) SMH-sqlv2 SMH-sqlv2 netmask 255.255.255.255 0 0

static (inside,dmz-SMH) netman netman netmask 255.255.255.255 0 0

static (inside,dmz-SMH) SMHsqlv4 SMHsqlv4 netmask 255.255.255.255 0 0

static (dmz-SMH,outside) SMH-web01 SMH-web01 netmask 255.255.255.255 0 0

static (inside,dmz-vpn-internal) SMH-Internal SMH-Internal netmask 255.255.0.0 0 0

static (dmz-vpn-external,outside) SMHVPN01-Public SMHVPN01-Public netmask 255.255.255.255 0 0

static (inside,dmz-vpn-external) SMH-Internal SMH-Internal netmask 255.255.0.0 0 0

static (inside,dmz-SMH) SMHsqlr SMHsqlr netmask 255.255.255.255 0 0

static (inside,dmz-SMH) SMHsqlv3 SMHsqlv3 netmask 255.255.255.255 0 0

static (inside,dmz-SMH) SMH-virusscan SMH-virusscan netmask 255.255.255.255 0 0

static (inside,dmz-SMH) SMHiba SMHiba netmask 255.255.255.255 0 0

static (inside,dmz-SMH) SMH-dc1 SMH-dc1 netmask 255.255.255.255 0 0

static (inside,dmz-SMH) SMH-dc2 SMH-dc2 netmask 255.255.255.255 0 0

static (inside,dmz-SMH) SMH-citrixa SMH-citrixa netmask 255.255.255.255 0 0

static (inside,dmz-SMH) SMH-citrixb SMH-citrixb netmask 255.255.255.255 0 0

static (inside,dmz-SMH) SMH-citrixc SMH-citrixc netmask 255.255.255.255 0 0

static (inside,dmz-SMH) SMH-rsa01 SMH-rsa01 netmask 255.255.255.255 0 0

static (inside,dmz-SMH) SMH-citrixweb2 SMH-citrixweb2 netmask 255.255.255.255 0 0

static (inside,dmz-unimelb) SMH-Printsvr-PUB SMH-Printsvr netmask 255.255.255.255 0 0

static (inside,dmz-unimelb) Tierbase-PUB SMH-pas-s netmask 255.255.255.255 0 0

static (inside,dmz-remote) SVH_SGH SVH_SGH netmask 255.255.240.0 0 0

nat (dmz-SMH) 0 SMH-gw01 255.255.255.255 0 0

nat (dmz-SMH) 0 oncology-SMH-gw01 255.255.255.255 0 0

nat (dmz-SMH) 0 ccbedstate-SMH-gw01 255.255.255.255 0 0

nat (dmz-SMH) 0 SMH-citrixgw1 255.255.255.255 0 0

nat (dmz-remote) 0 LAN-BoorondCRC 255.255.255.0 0 0

nat (dmz-remote) 0 LAN-DarebinH 255.255.255.0 0 0

nat (dmz-remote) 0 LAN-Dandenong 255.255.255.0 0 0

nat (dmz-remote) 0 LAN-BarklaySt 255.255.255.0 0 0

nat (dmz-remote) 0 LAN-CambridgeH 255.255.255.0 0 0

nat (dmz-remote) 0 LAN-CambridgeCRC 255.255.255.0 0 0

nat (dmz-remote) 0 LAN-Hoppers 255.255.255.0 0 0

nat (dmz-remote) 0 LAN-RiversideH 255.255.255.0 0 0

nat (dmz-remote) 0 LAN-AuburnH 255.255.255.0 0 0

nat (dmz-remote) 0 LAN-MercyWerrib 255.255.255.0 0 0

nat (dmz-remote) 0 LAN-MercyEM192 255.255.255.0 0 0

nat (dmz-remote) 0 LAN-MercyEM128 255.255.252.0 0 0

nat (dmz-remote) 0 0.0.0.0 0.0.0.0 0

"Also If I nat static (inside,outside) My whole network goes offline to connect to the external world"

Yes, I should have remembered the outside world connectivity requirement :) It should have fixed the problem between the private addresses though (assuming the outside ACL is permitting the required traffic)?

Try the following:

access-list outside_nat0_inbound permit ip 10.3.255.0 255.255.255.0 10.3.49.0 255.255.255.0

nat (outside) 0 access-list outside_nat0_inbound outside

This tells the PIX to exempt the traffic in that access-list from NAT. The 'outside' parameter enables 'outside NAT', also called bi-directional NAT.

The reason pinging to the outside is working is either because your inside_outbound_nat0_acl permits 10.3.49.0 -> 10.3.255.0 (which is exempting that traffic from NAT) or there is a global (outside) 10 interface (or similar) command, which is NATing the inside traffic to the outside interface address (or another valid outside address).
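The rule behind the suggestion above is that the PIX only forwards a flow between two interfaces when it holds a translation for that interface pair: an identity static or a nat 0 exemption. The following added example (not code from the thread or from Cisco) parses a handful of PIX 6.3 style static/nat/access-list lines and reports whether a flow entering one interface and leaving another is covered; the config it checks is constructed, with the placeholder prefix 10.3.0.0/16 standing in for the SMH-Internal name and the suggested outside_nat0_inbound lines appended.

```python
"""Constructed check of PIX 6.3 translation coverage for a flow (added example).
A static (high,low) or a nat 0 access-list exemption on the interface pair the
flow crosses is what lets the PIX build an xlate for it."""
import ipaddress
import re

STATIC_RE = re.compile(r"static \(([^,]+),([^)]+)\) (\S+) (\S+) netmask (\S+)")
NAT0_RE = re.compile(r"nat \(([^)]+)\) 0 access-list (\S+)")
ACL_RE = re.compile(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)")

def parse(config):
    """Collect static translations, nat 0 exemptions and the ACL entries they name."""
    statics, exempt, acls = [], [], {}
    for line in (l.strip() for l in config.splitlines()):
        if m := STATIC_RE.match(line):
            high, low, mapped, _real, mask = m.groups()
            statics.append((high, low, ipaddress.ip_network(f"{mapped}/{mask}")))
        elif m := NAT0_RE.match(line):
            exempt.append(m.groups())
        elif m := ACL_RE.match(line):
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")))
    return statics, exempt, acls

def has_translation(config, in_if, out_if, src, dst):
    """True if a flow entering in_if and leaving out_if (src -> dst) has a translation."""
    statics, exempt, acls = parse(config)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # static (high,low) mapped real: hosts behind low reach the mapped address behind high
    if any(h == out_if and l == in_if and dst in net for h, l, net in statics):
        return True
    # nat (if) 0 access-list is NAT exemption, which PIX 6.3 applies in both
    # directions: match the ACL as written on the ingress interface, reversed on egress
    for nat_if, acl in exempt:
        for s, d in acls.get(acl, []):
            if (nat_if == in_if and src in s and dst in d) or \
               (nat_if == out_if and dst in s and src in d):
                return True
    return False

# Constructed config: the posted static (inside,dmz-remote) line with a placeholder
# prefix, then the same plus the nat 0 exemption suggested for the outside interface.
POSTED = "static (inside,dmz-remote) 10.3.0.0 10.3.0.0 netmask 255.255.0.0 0 0\n"
SUGGESTED = POSTED + (
    "access-list outside_nat0_inbound permit ip 10.3.255.0 255.255.255.0 10.3.49.0 255.255.255.0\n"
    "nat (outside) 0 access-list outside_nat0_inbound outside\n")
```

With the posted lines alone, a ping from 10.3.255.66 entering outside toward 10.3.49.1 has no translation, which matches the symptom; the same flow via dmz-remote is covered by the existing static, and the suggested nat 0 lines cover it on outside.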

Hi,

I tried the above option, but it is still not working. But I can see the access-list log hit count increasing for every request-timeout packet.

Expecting your reply to fix this issue.

Which access-list has the hit count increasing? i.e. the nat0 ACL, outside ACL, inside ACL...

You will still need the appropriate entries in the ACL for inside and outside interfaces to allow the traffic.

access-list outside_nat0_inbound line 1 permit ip 10.3.255.0 255.255.255.0 10.3.49.0 255.255.255.0 (hitcnt=5710)

This is the access list getting the hit count.
