Telnet through, but only if you ping from inside first.

raygibson
Level 1

I've got a PIX 506 set up in a test lab. I'm allowing Telnet and ICMP through.

Machine A inside
Machine X outside

Machine X pings Machine A. No response. Machine A pings X, response received. Then Machine X can ping A. Once X pings A, Telnet works.

It's like the PIX sleeps until an internal client wakes it up. It then allows traffic through.

Have you seen this before?

Thanks in advance..

Ray

7 Replies

bz
Level 1

Looks like you are missing a static statement...

Pix

Inside 192.168.100.242

Outside 192.168.101.249

Machine A (inside) 192.168.100.118

Machine X (outside) 192.168.101.192

Would the static route be: 192.168.101.0 255.255.255.0 GW:192.168.100.242?

If you want Machine A to be accessible from the outside, you'll need:

static (inside,outside) 192.168.101.249 192.168.101.249 255.255.255.255

If the 506 has the show commands like the 515 and 525, you can see what's occurring when you do a 'show xlate' command.

Assuming you haven't applied the above static...

-do a clear xlate (clears the translations)

-quickly do a 'show xlate' several times (you can see the translations building that are represented by either the statics you configure, or dynamic entries that the firewall creates when inside resources identify themselves to the firewall, such as with a ping to an outside resource)

-the xlates have a timeout (3:00:00 probably the default), so will live that long.

-the outside resource can access the inside because you have a 'hole' of some kind defined, AND a valid xlate 'lives' in the table.

-when a dynamic entry expires, the outside resource can't get to it until the xlate is recreated in the table.

See also your logs. There should be an entry that says, something along the lines of - no translation or no xlate entry exists (for the inside address you're attempting to reach). I'd have to look in my early logs for the exact syntax, but you get the idea.

A final note - the example of the static that has been suggested to you above, assumes you're not doing NAT.

First of All, Thanks for all of the responses!

The 506 does have the sh commands.

I added the static route, see routes below:

It would not let me add 192.168.101.249 255.255.255.255 192.168.101.249 1 on the inside as it said that it had the same metric.

Result of PIX command: "sh route"

inside 192.168.100.0 255.255.255.0 192.168.100.242 1 CONNECT static

outside 192.168.101.0 255.255.255.0 192.168.101.249 1 CONNECT static

outside 192.168.101.249 255.255.255.255 192.168.101.249 1 OTHER static

I then did a sh xlate:

Result of PIX command: "sh xlate"

1 in use, 1 most used

Global 192.168.100.252 Local 192.168.100.252

The only time that I could see anything in xlate is when Machine A pings X. If I clear xlate I can no longer connect. Makes sense, thanks bz.

However, I still cannot connect to Machine A inside without Machine A first identifying itself to the firewall; then it dies as the timeout expires.

Would someone please give me more assistance with the static routes?

THANKS in advance.

ray

ps. I'm not using NAT.

Why did you add 'outside 192.168.101.249 255.255.255.255 192.168.101.249 1 OTHER static'?

This is the same as 'outside 192.168.101.0 255.255.255.0 192.168.101.249 1 CONNECT static'

What I told you to add is a static command not a route command...but I did make a mistake in my previous statement, it should be:

static (inside,outside) 192.168.100.118 192.168.100.118 255.255.255.255

This statement is needed because you want Machine A (192.168.100.118) to be accessible from the outside...hope this helps!

JOHN NIKOLATOS
Level 3

Basic rule of thumb:

Add a static NAT translation and then

Add conduit statements or access lists to allow access to it.

What you would need is this: (Pick an IP address outside on the 101 network to be translated to the inside, for example... let's say 192.168.101.248.) Then to get to the inside address of 192.168.100.118, your outside addresses would have to point to this new IP address of -> 192.168.101.248.

static (inside,outside) 192.168.101.248 192.168.100.118 netmask 255.255.255.255 0 0

This is saying to the firewall "If anything wants to get to 192.168.101.248, send it to 192.168.100.118".

Now add the conduit for it.

conduit permit icmp any any

conduit permit tcp host 192.168.101.248 eq telnet any

Tell us how you make out.
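The xlate lifecycle bz walks through above (dynamic entries appearing only after an inside host talks out, then idling out after the timeout) and John's static-plus-conduit fix, replayed in a small Python model. This is an added illustration, not PIX code or anything posted in the thread; PixModel, its methods and the timestamps are hypothetical, and the addresses are the ones from the thread.

```python
from dataclasses import dataclass

XLATE_TIMEOUT = 3 * 60 * 60  # the 3:00:00 default xlate timeout quoted in the thread

@dataclass
class Xlate:
    local: str      # real inside address
    glob: str       # mapped outside address (equal to local when not doing NAT)
    static: bool    # statics never idle out; dynamic entries expire after XLATE_TIMEOUT idle
    last_used: int  # seconds
class PixModel:  # hypothetical toy model of the PIX xlate table and conduit list
    def __init__(self):
        self.xlates, self.conduits = [], []  # conduits: (proto, port); port None = any
    def static(self, global_ip, local_ip):
        self.xlates.append(Xlate(local_ip, global_ip, True, 0))
    def _lookup(self, now, attr, value, ignore_expiry=False):
        for x in self.xlates:
            if getattr(x, attr) != value:
                continue
            if x.static or ignore_expiry or now - x.last_used <= XLATE_TIMEOUT:
                return x
        return None  # an expired dynamic entry behaves as if it never existed
    def outbound(self, now, src_local):
        """Inside host talks out: creates or refreshes a dynamic identity xlate."""
        x = self._lookup(now, "local", src_local, ignore_expiry=True)
        if x is None:
            x = Xlate(src_local, src_local, False, now)
            self.xlates.append(x)
        x.last_used = now
        return x
    def inbound(self, now, dst_global, proto, port=None):
        """Outside host comes in: the PIX needs a live xlate first, then a conduit."""
        x = self._lookup(now, "glob", dst_global)
        if x is None:
            return "drop: no translation"
        if (proto, port) not in self.conduits and (proto, None) not in self.conduits:
            return "drop: no conduit"
        return f"forward to {x.local}"

def replay_thread():
    """Ray's sequence: X->A fails, A->X 'wakes' it, it times out, a static fixes it."""
    pix = PixModel()
    pix.conduits += [("icmp", None), ("tcp", 23)]  # conduit permit icmp / tcp eq telnet
    before = pix.inbound(0, "192.168.100.118", "tcp", 23)
    pix.outbound(10, "192.168.100.118")  # Machine A pings Machine X
    after = pix.inbound(20, "192.168.100.118", "tcp", 23)
    later = 20 + XLATE_TIMEOUT + 1
    expired = pix.inbound(later, "192.168.100.118", "tcp", 23)
    pix.static("192.168.101.248", "192.168.100.118")  # John's static (inside,outside)
    fixed = pix.inbound(later, "192.168.101.248", "tcp", 23)
    return before, after, expired, fixed
```

Calling replay_thread() reproduces the symptom in order: drop, forward, drop again after the timeout, and forward permanently once the static exists.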