
Can't ping ethernet2 or outside PIX520 1


burtsbees

Programmer
Jan 29, 2007
7,657
US
Here we go again...topology:

2503-PIX-switch-2620-2610-1720--T1--1750-PC1
|
|
PC2

sh run of PIX

PIX# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 10full
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 lan security99
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
enable password EuPnUzlHyfrgSXBz encrypted
passwd w8xHKAPhmJ2QFL84 encrypted
hostname PIX
domain-name sms.stlouis
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list ping permit icmp any any echo
access-list ping permit icmp any any echo-reply
access-list ping permit icmp any any source-quench
access-list ping permit icmp any any
access-list ping permit ip any any
access-list ping permit tcp any any
access-list ping permit icmp any any unreachable
access-list ping permit icmp any any time-exceeded
pager lines 24
mtu outside 1500
mtu inside 1500
mtu lan 1500
mtu intf3 1500
mtu intf4 1500
no ip address outside
ip address inside 192.168.254.254 255.255.255.0
ip address lan 10.1.1.1 255.255.255.0
no ip address intf3
no ip address intf4
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address lan
no failover ip address intf3
no failover ip address intf4
pdm history enable
arp timeout 14400
access-group ping in interface outside
access-group ping in interface inside
access-group ping in interface lan
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 10.1.1.2 1
route inside 192.168.1.0 255.255.255.252 192.168.254.252 1
route inside 192.168.1.4 255.255.255.252 192.168.254.252 1
route inside 192.168.1.8 255.255.255.252 192.168.254.252 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.69.108 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.1.1.1 255.255.255.255 outside
telnet 192.168.1.0 255.255.255.252 inside
telnet 192.168.1.4 255.255.255.252 inside
telnet 192.168.1.8 255.255.255.252 inside
telnet 192.168.254.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
username r00t password gmBe62bV3ETKY/fA encrypted privilege 15
terminal width 80
Cryptochecksum:beee81ea120c045352d3d38f9290c4d0
: end
PIX#

I can ping everything from the PIX. I cannot ping the PIX lan from anything. Help. Please. Garnetbobcat? Unclerico?

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
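Before chasing the ping problem, the posted config is worth a second look from the security side: the "ping" access-list applied inbound on outside contains "permit ip any any" and "permit tcp any any", the SNMP community is the default "public", and Telnet is allowed on the outside interface. The following is an added example (editor's, not code from the thread): a small Python linter that parses those PIX 6.x lines and flags them. The config excerpt embedded in it is copied from the first sh run above; the severity labels and wording are the example's own, and interface roles are derived from the security levels rather than from the name "outside".

```python
"""Lint a PIX 6.x 'show run' for management and policy exposure.

Added example for this thread, not the poster's code. The config excerpt is
copied from the first 'sh run' in the thread; the untrusted interface is the
one with the lowest security level, so any nameif scheme works.
"""
import re
from dataclasses import dataclass

# Subset of the posted config (copied from the thread).
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 lan security99
access-list ping permit icmp any any echo
access-list ping permit icmp any any
access-list ping permit ip any any
access-list ping permit tcp any any
access-group ping in interface outside
access-group ping in interface inside
access-group ping in interface lan
conduit permit icmp any any
http server enable
http 192.168.69.108 255.255.255.255 inside
snmp-server community public
telnet 10.1.1.1 255.255.255.255 outside
telnet 192.168.254.0 255.255.255.0 inside
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # HIGH, MEDIUM or LOW (labels are this example's own)
    line: str      # offending config line
    reason: str


def parse_config(text):
    """Strip blanks and the ': Saved' / ': end' header and footer lines."""
    return [s for s in (l.strip() for l in text.splitlines())
            if s and not s.startswith((":", "!"))]


def interface_levels(lines):
    """nameif <phys> <name> security<N>  ->  {name: N}"""
    levels = {}
    for l in lines:
        m = re.match(r"nameif\s+\S+\s+(\S+)\s+security(\d+)$", l)
        if m:
            levels[m.group(1)] = int(m.group(2))
    return levels


def _addr(tok, i):
    """Consume one PIX address spec: 'any', 'host A', or 'A MASK'."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1] + "/32", i + 2
    return tok[i] + "/" + tok[i + 1], i + 2


def parse_aces(lines):
    """access-list NAME permit PROTO SRC DST [qualifier] -> {NAME: [(proto, src, dst, qualifier, line)]}"""
    acls = {}
    for l in lines:
        tok = l.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2] != "permit":
            continue
        try:
            src, i = _addr(tok, 4)
            dst, i = _addr(tok, i)
        except IndexError:
            continue
        acls.setdefault(tok[1], []).append((tok[3], src, dst, " ".join(tok[i:]), l))
    return acls


def lint(text):
    """Return findings for policy and management exposure on the untrusted interface."""
    lines = parse_config(text)
    levels = interface_levels(lines)
    if not levels:
        return []
    untrusted = min(levels, key=levels.get)  # lowest security level, normally "outside"
    acls = parse_aces(lines)
    findings = []
    for l in lines:
        tok = l.split()
        if tok[0] == "access-group" and len(tok) == 5 and tok[4] == untrusted:
            for proto, src, dst, qual, ace in acls.get(tok[1], []):
                if proto in ("ip", "tcp", "udp") and src == "any" and dst == "any":
                    findings.append(Finding("HIGH", ace,
                        f"permits all {proto} inbound on {untrusted}; every inside host "
                        f"that has a translation becomes reachable from the untrusted side"))
                elif proto == "icmp" and src == "any" and not qual:
                    findings.append(Finding("MEDIUM", ace,
                        f"permits every ICMP type inbound on {untrusted}; allow only "
                        f"echo-reply, unreachable and time-exceeded"))
        elif tok[0] == "conduit":
            findings.append(Finding("LOW", l,
                "conduit is deprecated; keep the policy in one access-list per interface"))
        elif tok[:3] == ["snmp-server", "community", "public"]:
            findings.append(Finding("HIGH", l,
                "default SNMP community 'public'; anyone reaching the interface can read the device"))
        elif tok[0] == "telnet" and len(tok) == 4 and tok[3] == untrusted:
            findings.append(Finding("HIGH", l,
                f"cleartext Telnet management allowed on {untrusted}; PIX 6.x only honours "
                f"it there inside an IPsec tunnel, prefer ssh"))
        elif tok[0] == "http" and len(tok) == 4 and tok[3] == untrusted:
            findings.append(Finding("MEDIUM", l, f"PDM/HTTP management exposed on {untrusted}"))
    return findings


if __name__ == "__main__":
    for f in lint(SAMPLE_CONFIG):
        print(f"{f.severity:6} {f.line:45} {f.reason}")
```

Run it against a full sh run and the list comes back in config order; the ACL checks only look at lists bound to the lowest-security interface, because a "permit ip any any" on inside is the normal PIX default-outbound policy and is not the problem.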
 
The ACL's you have only apply to traffic going through the PIX. For ICMP traffic destined to the actual PIX you need to enable ICMP on the interfaces:
Code:
icmp permit 0.0.0.0 0.0.0.0 echo-reply inside
This will enable any device on the inside to ping the PIX inside interface. Be careful though as you might not want this behaviour. You can enable all ICMP packets by omitting the 'echo-reply' or you can just enable other ICMP packets - type ? and see what the options are.

HTH

Andy
 
I can ping the inside interface just fine, but not "lan", nor through the PIX...

I will try that command to at least ping the lan interface. The problem pinging through may be the fact that a 2503 that does not support VLSM with EIGRP is on the lan interface. I want to be able to at least ping the lan interface...

 
Trying the cable now...

le bumpe

 
New...

topology is the same

interface ethernet4=inside, sec100
ip add=192.168.254.254

interface ethernet0=outside, sec0
ip add=10.1.1.1

connected to 10.1.1.1 is a 2620, ip add 10.1.1.2/30
on the other side is 192.168.69.0/24

My laptop resides on 69.0/24
my laptop can ping the outside interface(PIX). It cannot ping the inside interface (PIX), nor through it.

On the inside interface of the PIX (192.168.254/0) resides a 2620 (connected to the PIX and a workstation via C2980G switch). On the other side goes
2610--1720--1750--workstation.

The PIX can ping all networks.

The 1750 can ping the inside interface of the PIX, but not the outside. Same with everything else connected to the inside nw of the PIX...

I cannot ping through the PIX. New sh run...

NAS#telnet 192.168.254.254
Trying 192.168.254.254 ... Open


User Access Verification

Password:
Type help or '?' for a list of available commands.
PIX> en
Password: ********
PIX# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto shutdown
interface ethernet4 auto
nameif ethernet0 outside security0
nameif ethernet1 lan3 security99
nameif ethernet2 lan security99
nameif ethernet3 lalla security99
nameif ethernet4 inside security100
enable password EuPnUzlHyfrgSXBz encrypted
passwd w8xHKAPhmJ2QFL84 encrypted
hostname PIX
domain-name sms.stlouis
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list ping permit icmp any any echo
access-list ping permit icmp any any echo-reply
access-list ping permit icmp any any source-quench
access-list ping permit icmp any any
access-list ping permit ip any any
access-list ping permit tcp any any
access-list ping permit icmp any any unreachable
access-list ping permit icmp any any time-exceeded
pager lines 24
mtu outside 1500
mtu lan3 1500
mtu lan 1500
mtu lalla 1500
mtu inside 1500
ip address outside 10.1.1.1 255.255.255.252
no ip address lan3
no ip address lan
no ip address lalla
ip address inside 192.168.254.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address lan3
no failover ip address lan
no failover ip address lalla
no failover ip address inside
pdm history enable
arp timeout 14400
access-group ping in interface outside
access-group ping in interface lan3
access-group ping in interface lan
access-group ping in interface inside
route outside 0.0.0.0 0.0.0.0 10.1.1.2 1
route inside 192.168.1.0 255.255.255.0 192.168.254.252 1
route inside 192.168.1.4 255.255.255.252 192.168.254.252 1
route inside 192.168.8.0 255.255.255.252 192.168.254.252 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.69.108 255.255.255.255 lan3
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.69.0 255.255.255.0 outside
telnet 192.168.1.4 255.255.255.252 inside
telnet 192.168.1.0 255.255.255.252 inside
telnet 192.168.1.8 255.255.255.252 inside
telnet 192.168.254.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
username r00t password gmBe62bV3ETKY/fA encrypted privilege 15
terminal width 80
Cryptochecksum:f0d0c41c13c47c617727715f5d70367e
: end
PIX#

So far, Andy has helped, but I can already ping the interfaces of the PIX from their respective sides, i.e. all nodes on the outside of the PIX can ping the outside interface, and all nodes on the inside can ping the inside interface. Here is a sh run of the 1750 connected all the way at the end, 5 hops away from the PIX...as well as sh ip route

NAS#192.168.1.1
Trying 192.168.1.1 ... Open


User Access Verification

Username: r00t
Password:
Bonded-T1-1750#sh run
Building configuration...

Current configuration : 1263 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Bonded-T1-1750
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$qi5b$6Nhh2ORPwR3M9FlGt0TGJ/
!
memory-size iomem 25
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
!
ip host R1720 192.168.1.2
ip host R2610 192.168.1.6
ip name-server 68.94.156.1
ip name-server 68.94.157.1
!
ip cef
ip audit po max-events 100
!
!
username r00t privilege 15 secret 5 $1$FSxA$iAAtAbVShDiy5PYPw9akm/
!
!
!
!
!
!
interface Multilink1
ip address 10.10.10.10 255.255.255.252
ppp multilink
ppp multilink group 1
!
interface FastEthernet0
ip address 192.168.1.1 255.255.255.252
speed auto
!
interface Serial0
no ip address
encapsulation ppp
ppp multilink
ppp multilink group 1
!
interface Serial1
no ip address
encapsulation ppp
ppp multilink
ppp multilink group 1
!
router eigrp 69
redistribute static
network 10.10.10.8 0.0.0.3
network 192.168.1.0 0.0.0.3
no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.10.9
no ip http server
no ip http secure-server
!
!
!
!
!
line con 0
logging synchronous
login local
line aux 0
line vty 0 4
login local
!
end

Bonded-T1-1750#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.10.10.9 to network 0.0.0.0

10.0.0.0/8 is variably subnetted, 3 subnets, 3 masks
C 10.10.10.8/30 is directly connected, Multilink1
C 10.10.10.9/32 is directly connected, Multilink1
D EX 10.1.1.0/24 [170/4734976] via 10.10.10.9, 18:55:10, Multilink1
D 192.168.254.0/24 [90/4734976] via 10.10.10.9, 22:47:56, Multilink1
192.168.1.0/30 is subnetted, 3 subnets
D 192.168.1.8 [90/4732416] via 10.10.10.9, 22:48:00, Multilink1
C 192.168.1.0 is directly connected, FastEthernet0
D 192.168.1.4 [90/3391488] via 10.10.10.9, 23:45:04, Multilink1
D EX 192.168.69.0/24 [170/4734976] via 10.10.10.9, 00:12:42, Multilink1
S* 0.0.0.0/0 [1/0] via 10.10.10.9
Bonded-T1-1750#

As you can see, the 10.1.1.0/30 nw is advertised externally (redist stat in eigrp 69), so the router (and obviously all routers in between) knows/know about the outside nw to the PIX, as well as the next hop from the PIX (69.0/24).

Please help. Where are all ye security gurus? Where are Garnetbobcat and brianinms????

HEEEEEELLLLLPPPPP!!!!!!


 
The 1750 can ping the inside interface of the PIX, but not the outside. Same with everything else connected to the inside nw of the PIX...
So the 1750, the one at the very end on the right can ping to the inside interface but not the outside even though it is technically on the outside??

The 2503, it can't ping anything beyond the inside of the PIX??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
No---1750 on the inside, 2620 (was 2503) on the outside

1750---can ping inside, not outside nor through

2620---can ping outside, not inside nor through

 
It's late, I had a phenomenal leg workout and am totally drained so things are not connecting right now. Do me a favor and re-post your topology one more time as some things are just not connecting right now.

 
OK

R1--T1--R2--R3--R4--switch1--PIX--R5--R6--switch2---pc's

Attached to the first switch is one PC. Attached to R1 is a pc with a crossover cable, straight to fa0.

R1=1750
R2=1720
Those two are connected with MLPPP T1 crossover cables, back to back
R3=2610
R4=2620
R5=2620
R6=3640 (production edge router)

R1-R4 and switch1 lead to ethernet4, or "inside" on the PIX. They can all ping the inside interface.
R5 and R6 and all pc's lead to the outside interface of the PIX, and can all ping it (outside).

Nothing can ping the opposite PIX interface, i.e. R1-R4 cannot ping outside, and R5-R6 + PCs cannot ping the inside interface.

NOTHING can ping through the PIX, i.e. R1 cannot ping R5 and vice-versa.

The PIX can ping everything, though I have not tried an extended ping from the PIX to be able to source a specific interface like one can with a Cisco router. Can you do that?

I have VPN access to my edge production router, so I can get to R5, R6 and the PIX from home, but since the PIX cannot telnet, or since nothing can connect (even telnet) through the PIX, I cannot get to R1-R4. Sounds like a routing issue, huh? The R1 knows about R4--PIX network (192.168.254.0/24) from EIGRP EX route in the routing table. I can ping .252 from R1 (R4) but cannot ping .254 (PIX). They are both (R4 and PIX) connected to each other by the same switch. I had connectivity in a similar topology, PIX and pc at one end, 4 routers on the other side, and pc2, but I had routes built in the 4 middle routers, and VPN crypto maps in the edge router on the one end and the PIX. Maybe I will just do that, just switch the 1750 and 1720 since the 1750 has the k9 IOS...

 
you're right, off the top it sounds like a routing issue, but as you pointed out the routes are being distributed. Here's what I'm thinking, and forgive me if my memory is hazy at the old age of 30, but I believe on any PIX OS version less than 7.0 you are required to use NAT in some form, whether it is NAT Exemption or otherwise. You should enable logging on the PIX and see if there are any errors along the line of No Translation found for such and such.

 
30?

LOL!

I'm only 38, and THAT's not old!

Of course, I should not have waited until 33 before I decided to start thinking about this thing they call Cisco...

I guess I could NAT and try it---that is what I was thinking also...

 
Nope

PIX(config)# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto shutdown
interface ethernet4 auto
nameif ethernet0 outside security0
nameif ethernet1 lan3 security99
nameif ethernet2 lan security99
nameif ethernet3 lalla security99
nameif ethernet4 inside security100
enable password EuPnUzlHyfrgSXBz encrypted
passwd w8xHKAPhmJ2QFL84 encrypted
hostname PIX
domain-name sms.stlouis
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list ping permit icmp any any
access-list ping permit icmp any any echo
access-list ping permit icmp any any echo-reply
access-list ping permit icmp any any time-exceeded
access-list ping permit icmp any any source-quench
access-list ping permit icmp any any unreachable
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu lan3 1500
mtu lan 1500
mtu lalla 1500
mtu inside 1500
ip address outside 10.1.1.1 255.255.255.248
no ip address lan3
no ip address lan
no ip address lalla
ip address inside 192.168.254.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address lan3
no failover ip address lan
no failover ip address lalla
no failover ip address inside
pdm history enable
arp timeout 14400
global (outside) 1 10.1.1.3
nat (inside) 1 192.168.254.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 10.1.1.2 1
route inside 192.168.1.0 255.255.255.0 192.168.254.252 1
route inside 192.168.1.4 255.255.255.252 192.168.254.252 1
route inside 192.168.8.0 255.255.255.252 192.168.254.252 1
route outside 192.168.69.0 255.255.255.0 10.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.69.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.69.0 255.255.255.0 outside
telnet 192.168.1.4 255.255.255.252 inside
telnet 192.168.1.0 255.255.255.252 inside
telnet 192.168.1.8 255.255.255.252 inside
telnet 192.168.254.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
username r00t password gmBe62bV3ETKY/fA encrypted privilege 15
terminal width 80
Cryptochecksum:361afe104894c3ef0d0ec8e36ddd842a
: end
PIX(config)# conf t
PIX(config)# access-group ping in interface outside
PIX(config)# access-group ping in interface inside
PIX(config)# 32: ICMP echo-request from outside:10.1.1.2 to 192.168.254.254 ID=0
33: ICMP echo-request from outside:10.1.1.2 to 192.168.254.254 ID=8139 seq=80460
34: ICMP echo-request from outside:10.1.1.2 to 192.168.254.254 ID=8140 seq=80460
35: ICMP echo-request from outside:10.1.1.2 to 192.168.254.254 ID=8141 seq=80460
36: ICMP echo-request from outside:10.1.1.2 to 192.168.254.254 ID=8142 seq=80460

PIX(config)#
LAB_B#ping 192.168.254.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.254.254, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

It sees pings...

LAB_B#ping 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 m

PIX(config)# 32: ICMP echo-request from outside:10.1.1.2 to 192.168.254.254 ID=0
33: ICMP echo-request from outside:10.1.1.2 to 192.168.254.254 ID=8139 seq=80460
34: ICMP echo-request from outside:10.1.1.2 to 192.168.254.254 ID=8140 seq=80460
35: ICMP echo-request from outside:10.1.1.2 to 192.168.254.254 ID=8141 seq=80460
36: ICMP echo-request from outside:10.1.1.2 to 192.168.254.254 ID=8142 seq=80460

PIX(config)# 37: ICMP echo request (len 72 id 8973 seq 5332) 10.1.1.2 > 10.1.1.1
38: ICMP echo reply (len 72 id 8973 seq 5332) 10.1.1.1 > 10.1.1.2
39: ICMP echo request (len 72 id 9229 seq 5332) 10.1.1.2 > 10.1.1.1
40: ICMP echo reply (len 72 id 9229 seq 5332) 10.1.1.1 > 10.1.1.2
41: ICMP echo request (len 72 id 9485 seq 5332) 10.1.1.2 > 10.1.1.1
42: ICMP echo reply (len 72 id 9485 seq 5332) 10.1.1.1 > 10.1.1.2
43: ICMP echo request (len 72 id 9741 seq 5332) 10.1.1.2 > 10.1.1.1
44: ICMP echo reply (len 72 id 9741 seq 5332) 10.1.1.1 > 10.1.1.2
45: ICMP echo request (len 72 id 9997 seq 5332) 10.1.1.2 > 10.1.1.1
46: ICMP echo reply (len 72 id 9997 seq 5332) 10.1.1.1 > 10.1.1.2


PIX(config)#
PIX(config)# ping 192.168.254.252
52: ICMP echo request (len 32 id 9233 seq 0) 192.168.254.254 > 192.168.254.252
53: ICMP echo reply (len 32 id 9233 seq 0) 192.168.254.252 > 192.168.254.254
192.168.254.252 response received -- 10ms
54: ICMP echo request (len 32 id 9233 seq 1) 192.168.254.254 > 192.168.254.252
55: ICMP echo reply (len 32 id 9233 seq 1) 192.168.254.252 > 192.168.254.254
192.168.254.252 response received -- 0ms
56: ICMP echo request (len 32 id 9233 seq 2) 192.168.254.254 > 192.168.254.252
57: ICMP echo reply (len 32 id 9233 seq 2) 192.168.254.252 > 192.168.254.254
192.168.254.252 response received -- 0ms
PIX(config)# ping 192.168.69.1
58: ICMP echo request (len 32 id 9233 seq 0) 10.1.1.1 > 192.168.69.1
59: ICMP echo reply (len 32 id 9233 seq 0) 192.168.69.1 > 10.1.1.1
192.168.69.1 response received -- 10ms
60: ICMP echo request (len 32 id 9233 seq 1) 10.1.1.1 > 192.168.69.1
61: ICMP echo reply (len 32 id 9233 seq 1) 192.168.69.1 > 10.1.1.1
192.168.69.1 response received -- 0ms
62: ICMP echo request (len 32 id 9233 seq 2) 10.1.1.1 > 192.168.69.1
63: ICMP echo reply (len 32 id 9233 seq 2) 192.168.69.1 > 10.1.1.1
192.168.69.1 response received -- 0ms

LAB_B#ping 192.168.254.252

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.254.252, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

PIX(config)# 47: ICMP echo-request from outside:10.1.1.2 to 192.168.254.252 ID=0
48: ICMP echo-request from outside:10.1.1.2 to 192.168.254.252 ID=714 seq=2932 0
49: ICMP echo-request from outside:10.1.1.2 to 192.168.254.252 ID=715 seq=2932 0
50: ICMP echo-request from outside:10.1.1.2 to 192.168.254.252 ID=716 seq=2932 0
51: ICMP echo-request from outside:10.1.1.2 to 192.168.254.252 ID=717 seq=2932 0

PIX(config)# sh ver

Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(4)

Compiled on Thu 04-Aug-05 21:40 by morlee

PIX up 1 day 17 hours

Hardware: SE440BX2, 384 MB RAM, CPU Pentium II 350 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB

0: ethernet0: address is 00e0.b602.0557, irq 11
1: ethernet1: address is 00e0.b602.0556, irq 10
2: ethernet2: address is 00e0.b602.0555, irq 15
3: ethernet3: address is 00e0.b602.0554, irq 9
4: ethernet4: address is 000e.0cb5.98fa, irq 10
Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Physical Interfaces: 6
Maximum Interfaces: 12
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited

This PIX has an Unrestricted (UR) license.

Serial Number: 18042905 (0x1135019)
Running Activation Key: 0xae30d965 0x4f250ac4 0x91bb48eb 0x8996d457
Configuration last modified by enable_15 at 07:37:55.582 UTC Fri Jul 10 2009


WHAT GIVES?!?!?!?!

 
ok so just for kicks, enable logging on the PIX
Code:
logging on
logging buffered debug
From your 192.168.254.252 host ping 10.1.1.2 and post the output from the buffer

 
PIX(config)# 95: ICMP echo-request from outside:10.1.1.2 to 192.168.254.254 ID=0
305005: No translation group found for icmp src outside:10.1.1.2 dst inside:192)
96: ICMP echo-request from outside:10.1.1.2 to 192.168.254.254 ID=4868 seq=673 0
305005: No translation group found for icmp src outside:10.1.1.2 dst inside:192)
97: ICMP echo-request from outside:10.1.1.2 to 192.168.254.254 ID=4869 seq=673 0
305005: No translation group found for icmp src outside:10.1.1.2 dst inside:192)
98: ICMP echo-request from outside:10.1.1.2 to 192.168.254.254 ID=4870 seq=673 0
305005: No translation group found for icmp src outside:10.1.1.2 dst inside:192)
99: ICMP echo-request from outside:10.1.1.2 to 192.168.254.254 ID=4871 seq=673 0
305005: No translation group found for icmp src outside:10.1.1.2 dst inside:19



 
PIX(config)# 105: ICMP echo-request from outside:10.1.1.2 to 192.168.254.254 ID0
106: ICMP echo-request: untranslating outside:192.168.254.254 to inside:255.2554
609001: Built local-host inside:255.255.255.254
305009: Built static translation from inside:255.255.255.254 to outside:192.1684
110001: No route to 255.255.255.254 from 10.1.1.2
107: ICMP echo-request from outside:10.1.1.2 to 192.168.254.254 ID=7066 seq=8750
108: ICMP echo-request: untranslating outside:192.168.254.254 to inside:255.2554
109: ICMP echo-request from outside:10.1.1.2 to 192.168.254.254 ID=7067 seq=8750
110: ICMP echo-request: untranslating outside:192.168.254.254 to inside:255.2554
111: ICMP echo-request from outside:10.1.1.2 to 192.168.254.254 ID=7068 seq=8750
112: ICMP echo-request: untranslating outside:192.168.254.254 to inside:255.2554
113: ICMP echo-request from outside:10.1.1.2 to 192.168.254.254 ID=7069 seq=8750
114: ICMP echo-request: untranslating outside:192.168.254.254 to inside:255.2554

PIX(config)# sh run | incl static
static (outside,inside) 10.1.1.0 255.255.255.248 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.254.0 255.255.255.0 netmask 255.255.255.0 0

LAB_B#ping 192.168.254.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.254.254, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)



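The two log excerpts above say everything needed. PIX 6.x builds translations through nat/global only for connections started from the higher-security side, so an echo arriving on outside for an inside address has no xlate and is dropped with 305005 regardless of the access-list; once a static exists, 305009 shows the real address it was untranslated to and 110001 shows that address is unroutable. The following is an added example (editor's, not output from the thread): a Python triage script that parses PIX 6.3 syslog lines by message ID and turns 305005/305009/110001 into verdicts. The sample lines are constructed to match the message formats quoted above (the thread's own lines are cut off at the console width); the "NNN: ICMP ..." lines come from debug icmp trace, not syslog, and are skipped.

```python
"""Triage PIX 6.x syslog for the 'can ping the interface, not through it' case.

Added example for this thread, not the poster's output. The sample lines are
constructed to match the message formats quoted in the thread; message IDs
305005, 305009 and 110001 are the ones the posts show.
"""
import re
from collections import Counter

# Constructed sample, modelled on the thread's console output.
SAMPLE_LOG = """\
305005: No translation group found for icmp src outside:10.1.1.2 dst inside:192.168.254.254 (type 8, code 0)
%PIX-3-305005: No translation group found for icmp src outside:10.1.1.2 dst inside:192.168.254.254 (type 8, code 0)
305005: No translation group found for icmp src outside:10.1.1.2 dst inside:192.168.254.252 (type 8, code 0)
106: ICMP echo-request: untranslating outside:192.168.254.254 to inside:255.255.255.254
609001: Built local-host inside:255.255.255.254
305009: Built static translation from inside:255.255.255.254 to outside:192.168.254.254
110001: No route to 255.255.255.254 from 10.1.1.2
111009: User 'enable_15' executed cmd: show running-config
"""

# Six-digit message ID with the optional "%PIX-<severity>-" prefix a syslog export adds.
MSG_RE = re.compile(r"^(?:%PIX-\d-)?(\d{6}):\s*(.*)$")
IP = r"((?:\d{1,3}\.){3}\d{1,3})"


def parse_line(line):
    """Return a dict for a syslog line, or None for non-syslog output
    (the 3-digit 'NNN: ICMP ...' lines come from 'debug icmp trace')."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    msg_id, body = int(m.group(1)), m.group(2)
    ev = {"id": msg_id, "body": body}
    if msg_id == 305005:    # no nat/static covers this flow
        mm = re.search(rf"for (\S+) src (\w+):{IP}\S* dst (\w+):{IP}", body)
        if mm:
            ev.update(proto=mm.group(1), src_ifc=mm.group(2), src=mm.group(3),
                      dst_ifc=mm.group(4), dst=mm.group(5))
    elif msg_id == 305009:  # static xlate built: real -> mapped
        mm = re.search(rf"from (\w+):{IP} to (\w+):{IP}", body)
        if mm:
            ev.update(real_ifc=mm.group(1), real=mm.group(2),
                      mapped_ifc=mm.group(3), mapped=mm.group(4))
    elif msg_id == 110001:  # no route for the (already untranslated) destination
        mm = re.search(rf"No route to {IP} from {IP}", body)
        if mm:
            ev.update(dst=mm.group(1), src=mm.group(2))
    return ev


def diagnose(text):
    """Summarise why traffic is not crossing the PIX, from the log alone."""
    events = [e for e in map(parse_line, text.splitlines()) if e]
    no_xlate = Counter((e["src_ifc"], e["dst_ifc"], e["dst"])
                       for e in events if e["id"] == 305005 and "dst" in e)
    real_of_static = {e["real"] for e in events if e["id"] == 305009 and "real" in e}
    no_route = Counter((e["dst"], e["src"])
                       for e in events if e["id"] == 110001 and "dst" in e)
    verdicts = []
    for (sifc, difc, dst), n in sorted(no_xlate.items()):
        verdicts.append(
            f"{n}x 305005: nothing translates {dst} on {difc} for flows arriving on {sifc}; "
            f"PIX 6.x needs a static for {sifc}-initiated traffic, e.g. an identity "
            f"'static ({difc},{sifc}) NET NET netmask MASK'")
    for (dst, src), n in sorted(no_route.items()):
        if dst in real_of_static:
            verdicts.append(
                f"{n}x 110001: {dst} is the 'real' side of a static but is unroutable; "
                f"static takes MAPPED then REAL, so the arguments are probably swapped")
        else:
            verdicts.append(f"{n}x 110001: no route to {dst} for traffic from {src}; add a route")
    return verdicts


if __name__ == "__main__":
    for v in diagnose(SAMPLE_LOG):
        print(v)
```

Feed it "show logging" output (logging buffered debugging, as suggested above) and the verdicts are grouped per source interface, destination interface and destination address, so a few hundred repeated echo-requests collapse into one line each.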
 
changed static

static (outside,inside)192.168.254.254 10.1.1.1

110001: No route to 255.255.255.254 from 192.168.254.254

and then all the messages about no translation. I am about to say "fork this" and just create a site to site vpn---that worked!

 
post your PIX config one more time with the changes that you've made. You're almost there, I can feel it man!!!

 
PIX(config)# 271: ICMP echo-request from outside:10.1.1.2 to 192.168.254.254 ID0
272: ICMP echo-request: translating outside:10.1.1.2 to inside:192.168.254.254
273: ICMP echo-request: untranslating outside:192.168.254.254 to inside:255.2554
110001: No route to 255.255.255.254 from 192.168.254.254
274: ICMP echo-request from outside:10.1.1.2 to 192.168.254.254 ID=4329 seq=6380
275: ICMP echo-request: translating outside:10.1.1.2 to inside:192.168.254.254
276: ICMP echo-request: untranslating outside:192.168.254.254 to inside:255.2554
277: ICMP echo-request from outside:10.1.1.2 to 192.168.254.254 ID=4330 seq=6380
278: ICMP echo-request: translating outside:10.1.1.2 to inside:192.168.254.254
279: ICMP echo-request: untranslating outside:192.168.254.254 to inside:255.2554
280: ICMP echo-request from outside:10.1.1.2 to 192.168.254.254 ID=4331 seq=6380
281: ICMP echo-request: translating outside:10.1.1.2 to inside:192.168.254.254
282: ICMP echo-request: untranslating outside:192.168.254.254 to inside:255.2554
283: ICMP echo-request from outside:10.1.1.2 to 192.168.254.254 ID=4332 seq=6380
284: ICMP echo-request: translating outside:10.1.1.2 to inside:192.168.254.254
285: ICMP echo-request: untranslating outside:192.168.254.254 to inside:255.2554

PIX(config)#
PIX(config)# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto shutdown
interface ethernet4 auto
nameif ethernet0 outside security0
nameif ethernet1 lan3 security99
nameif ethernet2 lan security99
nameif ethernet3 lalla security99
nameif ethernet4 inside security100
enable password EuPnUzlHyfrgSXBz encrypted
passwd w8xHKAPhmJ2QFL84 encrypted
hostname PIX
domain-name sms.stlouis
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list ping permit icmp any any
access-list ping permit icmp any any echo
access-list ping permit icmp any any echo-reply
access-list ping permit icmp any any time-exceeded
access-list ping permit icmp any any source-quench
access-list ping permit icmp any any unreachable
pager lines 24
logging on
logging console debugging
logging buffered debugging
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu lan3 1500
mtu lan 1500
mtu lalla 1500
mtu inside 1500
ip address outside 10.1.1.1 255.255.255.248
no ip address lan3
no ip address lan
no ip address lalla
ip address inside 192.168.254.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address lan3
no failover ip address lan
no failover ip address lalla
no failover ip address inside
pdm history enable
arp timeout 14400
global (outside) 1 10.1.1.3
static (outside,inside) 10.1.1.1 255.255.255.255 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.254.254 255.255.255.255 netmask 255.255.255.255
access-group ping in interface outside
route outside 0.0.0.0 0.0.0.0 10.1.1.2 1
route inside 192.168.1.0 255.255.255.0 192.168.254.252 1
route inside 192.168.1.4 255.255.255.252 192.168.254.252 1
route outside 192.168.5.0 255.255.255.252 10.1.1.1 1
route inside 192.168.8.0 255.255.255.252 192.168.254.252 1
route outside 192.168.69.0 255.255.255.0 10.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.69.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.69.0 255.255.255.0 outside
telnet 192.168.1.4 255.255.255.252 inside
telnet 192.168.1.0 255.255.255.252 inside
telnet 192.168.1.8 255.255.255.252 inside
telnet 192.168.254.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
username r00t password gmBe62bV3ETKY/fA encrypted privilege 15
terminal width 80
Cryptochecksum:361afe104894c3ef0d0ec8e36ddd842a
: end
PIX(config)# 111009: User 'enable_15' executed cmd: show running-config



tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
see if this helps:
Code:
global (outside) 1 interface
static (inside,outside) 192.168.254.0 192.168.254.0 netmask 255.255.255.0
static (outside,inside) 10.1.1.0 10.1.1.0 netmask 255.255.255.248

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Nope

SMS-STL-Edge>ping 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
SMS-STL-Edge>ping 192.168.254.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.254.254, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
SMS-STL-Edge>

PIX(config)# 292: ICMP echo request (len 72 id 6144 seq 0) 192.168.5.2 > 10.1.11
293: ICMP echo reply (len 72 id 6144 seq 0) 10.1.1.1 > 192.168.5.2
294: ICMP echo request (len 72 id 6144 seq 1) 192.168.5.2 > 10.1.1.1
295: ICMP echo reply (len 72 id 6144 seq 1) 10.1.1.1 > 192.168.5.2
296: ICMP echo request (len 72 id 6144 seq 2) 192.168.5.2 > 10.1.1.1
297: ICMP echo reply (len 72 id 6144 seq 2) 10.1.1.1 > 192.168.5.2
298: ICMP echo request (len 72 id 6144 seq 3) 192.168.5.2 > 10.1.1.1
299: ICMP echo reply (len 72 id 6144 seq 3) 10.1.1.1 > 192.168.5.2
300: ICMP echo request (len 72 id 6144 seq 4) 192.168.5.2 > 10.1.1.1
301: ICMP echo reply (len 72 id 6144 seq 4) 10.1.1.1 > 192.168.5.2
302: ICMP echo-request from outside:192.168.5.2 to 192.168.254.254 ID=25 seq=0 0
303: ICMP echo-request: untranslating outside:192.168.254.254 to inside:255.2554
110001: No route to 255.255.255.254 from 192.168.5.2
304: ICMP echo-request from outside:192.168.5.2 to 192.168.254.254 ID=25 seq=1 0
305: ICMP echo-request: untranslating outside:192.168.254.254 to inside:255.2554
306: ICMP echo-request from outside:192.168.5.2 to 192.168.254.254 ID=25 seq=2 0
307: ICMP echo-request: untranslating outside:192.168.254.254 to inside:255.2554
308: ICMP echo-request from outside:192.168.5.2 to 192.168.254.254 ID=25 seq=3 0
309: ICMP echo-request: untranslating outside:192.168.254.254 to inside:255.2554
310: ICMP echo-request from outside:192.168.5.2 to 192.168.254.254 ID=25 seq=4 0

PIX(config)# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto shutdown
interface ethernet4 auto
nameif ethernet0 outside security0
nameif ethernet1 lan3 security99
nameif ethernet2 lan security99
nameif ethernet3 lalla security99
nameif ethernet4 inside security100
enable password EuPnUzlHyfrgSXBz encrypted
passwd w8xHKAPhmJ2QFL84 encrypted
hostname PIX
domain-name sms.stlouis
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list ping permit icmp any any
access-list ping permit icmp any any echo
access-list ping permit icmp any any echo-reply
access-list ping permit icmp any any time-exceeded
access-list ping permit icmp any any source-quench
access-list ping permit icmp any any unreachable
pager lines 24
logging on
logging console debugging
logging buffered debugging
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu lan3 1500
mtu lan 1500
mtu lalla 1500
mtu inside 1500
ip address outside 10.1.1.1 255.255.255.248
no ip address lan3
no ip address lan
no ip address lalla
ip address inside 192.168.254.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address lan3
no failover ip address lan
no failover ip address lalla
no failover ip address inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
static (inside,outside) 192.168.254.0 192.168.254.0 netmask 255.255.255.0 0 0
static (outside,inside) 10.1.1.0 10.1.1.0 netmask 255.255.255.248 0 0
access-group ping in interface outside
route outside 0.0.0.0 0.0.0.0 10.1.1.2 1
route inside 192.168.1.0 255.255.255.0 192.168.254.252 1
route inside 192.168.1.4 255.255.255.252 192.168.254.252 1
route outside 192.168.5.0 255.255.255.252 10.1.1.2 1
route inside 192.168.8.0 255.255.255.252 192.168.254.252 1
route outside 192.168.69.0 255.255.255.0 10.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.69.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.69.0 255.255.255.0 outside
telnet 192.168.1.4 255.255.255.252 inside
telnet 192.168.1.0 255.255.255.252 inside
telnet 192.168.1.8 255.255.255.252 inside
telnet 192.168.254.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
username r00t password gmBe62bV3ETKY/fA encrypted privilege 15
terminal width 80
Cryptochecksum:361afe104894c3ef0d0ec8e36ddd842a
: end
PIX(config)# 111009: User 'enable_15' executed cmd: show running-config



tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
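An added example (editor's code, not from this thread or from Cisco) that models the two steps the PIX debug lines above are logging: the `untranslating outside:... to inside:...` lookup against the `static` table, then the route check that produces `110001: No route`. PIX 6.x syntax is `static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask`, so the first config's `static (inside,outside) 192.168.254.254 255.255.255.255 netmask 255.255.255.255` has a mask where the real address belongs and untranslates to an address that is not on the inside subnet, while the identity statics suggested in the reply untranslate 192.168.254.254 to itself. The two sample configs are constructed from the lines posted in this thread, trimmed to the NAT, route and management lines; `untranslate`, `egress_interface`, `trace` and `management_exposure` are hypothetical helper names, and the model is a simplification of the real PIX lookup (first matching static wins, longest-prefix route, route interface must equal the static's real interface).

```python
import ipaddress
import re

# Constructed samples: the NAT, route and management lines from the two "sh run"
# outputs posted in this thread (the first config and the one after the change).
FIRST_CONFIG = """\
ip address outside 10.1.1.1 255.255.255.248
ip address inside 192.168.254.254 255.255.255.0
global (outside) 1 10.1.1.3
static (outside,inside) 10.1.1.1 255.255.255.255 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.254.254 255.255.255.255 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 10.1.1.2 1
route inside 192.168.1.0 255.255.255.0 192.168.254.252 1
http 192.168.69.0 255.255.255.0 outside
snmp-server community public
telnet 192.168.69.0 255.255.255.0 outside
"""

SECOND_CONFIG = """\
ip address outside 10.1.1.1 255.255.255.248
ip address inside 192.168.254.254 255.255.255.0
global (outside) 1 interface
static (inside,outside) 192.168.254.0 192.168.254.0 netmask 255.255.255.0 0 0
static (outside,inside) 10.1.1.0 10.1.1.0 netmask 255.255.255.248 0 0
route outside 0.0.0.0 0.0.0.0 10.1.1.2 1
route inside 192.168.1.0 255.255.255.0 192.168.254.252 1
http 192.168.69.0 255.255.255.0 outside
snmp-server community public
telnet 192.168.69.0 255.255.255.0 outside
"""

IP = r"\d+\.\d+\.\d+\.\d+"
# PIX 6.x: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask [...]
STATIC_RE = re.compile(rf"^static \((\w+),(\w+)\) ({IP}) ({IP}) netmask ({IP})")
IPADDR_RE = re.compile(rf"^ip address (\w+) ({IP}) ({IP})")   # connected route
ROUTE_RE = re.compile(rf"^route (\w+) ({IP}) ({IP}) ({IP})")  # static route

def _lines(config):
    return [l.strip() for l in config.splitlines() if l.strip()]

def untranslate(config, mapped_ifc, dst):
    """Destination lookup for a packet arriving on mapped_ifc addressed to dst.
    Returns (real_ifc, real_ip) from the first matching static, else None."""
    dst_i = int(ipaddress.IPv4Address(dst))
    for line in _lines(config):
        m = STATIC_RE.match(line)
        if not m or m.group(2) != mapped_ifc:
            continue
        real_ifc, _, mapped, real, mask = m.groups()
        mask_i = int(ipaddress.IPv4Address(mask))
        if dst_i & mask_i != int(ipaddress.IPv4Address(mapped)) & mask_i:
            continue
        # Network bits come from the real side of the static, host bits from dst.
        real_i = (int(ipaddress.IPv4Address(real)) & mask_i) | (dst_i & ~mask_i & 0xFFFFFFFF)
        return real_ifc, str(ipaddress.IPv4Address(real_i))
    return None

def egress_interface(config, ip):
    """Longest-prefix match over connected and static routes; None if no route."""
    addr = ipaddress.IPv4Address(ip)
    best = None
    for line in _lines(config):
        m = IPADDR_RE.match(line) or ROUTE_RE.match(line)
        if not m:
            continue
        ifc, net_ip, mask = m.group(1), m.group(2), m.group(3)
        net = ipaddress.IPv4Network(f"{net_ip}/{mask}", strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifc)
    return best[1] if best else None

def trace(config, in_ifc, dst):
    """Untranslate, then route: the two steps behind the 30x / 110001 debug lines."""
    hit = untranslate(config, in_ifc, dst)
    if hit is None:
        return {"verdict": "no xlate"}
    real_ifc, real_ip = hit
    egress = egress_interface(config, real_ip)
    # The route must leave via the static's real interface, else 110001 No route.
    verdict = "forward" if egress == real_ifc else "no route"
    return {"real_ifc": real_ifc, "real_ip": real_ip, "egress": egress, "verdict": verdict}

def management_exposure(config):
    """Management-plane lines that should not be on an Internet-facing PIX."""
    findings = []
    for line in _lines(config):
        if line.startswith(("telnet ", "http ")) and line.endswith(" outside"):
            findings.append("admin access permitted from outside: " + line)
        elif line == "snmp-server community public":
            findings.append("default SNMP community: " + line)
    return findings

if __name__ == "__main__":
    for name, cfg in (("first", FIRST_CONFIG), ("second", SECOND_CONFIG)):
        print(name, trace(cfg, "outside", "192.168.254.254"))
        for finding in management_exposure(cfg):
            print(name, "-", finding)
```

A `forward` verdict only means the xlate and the route agree. The ping still fails after the change because the target is the PIX's own inside interface address: a PIX will not answer ICMP sent to one of its interface addresses from a host on a different interface, so reachability through the box should be tested against a host behind the inside interface (192.168.254.252, the inside next hop in the route table) rather than against 192.168.254.254. `management_exposure` reports the same three items in both posted configs: telnet and HTTP (PDM) management permitted from the outside interface and the default `public` SNMP community, which are worth closing before more ICMP is opened through the firewall.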
 