Can't ping ethernet2 or outside PIX520 1

Status
Not open for further replies.

burtsbees

Programmer
Jan 29, 2007
7,657
US
Here we go again...topology:

2503-PIX-switch-2620-2610-1720--T1--1750-PC1
|
|
PC2

sh run of PIX

PIX# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 10full
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 lan security99
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
enable password EuPnUzlHyfrgSXBz encrypted
passwd w8xHKAPhmJ2QFL84 encrypted
hostname PIX
domain-name sms.stlouis
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list ping permit icmp any any echo
access-list ping permit icmp any any echo-reply
access-list ping permit icmp any any source-quench
access-list ping permit icmp any any
access-list ping permit ip any any
access-list ping permit tcp any any
access-list ping permit icmp any any unreachable
access-list ping permit icmp any any time-exceeded
pager lines 24
mtu outside 1500
mtu inside 1500
mtu lan 1500
mtu intf3 1500
mtu intf4 1500
no ip address outside
ip address inside 192.168.254.254 255.255.255.0
ip address lan 10.1.1.1 255.255.255.0
no ip address intf3
no ip address intf4
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address lan
no failover ip address intf3
no failover ip address intf4
pdm history enable
arp timeout 14400
access-group ping in interface outside
access-group ping in interface inside
access-group ping in interface lan
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 10.1.1.2 1
route inside 192.168.1.0 255.255.255.252 192.168.254.252 1
route inside 192.168.1.4 255.255.255.252 192.168.254.252 1
route inside 192.168.1.8 255.255.255.252 192.168.254.252 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.69.108 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.1.1.1 255.255.255.255 outside
telnet 192.168.1.0 255.255.255.252 inside
telnet 192.168.1.4 255.255.255.252 inside
telnet 192.168.1.8 255.255.255.252 inside
telnet 192.168.254.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
username r00t password gmBe62bV3ETKY/fA encrypted privilege 15
terminal width 80
Cryptochecksum:beee81ea120c045352d3d38f9290c4d0
: end
PIX#

I can ping everything from the PIX. I cannot ping the PIX lan from anything. Help. Please. Garnetbobcat? Unclerico?

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
ok, from a host on 192.168.254.0/24 try to ping 10.1.1.2

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
I am giving up for today...:(

booo!!!! hiss hiss!!!! do you have access to PIX OS v7.0 or above??

Yes, but the 520 can only go to 6.3

I may look into a 501 or 515...

doh, I forgot you're running the 520

so did you try going from a host on the inside to the 10.1.1.2??

Yes. Also from a router, but host meaning pc. I go from the farthest or the closest router to the PIX on either side in the topology. I could swear I was able to ping through. Ping is the ultimate test, but I have a pc on either end. I guess I could try and make an RDP acl like I had in a previous lab. All I am looking for is connectivity all the way through. I have no idea what "no route" messages mean in the PIX. The two are friggin directly connected!

Let's try this:
1) Remove
Code:
global (outside) 1 interface  
static (inside,outside) 192.168.254.0 192.168.254.0 netmask 255.255.255.0 0 0   
static (outside,inside) 10.1.1.0 10.1.1.0 netmask 255.255.255.248 0 0
2) Add
Code:
access-list INSIDE_NONAT permit ip 192.168.254.0 255.255.255.0 any

nat (inside) 0 access-list INSIDE_NONAT
From a PC on the 192.168.254.0 network try to ping anything on the outside (aside from the PIX outside interface). If this works then we'll add in the piece for the outside to the inside.

OK, but this lab is at work. Guess where I am not...lol

Yes! Cannot ping 10.1.1.1, but CAN ping 10.1.1.2

So...

access-list OUT permit ip 10.1.1.0 255.255.255.248 any
nat (outside) 0 access-list OUT

That works for anything outside pinging the other side of 192.168.254.254, i.e. the inside of the PIX. Now 192.168.1.1 cannot ping 192.168.254.254, but anything after it can, and the PIX can ping 192.168.1.1

192.168.254.0/24 shows up in the routing table as an EIGRP learned route in 192.168.1.1

WTF?!?!?!!

Who cares---got the main obstacle out of the way...

PIX# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto shutdown
interface ethernet4 auto
nameif ethernet0 outside security0
nameif ethernet1 lan3 security99
nameif ethernet2 lan security99
nameif ethernet3 lalla security99
nameif ethernet4 inside security100
enable password EuPnUzlHyfrgSXBz encrypted
passwd w8xHKAPhmJ2QFL84 encrypted
hostname PIX
domain-name sms.stlouis
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list ping permit icmp any any
access-list ping permit icmp any any echo
access-list ping permit icmp any any echo-reply
access-list ping permit icmp any any time-exceeded
access-list ping permit icmp any any source-quench
access-list ping permit icmp any any unreachable
access-list ping permit ip any any
access-list ping permit tcp any any eq 3389
access-list ping permit udp any any eq netbios-ns
access-list ping permit udp any any eq 3389
access-list INSIDE_NONAT permit ip 192.168.254.0 255.255.255.0 any
access-list OUT permit ip 10.1.1.0 255.255.255.248 any
pager lines 24
logging on
logging console debugging
logging buffered debugging
mtu outside 1500
mtu lan3 1500
mtu lan 1500
mtu lalla 1500
mtu inside 1500
ip address outside 10.1.1.1 255.255.255.248
no ip address lan3
no ip address lan
no ip address lalla
ip address inside 192.168.254.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address lan3
no failover ip address lan
no failover ip address lalla
no failover ip address inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 0 access-list OUT
nat (inside) 0 access-list INSIDE_NONAT
static (inside,outside) 192.168.254.0 192.168.254.0 netmask 255.255.255.0 0 0
static (outside,inside) 10.1.1.0 10.1.1.0 netmask 255.255.255.248 0 0
access-group ping in interface outside
access-group ping in interface inside
route outside 0.0.0.0 0.0.0.0 10.1.1.2 1
route inside 192.168.1.0 255.255.255.0 192.168.254.252 1
route inside 192.168.1.4 255.255.255.252 192.168.254.252 1
route inside 192.168.1.8 255.255.255.252 192.168.254.252 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.69.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.69.0 255.255.255.0 outside
telnet 192.168.5.1 255.255.255.255 outside
telnet 192.168.3.0 255.255.255.252 outside
telnet 192.168.1.4 255.255.255.252 inside
telnet 192.168.1.0 255.255.255.252 inside
telnet 192.168.1.8 255.255.255.252 inside
telnet 192.168.254.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
username r00t password gmBe62bV3ETKY/fA encrypted privilege 15
terminal width 80
Cryptochecksum:51f8d44efe3197bc5bae417ab8d68feb
: end
PIX#

I cannot ping anything beyond 192.168.254.252 (router directly connected to PIX inside), including anything on the outside of the PIX, but I can ping the inside of the PIX. From 192.168.254.254 I can ping everything on the outside of the PIX...the previous was working before---EIGRP lost its mind (user error...lol)---I added a route in the PIX to the MLPPP between the 1750 and 1720, and got rid of a static route in the 1720, and no redist static, except in the 2620.

I think I'll just do static routes...for now...lol

Thanks again uncle!

because of all of the different networks that you have you may want to alter both of your NONAT ACLs to be this:
Code:
access-list INSIDE_NONAT permit ip any any

access-list OUT permit ip any any
As it is right now, only traffic coming from 192.168.254.0/24 from the inside to the outside is bypassing NAT, and only traffic coming from 10.1.1.0/30 is bypassing NAT coming from the outside to the inside, so that may be why you are still seeing connectivity issues.

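To show why the "any any" advice above (and the earlier nat 0 / NONAT procedure in the "Let's try this" post) makes a difference, here is a small added model of the PIX 6.3 translation check, written for this thread and not taken from Cisco or from any poster. It parses the NONAT access-list lines as they appear in the thread's sh run, then decides, for a constructed inside-to-outside packet, whether the PIX would forward it under a nat 0 exemption, forward it via the identity static, or drop it for lack of a translation (the real PIX syslog for that case is 305005 "No translation group found"). The evaluation order is a deliberate simplification of the PIX 6.3 NAT lookup and is my assumption, not a claim about the exact internals.

```python
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")


def parse_ace(line):
    """Parse a PIX 6.3 'access-list NAME permit ip SRC MASK DST MASK' line.
    'any' stands for 0.0.0.0/0; 6.3 syntax has no 'extended' keyword."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[2] != "permit" or tok[3] != "ip":
        raise ValueError("unsupported ACE: " + line)
    nets, i = [], 4
    while len(nets) < 2:
        if tok[i] == "any":
            nets.append(ANY)
            i += 1
        else:
            # PIX writes the mask as a dotted netmask, which ipaddress accepts
            nets.append(ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False))
            i += 2
    return tuple(nets)


def parse_acl(lines):
    return [parse_ace(line) for line in lines]


def translation_decision(nat0_acl, static_nets, src, dst):
    """Simplified (assumed) order: nat 0 ACL exemption first, then an identity
    static covering the source; with neither, the packet has no xlate and is
    dropped (PIX syslog 305005)."""
    s, d = ip_address(src), ip_address(dst)
    if any(s in a and d in b for a, b in nat0_acl):
        return "forwarded: nat 0 exemption (no xlate needed)"
    if any(s in n for n in static_nets):
        return "forwarded: static identity xlate"
    return "dropped: no translation group found (305005)"


# Inside -> outside rules exactly as in the thread's final sh run
INSIDE_NONAT_AS_POSTED = parse_acl([
    "access-list INSIDE_NONAT permit ip 192.168.254.0 255.255.255.0 any",
])
# 'static (inside,outside) 192.168.254.0 192.168.254.0 netmask 255.255.255.0'
INSIDE_STATICS = [ip_network("192.168.254.0/24")]
# The broader ACL suggested in the post above
INSIDE_NONAT_ANY = parse_acl(["access-list INSIDE_NONAT permit ip any any"])


def compare(src, dst="10.1.1.2"):
    """Decision for one constructed packet under the posted ACL and the any-any ACL."""
    return (
        translation_decision(INSIDE_NONAT_AS_POSTED, INSIDE_STATICS, src, dst),
        translation_decision(INSIDE_NONAT_ANY, INSIDE_STATICS, src, dst),
    )


if __name__ == "__main__":
    # Constructed sources: a host on the PIX's inside subnet and the 192.168.1.1
    # router that the thread says could not ping through
    for host in ("192.168.254.10", "192.168.1.1"):
        posted, broad = compare(host)
        print(f"{host} -> 10.1.1.2 | as posted: {posted} | any any: {broad}")
```

Running it shows the split the thread describes: 192.168.254.x hosts match the posted NONAT line, while a source behind the 192.168.254.252 router (192.168.1.1) matches neither the nat 0 ACL nor the /24 static and has no translation to use, which is what the any-any ACL fixes. Two further things worth keeping in mind on a 6.3 box: ICMP is not inspected statefully, so the echo-reply must be allowed by an ACL on the interface it comes back in on (the "ping" ACL here does that), and the far-side interface address cannot be pinged through the PIX, which is why 10.1.1.1 stays unreachable from the inside even when 10.1.1.2 answers.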
Had a few issues with routing in the routers, actually, but I have torn the lab down for a new one now. My main issue has been solved, but I will keep the any any in mind. Thanks again for your help, bro.

beaners homie

Next is OSPF over IPSEC tunnels, as well as refreshers on AAA, and a new DMVPN setup (never dealt with those)...
