
nat/global/static icmp hell

Status
Not open for further replies.
Aug 4, 2003

Hi,

I'm new to the PIX and although I've been RTFMing and googling I can't seem to find the answer to a couple of questions I have. Hope you all can help.

My net setup...

|-----|
internet---router---outside| |inside
|-----|
dmz

outside interface = xxx.246.9.60 security0
inside interface = 192.168.0.1 security100
dmz interface = 172.16.0.1 security50

inside network = 192.168.0.0/25
dmz network = 172.16.0.0/25

one server in dmz = 172.16.0.2 (public address xxx.xxx.9.42)

I have a pix 515E with software 6.3(2)

Relevant config stuff...
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
global (outside) 1 interface
static (DMZ,outside) xxx.xxx.9.42 172.16.0.2 netmask 255.255.255.255

Policy:
-traffic from inside to outside should appear as coming from outside interface
-No connections started from dmz and outside to inside
-inside can connect to dmz

Question 1:

IP traffic works fine, but ICMP is giving me problems. I need to be able to ping from the inside to outside and dmz. I add the following for the dmz ...

static (inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.255

and an acl allowing echo-reply from dmz to inside. Ping works from inside to dmz. That above command, however, causes the hair on the back of my neck to stand up! Is there a reason I should not be doing that?

Question 2:

If I add...

static (inside,outside) 192.168.0.0 192.168.0.0 netmask 255.255.255.255

and an acl allowing echo-reply from outside to inside. Ping works from inside to outside, but now IP traffic from inside to outside no longer appears as coming from the outside interface. How do I allow echo-reply from the outside and keep IP traffic appearing as if coming from the outside interface?

Question 3:

When I use the static command...

static (inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.255

people on the inside can access the server in the dmz using the 172.16.0.2 address but not using the xxx.xxx.9.42 address. Can I set the PIX up to allow inside users to be able to use either address?

thx for the help,
wallace
 
Question 1:

To allow ping you need to add access list statements for echo replies. These statements will allow anyone on your inside interface to ping anything on the internet or in your dmz.

access-list INSIDE permit icmp any any
access-list DMZ permit icmp any any echo-reply
access-list OUTSIDE permit icmp any any echo-reply

This should not open you up to any vulnerabilities from the internet or from your dmz.

(also your network masks on your static statements are incorrect. For a 24 bit network you should use a 255.255.255.0 mask)

----------------

Question 2:

You need to remove your "static (inside,outside) 192.168.0.0 192.168.0.0 netmask 255.255.255.255" entry. Your NAT table translating all outbound traffic coming from your inside interface to the outside to look like your outside interface is fine for this. A static statement will override any NAT pool statement. The access list statements from question 1 should allow you to ping outside addresses.

--------------

Question 3

You do need the entry "static (inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.255" to allow access from your inside network to go to your DMZ. For access to the outside address, again your NAT pool should be fine for this. You need to make sure you have your routing set up correctly for your xxx.246.9.60 network. You need to add a route in your internal network for the xxx.246.9.0 network using 192.168.0.1 (inside interface of your PIX). You then need to add an access list for the outbound access.

access-list INSIDE permit tcp 192.168.0.0 255.255.255.0 host xxx.xxx.9.42

Again make sure you check all of your network masks, they do not look correct.
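An added check, not from the thread: a small Python linter run over a constructed copy of the poster's nat/global/static lines (the masked public addresses are replaced with the documentation range 203.0.113.0/24). It flags the two problems raised in the answers above, a host mask on a network static and a static (inside,outside) that takes precedence over the nat/global pair.

```python
import re
from ipaddress import IPv4Network

# Constructed sample, modelled on the thread's config; the poster's masked
# public addresses are replaced with the documentation range 203.0.113.0/24.
SAMPLE_CONFIG = """
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
global (outside) 1 interface
static (DMZ,outside) 203.0.113.42 172.16.0.2 netmask 255.255.255.255
static (inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.255
static (inside,outside) 192.168.0.0 192.168.0.0 netmask 255.255.255.255
"""

NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+)\b")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")

def lint_pix_nat(config: str) -> list[str]:
    """Return one finding per static that shadows a nat/global pool or
    carries a host mask on a network address (interface names lowercased)."""
    nat_pools = {}    # pool id -> (source interface, IPv4Network)
    global_ifs = {}   # pool id -> interfaces carrying a global for that pool
    statics = []
    for raw in config.splitlines():
        line = raw.strip()
        if m := NAT_RE.match(line):
            nat_pools[m[2]] = (m[1].lower(), IPv4Network(f"{m[3]}/{m[4]}"))
        elif m := GLOBAL_RE.match(line):
            global_ifs.setdefault(m[2], set()).add(m[1].lower())
        elif m := STATIC_RE.match(line):
            statics.append((m[1].lower(), m[2].lower(), m[3], m[4], m[5]))

    findings = []
    for high, low, mapped, real, mask in statics:
        real_net = IPv4Network(f"{real}/{mask}", strict=False)
        for pool, (src_if, pool_net) in nat_pools.items():
            if src_if != high or not real_net.overlaps(pool_net):
                continue
            # A /32 mask on the pool's network address translates only the
            # single .0 address, not the subnet the author meant.
            if (mask == "255.255.255.255" and pool_net.prefixlen < 32
                    and real == str(pool_net.network_address)):
                findings.append(f"static ({high},{low}) {real}: host mask on network {pool_net}")
            # A static on the same interface pair takes precedence over
            # nat/global, so inside hosts stop appearing as the global address.
            if low in global_ifs.get(pool, ()):
                findings.append(f"static ({high},{low}) {real}: shadows nat ({high}) {pool} / global ({low})")
    return findings

for finding in lint_pix_nat(SAMPLE_CONFIG):
    print(finding)
```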


 
Hi.

> IP traffic works fine..but icmp is giving me problems
That's OK.
The PIX inspects TCP + UDP and allows return traffic, but does not do it for ICMP.
So you can add:
access-list fromoutside permit icmp any any echo-reply
access-group fromoutside in interface outside
Or the other option is not to test with PING, but rather use other methods like TELNET to specific ports, or simply HTTP.

> static (inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.255
This is not good.
You should use this instead:
global (dmz) 1 interface
OR:
global (dmz) 1 172.16.0.???

> people on the inside can access the server in the dmz using 172.16.0.2 address but not using the xxx.xxx.9.42
You can solve this issue in several ways, here are some:

* Configure the internal DNS server (the one that your internal clients use) with the 172.16.0.2 address for the web server. Users will use an FQDN that will resolve to the private address.

* Use the "alias" command.

* Reconfigure the network to use registered public IP addresses in the DMZ instead of private addressing, and then you'll have "nat (dmz) 0 0 0".

Here are some additional PIX related links:


Yizhar Hurwitz
 
Before answering your questions, I would really take a look at what the true need is for ICMP through the firewall. There's a good reason firewalls disallow ICMP by default!

I will also say that you can ping from your firewall interfaces without adding any special ACLs or static commands. That may be a better alternative to allowing ICMP through the firewall (though I would still recommend turning ICMP off on the outside INT altogether).

Nonetheless, here are your answers:

Question 1) What you did is the only way you could get it to work. This is because an ICMP echo-reply is not ACK traffic, so it will not match any state in the PIX connection table. To go from a lower (DMZ) to a higher (inside) interface, you need to define a static and an access-list, as you have done. Is this a bad thing? Yes, but so is allowing ICMP through your firewall :).

Question 2) Again, since echo-replies are not ACK traffic, you needed to add the static command and an access-list to go from lower to higher security levels. Statics take precedence over NAT/Globals, so what you did was essentially disable NAT and tell the firewall that all your internal IPs should appear as 192.168.x.x addresses on the outside of your firewall. So, can you allow echo-reply from the outside and keep IP traffic appearing as if coming from the outside interface? No, unfortunately, you can't.

Question 3) Inside users should be able to access it by either address with the following command:
alias (inside) x.x.9.42 172.16.0.2 255.255.255.255

Give that a shot and see what happens.
 
Oops. Yizhar is correct on the access-list statements. So, disregard my answers 1 and 2 (as if you already haven't). My apologies...

But I still don't recommend allowing any ICMP through the firewall. It's just best security practice not to.
 