
Ping through PIX, HELP!!


hollandCAT (Technical User), May 26, 2005
Hello everyone,

I started configuring a PIX 515 and implemented an ACL to test ping.

My task is:
1. ping from an outside network PC to the outside PIX interface,
2. ping from an inside network PC to the inside PIX interface,
3. ping from an outside PC to an inside network PC (the ping goes through the PIX).
After testing, I still cannot ping successfully between the 2 PCs. Who can help???

outside network pc (ip address 200.1.1.15)--> PIX outside interface(200.1.1.1) -->pix inside interface (10.1.1.1)-->local network PC (10.1.1.5)

My configuration is below:
nameif ethernet0 outside security0
nameif ethernet1 inside security100
.....
access-list 101 permit icmp any host 200.1.1.5 echo-reply
access-list 101 permit icmp any host 200.1.1.5 source-quench
access-list 101 permit icmp any host 200.1.1.5 unreachable
access-list 101 permit icmp any host 200.1.1.5 time-exceeded
pager lines 24
interface ethernet0 100full
interface ethernet1 100full
icmp permit any outside
mtu outside 1500
mtu inside 1500
ip address outside 200.1.1.1 255.255.255.224
ip address inside 10.1.1.1 255.255.255.0
global (outside) 1 200.1.1.10
global (outside) 1 200.1.1.35
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 101 in interface outside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 200.1.1.1 1



Please help!

Joanna
 
hello!

There are two things:

1) To ping through the PIX, you need an ACL applied to the interfaces.

2) To ping the PIX itself, you need the icmp permit statement. By default you can ping the interfaces of the PIX.

An important thing is that the PIX does not handle ICMP in a stateful way, so you have to enable the way back.
If you want to ping a PC behind the PIX (inside LAN), you have to enable it in the ACL for the outside interface. The way back must be enabled on the inside interface (with the ACL, if you have one). If you want to ping PCs from a lower security level to a higher security level, you will need a static entry (then the translation will be opened in both directions) as well.

Another thing is that you can only ping the PIX interface which is facing you. For example, from the inside LAN you can only ping the IP address of the inside interface of the PIX. Trying to ping another interface of the PIX from the inside LAN will NOT work.

martin

----------------------------------
Martin Peinsipp, Austria
CCSA,
IT-Security-Administrator
 
Joanna,

Post the full config, so we can see the total setup of your Pix. Your interfaces may not even be set to the correct speeds. Your config should have these statements:

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0


This should at least get you started. Why do you have 2 nat and global statements? Nat (inside) 1 10.0.0.0 255.0.0.0 will not work. If your outside IP address is set to 200.1.1.1, then what are global (outside) 1 200.1.1.35 and .10? Hope this helps,

FWHater,
------------
CCSA
 
I don't see how you've translated 200.1.1.5 outside to 10.1.1.5 inside. You need a "static" statement.

The nat & global is ok, but the 2 nat statements don't accomplish anything since "0 0 0 0" is using the same nat group. You could delete the one for 10.0.0.0.
 
Hi,
here is the full configuration.
And I had a static statement which translates 200.1.1.5 to 10.1.1.5.

thanks all,
joanna

------

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security20
hostname Firewall

clock timezone CET +1
clock summer-time EDT recurring
names
pager lines 24
no logging on

interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full

ip address outside 200.1.1.1 255.255.255.224
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0

arp timeout 14400

global (outside) 1 200.1.1.10-200.1.1.30 netmask 255.255.255.0
global (outside) 1 200.1.1.35 netmask 255.255.255.0

nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 1 10.0.0.0 255.0.0.0

route outside 0.0.0.0 0.0.0.0 200.1.1.1 1

access-list 101 permit icmp any host 200.1.1.5 echo-reply
access-list 101 permit icmp any host 200.1.1.5 source-quench
access-list 101 permit icmp any host 200.1.1.5 unreachable
access-list 101 permit icmp any host 200.1.1.5 time-exceeded
access-group 101 in interface outside

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server community public

static (inside,outside) 200.1.1.5 10.1.1.5 netmask 255.255.255.255
access-list 101 permit icmp any host 200.1.1.5 echo
access-group 101 in interface outside
 
Hello martinp05,

Is there a misconfiguration in my file?
Or do I need to implement more ACL statements?

Joanna
 
Your default route is pointing to the Pix itself (200.1.1.1). It should specify the ISP's router as the next hop.

There is an issue with the second "global" statement, after all. It's outside of your public IP range of .1-.31.

 
Hi,

The second statement, .35 (global (outside) 1 200.1.1.35 netmask 255.255.255.0), is out of the range 1-30 because I want .35 to be used for mapping as well. Is that a problem?

I will try it again,
thanks


Joanna
 
The subnet masks should all agree. Your netmask on the "ip address outside" statement is 255.255.255.224, on the global statements it's 255.255.255.0.

If you actually have the full /24 available, you could receive packets addressed to 200.1.1.35, but I don't know what the Pix would do with it. I believe that it would be dropped.
 