
pix routing...

Status
Not open for further replies.

FredUG (IS-IT--Management), Jul 11, 2003
I can't seem to get this PIX-506e to route...
From the 2600 router I can ping the internet, the inside interface of the router and the outside interface of the PIX.
From the PIX I can 'ping outside <router ip>' or 'ping inside <internal IPs>' but I can't 'ping inside <outside IP>' nor 'ping outside <internal IP>'.

net
|
|
<routable-outside>2600<routable.1/27 255.255.255.224>--<<routable.2/27 255.255.255.224>pix<10.1.1.1/16>--switch==LAN

Here's the important parts of my config:
!
PIX Version 6.3(3)
interface ethernet0 10full
interface ethernet1 10full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list outside_access_in permit tcp any host <routable>.15 eq ident
access-group outside_access_in in interface outside
ip address outside <routable>.2 255.255.255.224
ip address inside 10.1.1.1 255.255.0.0
global (outside) 1 <routable>.21-<routable>.30 netmask 255.255.255.224
nat (inside) 1 10.1.0.0 255.255.0.0 0 0
route outside 0.0.0.0 0.0.0.0 <routable>.1 1

WTF am I forgetting?

TIA,

FredUG
 
The Pix by default will not pass icmp requests. If you add:

access-list 101 permit icmp any any
access-group 101 in interface outside

This will allow icmp requests. Then you can see where your pings are going.

Mark Spencer
 
Actually I'm using:
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any unreachable
access-list outside_access_in permit icmp any any source-quench
access-list outside_access_in permit icmp any any time-exceeded

but I still can't ping the outside int from the inside or vice-versa
 
HI.

Unlike routers, the pix by design will not allow you to ping its own interface from the "other" side.
So you can ping the inside interface only from a host on the inside, and same for outside.

> global (outside) 1 <routable>.21-<routable>.30 netmask 255.255.255.224
It is better to use PAT on a single IP, and reserve the other routable addresses for special needs:

no global (outside) 1 <routable>.21-<routable>.30 netmask 255.255.255.224

global (outside) 1 <routable>.21

clear xlate

> interface ethernet1 10full
Why 10full? Don't you have a 10/100 switch on the LAN?

> interface ethernet0 10full
Is the router configured for the same speed and duplex?

Other than the above comments, the configuration seems fine and will probably let you access the Internet.
But you should test with TCP (telnet, http, ftp, mail, etc.) before ICMP.
And you should start using syslog messages - then you'll have a better dialog with your pix.



Yizhar Hurwitz
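An added example, written for this thread and not taken from any of the posts or from Cisco: a small Python linter for a PIX 6.3 fragment like the one Fred posted. It checks the points raised so far: whether more than one access-group has been bound to the same interface and direction (a PIX 6.3 interface takes one access-group per direction, so binding access-list 101 as Mark suggests replaces outside_access_in rather than adding to it), whether the active outside ACL admits the ICMP echo-replies that inside pings need (Fred's list does), whether each nat id has a matching global, whether the global pool lies inside the outside subnet without covering the interface address, and whether a default route exists. It also notes when a global spans several addresses, which is where Yizhar's single-IP PAT suggestion applies. The sample configuration is constructed to mirror the posted one, with 203.0.113.0/27 standing in for the <routable>/27 block.

```python
"""Lint a PIX 6.3 configuration fragment for the problems raised in this thread.

Added example: SAMPLE_CONFIG is constructed to mirror the posted configuration,
with 203.0.113.0/27 standing in for the <routable>/27 block.
"""
import ipaddress
from collections import defaultdict

SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list outside_access_in permit tcp any host 203.0.113.15 eq ident
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any unreachable
access-list outside_access_in permit icmp any any time-exceeded
access-group outside_access_in in interface outside
access-list 101 permit icmp any any
access-group 101 in interface outside
ip address outside 203.0.113.2 255.255.255.224
ip address inside 10.1.1.1 255.255.0.0
global (outside) 1 203.0.113.21-203.0.113.30 netmask 255.255.255.224
nat (inside) 1 10.1.0.0 255.255.0.0 0 0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
"""


def parse(config):
    """Pull the statements the checks need out of a PIX 6.3 fragment."""
    cfg = {"acls": defaultdict(list), "groups": defaultdict(list),
           "ip": {}, "globals": defaultdict(list), "nats": set(), "routes": []}
    for line in config.splitlines():
        p = line.split()
        if not p:
            continue
        if p[0] == "access-list":            # access-list NAME permit|deny PROTO ...
            cfg["acls"][p[1]].append(p[2:])
        elif p[0] == "access-group":         # access-group NAME in interface IFACE
            cfg["groups"][(p[4], p[2])].append(p[1])
        elif p[:2] == ["ip", "address"]:     # ip address IFACE ADDR MASK
            cfg["ip"][p[2]] = ipaddress.ip_interface(f"{p[3]}/{p[4]}")
        elif p[0] == "global":               # global (IFACE) ID ADDR[-ADDR] ...
            cfg["globals"][p[2]].append((p[1].strip("()"), p[3]))
        elif p[0] == "nat":                  # nat (IFACE) ID NET MASK ...
            cfg["nats"].add(p[2])
        elif p[0] == "route":                # route IFACE NET MASK GATEWAY METRIC
            cfg["routes"].append(p[1:])
    return cfg


def permits_echo_reply(entries):
    """True if the ACL admits echo-replies: 'permit icmp any any' or an explicit echo-reply entry."""
    return any(e[0] == "permit" and e[1] == "icmp" and (len(e) == 4 or "echo-reply" in e)
               for e in entries)


def lint(config):
    """Return a list of human-readable findings for the fragment."""
    cfg = parse(config)
    findings = []

    # One access-group per interface and direction: a second binding replaces the first.
    for (iface, direction), names in cfg["groups"].items():
        if len(names) > 1:
            findings.append(f"{iface} {direction}: bound {len(names)} times, only '{names[-1]}' "
                            f"is active, '{names[0]}' is replaced")
        for name in names:
            if name not in cfg["acls"]:
                findings.append(f"access-group references undefined access-list '{name}'")

    # Pings from the inside only get answers if the active outside ACL permits echo-reply.
    active = cfg["groups"].get(("outside", "in"))
    if active and not permits_echo_reply(cfg["acls"].get(active[-1], [])):
        findings.append(f"'{active[-1]}' does not permit icmp echo-reply; inside pings get no answer")

    # Every nat id needs a global with the same id, or inside hosts have no translation.
    for nat_id in sorted(cfg["nats"] - set(cfg["globals"])):
        findings.append(f"nat id {nat_id} has no matching global")

    # Global pools must sit inside the outside subnet and must not cover the interface address.
    for gid, pools in cfg["globals"].items():
        for iface, spec in pools:
            ifaddr = cfg["ip"].get(iface)
            if ifaddr is None:
                continue
            lo, _, hi = spec.partition("-")
            lo, hi = ipaddress.ip_address(lo), ipaddress.ip_address(hi or lo)
            if lo not in ifaddr.network or hi not in ifaddr.network:
                findings.append(f"global {gid} pool {spec} is outside {ifaddr.network}")
            if lo <= ifaddr.ip <= hi:
                findings.append(f"global {gid} pool {spec} covers the {iface} interface address")
            if hi > lo:
                findings.append(f"note: global {gid} is a pool of {int(hi) - int(lo) + 1} addresses; "
                                "a single address gives PAT and frees the rest")

    # Without a default route nothing reaches the router.
    if not any(r[1] == r[2] == "0.0.0.0" for r in cfg["routes"]):
        findings.append("no default route")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the linter reports two things: that the second access-group line on the outside interface has replaced outside_access_in with 101, and that global 1 is a ten-address pool. Dropping the two 101 lines and shrinking the global to a single address leaves a fragment that passes every check, which is the shape Yizhar's reply proposes.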
 
> Unlike routers, the pix by design will not allow you to ping its own interface from the "other" side. So you can ping the inside interface only from a host on the inside, and same for outside.

Ahhh, that explains the ping tests failing, but nothing passes through the pix with the current running-config.

> It is better to use PAT on a single IP, and reserve the other routeable addresses for special needs:

According to Cisco, PAT isn't always the right choice:

"Note: PAT does not work with most H.323 multimedia applications and caching nameservers. Some multimedia applications can conflict with port mappings provided by PAT. PAT does not work with the established command. PAT works with DNS, FTP and passive FTP, HTTP, email, RPC, rshell, Telnet, URL filtering, and outbound traceroute."

> Why 10full? Don't you have a 10/100 switch on the LAN?
Yep, we sure do but we don't have a 10M pipe to the internet so it shouldn't matter. The hosts still enjoy 100M.

> Is the router configured for the same speed and duplex?
The router can ping the outside of the pix but the pix can only ping the router from the outside interface. Nothing on the inside is passing through the pix, not http, mail nor icmp. Also, the static NAT maps aren't passing outside-in.


> Other than the above comments, the configuration seems fine and will probably let you access the Internet. But you should test with TCP (telnet, http, ftp, mail, etc.) before ICMP. And you should start using syslog messages - then you'll have a better dialog with your pix.

Last time I tested nothing passed, I'll try again tonight and we'll see.

TIA,

FredUG
 
Just to defend PAT here for a minute....

Most all firewalls implement NAT/PAT. As a result of this, most all people's programs have been upgraded to handle NAT/PAT implementations. If you think about it, most people's DSL home routers only run in NAT/PAT. :)

I think you'd be hard pressed to find a reasonably current program that won't work over PAT.

I would do PAT from the beginning, and only use a 1-to-1 NAT if problems occurred with a major application.
 
I have to agree that most home broadband routers must be using PAT and that most apps should be ok, but that still doesn't change what Cisco explains as a potential problem with H.323 apps or caching name servers. That said, I've not heard of any specific examples of these things not working. Regardless of the NAT vs. PAT debate, my config still isn't working and I *doubt* it's due to the NAT/PAT lines, or is that exactly the problem? I just noticed that I'm missing the 'clear xlate' command in my config so maybe that's the problem. I appreciate everyone's advice, I'd really like to resolve this issue.

FredUG


 