
routing config problem, can't ping, need help

Status
Not open for further replies.

DanInRaleigh

Technical User
Jul 14, 2004
...This is my first posting ever! I really like these forums from Tek-Tips; they seem to be loaded with good info...
..I hope someone can help me, and someone else can learn from my lack of experience...

I am trying to set up a VPN tunnel through a couple of devices in my home lab, but I can't even ping between them.

The network goes like this:

comcast
|
Public ip address e0
Windows 2003 Server with RRAS running
Private internal ip address e1 (192.168.1.1) with rip ver 2 going
|
192.168.1.2/24 e0
3600 router with rip out both interfaces
10.0.0.1/8 e1
|
10.0.0.2/8 (outside interface) rip ver 2 going out
Pix 501

From the Windows server (I have to disable e0, or my pings obviously go out to the internet): when e0 is disabled I can ping 192.168.1.2 and 10.0.0.1.

From Windows, why can't I ping 10.0.0.2 on the PIX?


From the 3600 I can ping all interfaces.

From the PIX I can only ping the directly connected 10.0.0.1 and can't even ping 192.168.1.2 (I thought with RIP running I could).

I swapped the IP addresses between the Windows 2003 server and the 3600 to see if I could keep the pings from going out to the internet (192.168.1.2 on Windows and 192.168.1.1 on the 3600), but this didn't make the ping go in the right direction either.

So, to recap:

Why can't I ping from the PIX to 192.168.1.2?

And why can't I ping from Windows to 10.0.0.2 (the PIX)? (The 3600 pings the PIX no problem.)

Below is the PIX config:

PIX Version 6.3(1)
interface ethernet0 10full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password QBttglyrUypjyOk2 encrypted
passwd QBttglyrUypjyOk2 encrypted
hostname pix
domain-name goiania.us
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 10.0.0.2 255.0.0.0
ip address inside 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.2.0 255.255.255.0 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
rip outside default version 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.2.2 pixfirewall/config/test_config
floodguard enable
telnet 192.168.1.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 60
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.2-192.168.2.32 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username daniel password kk/FO.l8EUv46pSq encrypted privilege 2
username Daniel1 password Oxiu5kmZ4UJA/ir0 encrypted privilege 2
terminal width 80
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end

Below is the 3600 config:

3600#show run
Building configuration...

Current configuration : 1631 bytes
!
version 12.1
service single-slot-reload-enable
no service timestamps debug uptime
no service timestamps log uptime
no service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname 3600
!
!
!
!
!
!
no ip subnet-zero
no ip source-route
no ip domain-lookup
!
ip dhcp-server 192.168.1.1
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Ethernet0/0
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1
ip address 10.0.0.1 255.0.0.0
full-duplex
!
interface Ethernet0/2
no ip address
shutdown
!
interface Ethernet0/3
no ip address
shutdown
!
interface Ethernet1/0
ip address 192.168.50.2 255.255.255.0

router rip
version 2
network 10.0.0.0
network 172.168.0.0
network 192.168.1.0
!
ip classless
ip http server
!
!
line con 0
exec-timeout 0 0
password Daniel1
login
line aux 0
line vty 0 4
password Daniel1
login
!
end
 
As I recall, the Pix normally allows ICMP between itself and devices on the connected networks. If you want to allow it from other networks, you need to allow it:

icmp permit 192.168.1.0 255.255.255.0 echo outside

If you want to ping out from the Pix, you need to allow the replies:

icmp permit 192.168.1.0 255.255.255.0 echo-reply outside

Remember that ICMP is different from other protocols. A reply isn't part of an established connection, so the default Pix behaviour of allowing inbound replies to outbound requests doesn't apply.


 
Thanx Igarner for the reply..
..I have played around with many configs (including yours and other similar ones)...
...can't get the damn PIX to return a reply from anything other than directly connected...
...debug icmp trace on the PIX shows it is seeing the protocol...
...something in the config..will keep trying..

Not sure if I need to straight up add an ACL...

thanx again, Dan
 
On the PIX add

access-list Outside permit icmp any any

then apply the access-list to the outside interface:

access-group Outside in interface outside
 
Thanx for the reply...

...I added the ACL as recommended... still a "no go".
..Below is the latest config of the PIX (the lines I added are marked with ***)..


PIX Version 6.3(1)
interface ethernet0 10full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password QBttglyrUypjyOk2 encrypted
passwd QBttglyrUypjyOk2 encrypted
hostname pix
domain-name goiania.us
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol icmp error
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
***access-list ping_outside permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 10.0.0.2 255.0.0.0
ip address inside 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.2.0 255.255.255.0 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
***access-group ping_outside in interface outside
rip outside default version 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.2.2 pixfirewall/config/test_config
floodguard enable
telnet 192.168.1.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 60
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.2-192.168.2.32 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username daniel password kk/FO.l8EUv46pSq encrypted privilege 2
username Daniel1 password Oxiu5kmZ4UJA/ir0 encrypted privilege 2
terminal width 80
Cryptochecksum:b95ac9db5055990f44384f31e2fab7c2
: end

...I used the access list; still no ping reply!


My lab topology below:

Windows <--> (e1) 3600 (e0) <--> (e0) pix

When the pix pings the 3600's e0: ping reply.
When the pix pings the 3600's e1: no reply!

When Windows pings the 3600's e0 or e1: reply.
When Windows pings the pix e0: no reply..

...below is the debug icmp trace output when I pinged from the Windows box to the pix:
pix(config)# 275: ICMP type 240 (code 47) 192.168.1.1 > 10.0.0.2
276: ICMP echo reply (len 32 id 3 seq 4352) 10.0.0.2 > 192.168.1.1
277: ICMP type 240 (code 47) 192.168.1.1 > 10.0.0.2
278: ICMP echo reply (len 32 id 3 seq 4608) 10.0.0.2 > 192.168.1.1
279: ICMP type 240 (code 47) 192.168.1.1 > 10.0.0.2
280: ICMP echo reply (len 32 id 3 seq 4864) 10.0.0.2 > 192.168.1.1
281: ICMP type 240 (code 47) 192.168.1.1 > 10.0.0.2
282: ICMP echo reply (len 32 id 3 seq 5120) 10.0.0.2 > 192.168.1.1

..so I know the pix is seeing the protocol... why doesn't the pix let the Windows box see the reply, and when I ping from the pix to the 3600 (e1), why doesn't the pix get an ICMP reply???

...thanx for any help or suggestions..
 
Add a static route on the pix saying 192.168.1.0/24 is via 10.0.0.1, then try it. If that works, then RIP isn't working as it should.

e.g.

route outside 192.168.1.0 255.255.255.0 10.0.0.1

CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP ;)
 

You are the man!!!
It works!!!
...good job chicocouk!!!

I would never have guessed....
....I need to figure out what is going on with RIP...
Will have to do some debugging; maybe that will shed some light....



trying to get my CCSP
have MCSE,CCNA,A+,NET+,SECURITY+
 
Glad to help mate :)

I *think* the problem is your rip statement in the pix, which is

rip outside default version 2

That broadcasts a default route on the outside interface. What you actually want it to do though is to listen for rip updates, which i *think* you do by entering

rip outside passive version 2

But I'll admit I don't play with RIP on the Pix very often, which is why I didn't just suggest that from the start. Give it a go though, see if that sorts it.

Good luck with the CCSP, if you know cisco's take on ipsec inside out you'll get loads of similar questions on the pix, secur and vpn concentrator exams, so really know it and you're about quarter of the way there on 3 of the 5 exams. Got my checkpoint CCSA exam tomorrow, should really be studying that instead of being here ... ooops

CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP ;)
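Added example, not from the thread or from Cisco: a small Python model of the PIX 6.x routing lookup that ties together the two suggestions above, the static route and the `rip ... passive` statement. It parses the `ip address`, `route` and `rip` lines of the PIX config quoted in the thread and shows that without the static route the PIX has no path back to 192.168.1.0/24 (so the echo reply seen in `debug icmp trace` has nowhere to go), and that only `rip <if> passive` makes an interface listen for RIP updates, while `rip <if> default` just advertises a default route. The config excerpts are constructed from the thread's config; the function names are assumptions of mine.

```python
import ipaddress

# Constructed excerpt of the thread's PIX 6.3 config (the routing-relevant lines).
PIX_BEFORE = """\
ip address outside 10.0.0.2 255.0.0.0
ip address inside 192.168.2.1 255.255.255.0
rip outside default version 2
"""

# Same excerpt plus the static route suggested in the thread.
PIX_WITH_ROUTE = PIX_BEFORE + "route outside 192.168.1.0 255.255.255.0 10.0.0.1\n"

# Same excerpt with 'default' (advertise 0/0) swapped for 'passive' (listen for updates).
PIX_WITH_PASSIVE = PIX_BEFORE.replace("rip outside default version 2",
                                      "rip outside passive version 2")


def parse_pix(config):
    """Collect connected networks, static routes and RIP-listening interfaces."""
    connected, static, rip_listen = {}, [], set()
    for line in config.splitlines():
        p = line.split()
        if p[:2] == ["ip", "address"] and len(p) >= 5:
            connected[p[2]] = ipaddress.ip_network(f"{p[3]}/{p[4]}", strict=False)
        elif p[:1] == ["route"] and len(p) >= 5:
            static.append((p[1], ipaddress.ip_network(f"{p[2]}/{p[3]}", strict=False), p[4]))
        elif p[:1] == ["rip"] and len(p) >= 3 and p[2] == "passive":
            rip_listen.add(p[1])  # 'default' only advertises 0/0; it learns nothing
    return connected, static, rip_listen


def egress_for(config, dst):
    """Interface and next hop the PIX would use to reach dst, or None if it has no route.

    The PIX builds the echo reply (the debug trace shows it) but can only send it
    when this lookup succeeds, so None means the Windows box never sees the reply.
    """
    connected, static, _ = parse_pix(config)
    ip = ipaddress.ip_address(dst)
    for ifname, net in connected.items():
        if ip in net:
            return ifname, "connected"
    # Longest-prefix match over the static routes.
    for ifname, net, nh in sorted(static, key=lambda r: r[1].prefixlen, reverse=True):
        if ip in net:
            return ifname, nh
    return None


def can_learn_via_rip(config, ifname):
    """True when the interface is set to listen for RIP updates ('passive')."""
    return ifname in parse_pix(config)[2]
```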
 
...good luck on your Checkpoint exam...

....do you get hands-on Checkpoint config? (I guess what I'm trying to say is, do you have a Checkpoint box?)

I took a Checkpoint class..downloaded the Checkpoint simulator (runs on a Windows box)...and configured some..(not the real thing, but it gives you a feel)...that Checkpoint was a little monster...

...thanx about the RIP config..I will throw that in..take the route config out...and see what happens...

And also thanx for the advice about IPsec...that's what I'm trying to do now: set up IPsec between the Windows box and the pix, but through a network (pretend the VPN/IPsec will be going through a public network).

Also good luck finishing your CCSP..

thanx again, Dan


trying to get my CCSP
have MCSE,CCNA,A+,NET+,SECURITY+
 
Recently changed jobs and now work for a managed security company, our main speciality is checkpoint, but i was hired because of my cisco skills. So I've got to learn fast, because almost everything I do on a day to day is checkpoint or nokia based now. It's definitely a different ball game from the pix, not sure which i prefer. C/point is friendlier on first impression, nicer gui, more features (vpn routing, http filtering, filtering of p2p over http, clustering etc), but (especially on nokia boxes) seems to fall over more often ... that might not be fair, but it's my impression.

Pix is a more dedicated beast, purpose built device, hardly any o/s to worry about, and seems more resilient. Does what it says on the tin. I know the pix much better than c/point, so I kinda favour them at the moment. I feel happier troubleshooting them and know the usual quirks and how to sort them (well, some of them).

They're a bit apples and oranges really ...

CCSP? Got the SAFE and IDS exams to do; not seen a Cisco IDS box since the course about six months ago, when the exam was in beta and no one knew how to pass it. Not looking forward to that exam ...

CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP ;)
 
...hey, removed the static route..
...put in passive RIP...
...still able to ping....
..so good thinking....
..thanx a lot
..Dan

trying to get my CCSP
have MCSE,CCNA,A+,NET+,SECURITY+
 
chicocouk,

Got a question..
...I am a hands-on person..... and I didn't realize that Cisco makes a Cisco IDS box specifically for IDS...

Pretty dag expensive...(couple thousand)

I am seeing different Cisco IOSes offering IDS (on eBay).. example below


If what you are saying is that the IDS part of the CCSP will be hard...(and even if it wasn't, I still want to know what the heck is going on)...then I will definitely have to experience the real thing...

..My question is..I wonder if these router boxes they are offering on eBay with IDS have the same functionality as something like the Cisco IDS-4235 sensor..or are they not one and the same..


Any info will be much appreciated before I haul off and buy something like the above link...


trying to get my CCSP
have MCSE,CCNA,A+,NET+,SECURITY+
 
Should be leaving now for this exam, just checked my mail quickly, so I'll be brief, maybe post more info later. That box won't help with the IDS course at all, but it may well help with the Secur exam, as it's effectively the firewall feature set. Like the pix, you can get a mini IDS in the router's feature set, but the dedicated sensors are much more powerful.

Problem with the IDS exam is that older Cisco IDS sensors ran on a dedicated hardened Unix device. Due to licencing etc Cisco recently moved them onto a hardened Linux device instead, so they're effectively completely different, so all the books, earlier Boson exams etc were no longer relevant, hence the exam went into beta while Cisco tried to figure out what they could justifiably ask people about these boxes that nobody buys and gets to play with because they're too expensive ...

CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP ;)
 