PING to inside address goes thru translation and times out

Hi,

I have just installed a PIX 501 and I'm having an odd issue with PING that results in lost traffic. I am a newbie at PIX configuration so it could be a screw up on my part... ;-)

My set up is as follows

PIX 501, outside has one public IP address and performs translations for 2 others

The two inside servers have an address of 10.0.0.51 and 10.0.0.52 respectively. Outside connectivity to these machines via the translation works flawlessly with no packet loss etc..

However, when I try to ping these two machines from within my inside network from another device, I receive something like this:

Pinging 10.0.0.52 with 32 bytes of data:

Reply from 10.0.0.52: bytes=32 time=2ms TTL=64
Request timed out.
Reply from 10.0.0.52: bytes=32 time=1ms TTL=64
Reply from 10.0.0.52: bytes=32 time=1ms TTL=64

Ping statistics for 10.0.0.52:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 2ms, Average = 1ms

With ICMP tracing turned on, I noticed the following within the PIX:

2907: ICMP echo-request from inside:10.0.2.1 to INSIDE_DQ ID=512 seq=42753 length=40
2908: ICMP echo-request: translating inside:10.0.2.1/512 to outside:X.X.X.X/60
2909: ICMP echo-request: untranslating inside:INSIDE_DQ to outside:OUTIP
2910: ICMP echo-request from inside:10.0.2.1 to INSIDE_DQ ID=512 seq=43777 length=40
2911: ICMP echo-request: translating inside:10.0.2.1/512 to outside:X.X.X.X/61
2912: ICMP echo-request: untranslating inside:INSIDE_DQ to outside:OUTIP

It surprises me that the ICMP echo request is actually getting translated to the outside IP address. I can ping other machines on the inside network without issue; it's just the two machines that have a translation defined for them that have an issue. Also, if I add another non-translated IP address to the machines, they also do not have an issue.

Any ideas on what could be going on in this situation to cause the translation for the ICMP packets to kick in?

Thanks

Wayne

Reply to
wbevan

Walter,

I'm not a pix expert, but isn't that problem overcome

> > :I have just installed a PIX 501 and I'm having an odd issue with PING

Reply to
Anthrax

Walter,

I'm not a security expert, but isn't that problem overcome

> > :I have just installed a PIX 501 and I'm having an odd issue with PING

Reply to
Anthrax

Yes, you are right, Walter, it is not supported for the 501.

Platforms Supported

- Cisco PIX 515 Security Appliance
- Cisco PIX 515E Security Appliance
- Cisco PIX 525 Security Appliance
- Cisco PIX 535 Security Appliance

And yes, it can only route when coming from a VPN...

"PIX version 7.0 improves support for spoke-to-spoke VPN communications as it provides the ability for encrypted traffic to enter and leave the same interface.

The same-security-traffic command permits traffic to enter and exit the same interface when you use it with the intra-interface keyword which enables spoke-to-spoke VPN support."

"Permitting Intra-Interface Traffic

The security appliance includes a feature that lets users on the same subnet send IPSec-protected traffic to each other. It does so by allowing such traffic in and out of the same interface. This is called hairpinning."

"Enhanced Spoke-to-Spoke VPN Support

Version 7.0(1) improves support for spoke-to-spoke (and client-to-client) VPN communications, by providing the ability for encrypted traffic to enter and leave the same interface."

Regarding the top post issue, nobody had told me anything about it before, so I found it interesting and dug in for more information.

So thanks for letting me know that I'm not doing it right; we can always improve. Cheers!

Reply to
Anthrax

In article , snipped-for-privacy@acm.org wrote:
:I have just installed a PIX 501 and I'm having an odd issue with PING
:that results in lost traffic.

:PIX 501, outside has one public IP address and performs translations
:for 2 others

:The two inside servers have an address of 10.0.0.51 and 10.0.0.52
:respectively. Outside connectivity to these machines via the translation
:works flawlessly with no packet loss etc..

:However when I try and ping these two machines from within my inside
:network from another device, I receive something like this

:Pinging 10.0.0.52 with 32 bytes of data:

:2907: ICMP echo-request from inside:10.0.2.1 to INSIDE_DQ ID=512
:seq=42753 length=40

The PIX will not operate as a router for packets on the same interface -- it will not send 10.0.2.1's packets back out the inside interface to 10.0.0.52 . If you have multiple internal subnets, you should have an internal router which is the gateway for all the internal traffic.

Reply to
Walter Roberson
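As an added illustration (not code from the thread or from Cisco), a small Python parser for the PIX ICMP trace format Wayne quoted, which flags echo-requests that entered on the inside interface yet were translated toward outside; those are the hairpin pings Walter explains the 501 will not send back out the inside interface. The sample trace is constructed from Wayne's lines (INSIDE_DQ and OUTIP are his name objects, X.X.X.X his masked public address), plus one assumed untranslated request for contrast.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the trace in the original post; the last
# request (to 10.0.0.60) is an assumed ping to a host with no static translation.
SAMPLE_TRACE = """\
2907: ICMP echo-request from inside:10.0.2.1 to INSIDE_DQ ID=512 seq=42753 length=40
2908: ICMP echo-request: translating inside:10.0.2.1/512 to outside:X.X.X.X/60
2909: ICMP echo-request: untranslating inside:INSIDE_DQ to outside:OUTIP
2910: ICMP echo-request from inside:10.0.2.1 to INSIDE_DQ ID=512 seq=43777 length=40
2911: ICMP echo-request: translating inside:10.0.2.1/512 to outside:X.X.X.X/61
2912: ICMP echo-request: untranslating inside:INSIDE_DQ to outside:OUTIP
2913: ICMP echo-request from inside:10.0.2.1 to 10.0.0.60 ID=512 seq=44801 length=40
"""

REQ_RE = re.compile(r"^\d+: ICMP echo-request from (\w+):(\S+) to (\S+) ID=(\d+) seq=(\d+)")
XLATE_RE = re.compile(r"^\d+: ICMP echo-request: translating (\w+):(\S+)/(\d+) to (\w+):(\S+)/(\d+)")
UNXLATE_RE = re.compile(r"^\d+: ICMP echo-request: untranslating (\w+):(\S+) to (\w+):(\S+)")

@dataclass
class EchoRequest:
    in_if: str                       # interface the request arrived on
    src: str
    dst: str
    icmp_id: str
    seq: str
    xlate_if: Optional[str] = None   # interface the PIX translated the source toward
    unxlate_if: Optional[str] = None # interface the destination was untranslated to

def parse_trace(text: str) -> List[EchoRequest]:
    """Group each 'from ... to ...' line with the translating/untranslating lines that follow it."""
    reqs: List[EchoRequest] = []
    for line in text.splitlines():
        if m := REQ_RE.match(line):
            reqs.append(EchoRequest(*m.groups()))
        elif (m := XLATE_RE.match(line)) and reqs:
            reqs[-1].xlate_if = m.group(4)
        elif (m := UNXLATE_RE.match(line)) and reqs:
            reqs[-1].unxlate_if = m.group(3)
    return reqs

def find_hairpins(reqs: List[EchoRequest]) -> List[EchoRequest]:
    """Requests that came in on 'inside' but were translated toward 'outside':
    an inside-to-inside ping the firewall is handling as if it were leaving."""
    return [r for r in reqs if r.in_if == "inside" and r.xlate_if == "outside"]
```

Running find_hairpins(parse_trace(SAMPLE_TRACE)) returns the two requests to INSIDE_DQ and not the one to 10.0.0.60, mirroring Wayne's observation that only the statically translated hosts are affected.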

In article , Anthrax top-posted:

[Please don't top-post!]

:> The PIX will not operate as a router for packets on the same
:> interface -- it will not send 10.0.2.1's packets back out the
:> inside interface to 10.0.0.52 .

: I'm not a security expert, but isn't that problem overcome in version 7?

Notice this part:

:> In article , snipped-for-privacy@acm.org wrote:
:> :I have just installed a PIX 501

PIX 7.0 is not supported on the PIX 501.

Also, one person posted that the same-interface routing was only supported when VPNs were involved. I have not investigated PIX 7.0 to see.

Reply to
Walter Roberson
