PIX to PIX: new subnet cannot ping to other side

Hi Guys,

I have 2 PIXes in place. One end is a 192.168.1.x and 192.168.2.x network, the other end is a 192.168.3.x network.

Ping/Access to/from both sides is ok.

Now I've installed an ISA2004 on the 192.168.1.x network. This server has a NIC with a 192.168.4.0 network. From this network I am unable to ping the 192.168.3.0 network. I think the problem is in the PIX setup, but I am pretty sure I created the correct access lists, allowed ICMP, etc.

Logging on the pix shows ICMP request, but no replies.

The ISA2004 server allows traffic, and the log file doesn't show any denied connections, so traffic is flowing freely.

I am baffled about this, and not sure what to do next.

Is there anyone with suggestions how to troubleshoot this issue ? I inserted a link with a pic to make things a bit more clear.

I will be forever grateful :))

Reply to
RLM

Even if you lost all the links in your picture, I can tell you that you need to specify on both interfaces which ICMP traffic is permitted. So don't treat ICMP like UDP or TCP, thinking of specifying rules only on one side.

HTH

Alex.

Reply to
AM

specify on both the interface which ICMP

specified rules only on one side.

Hi Alex,

I have enabled ICMP on both interfaces:

icmp permit any outside
icmp permit any inside

I don't see any denied errors when I debug the PIX.

Thanks for the suggestion though. Any other things I could check ?

Reply to
RLM

Please update the picture with the correct links. It's quite hard to understand your network only by seeing its elements without knowing how they are connected. Moreover, I suggest having a look at the syslog server to see if you can find interesting messages like "no route to host" or something like that.

Alex

Reply to
AM

understand your network only by seeing its elements

interesting messages like "no route to

I've updated the diagram. Pinging from 192.168.3.2 to 192.168.4.1 doesn't work. It seems the ping stops directly at the 501 pix. In the debug I can see a request for ping, but on the 506 it never arrives.

Thanks, Dick

Reply to
RLM

I noticed the public IPs on your DSL connections, yet no mention of VPNs. Since private addresses aren't routed over the internet, your ISP must be doing something to the traffic (VPN) or addresses (NAT); either way they might have their own rules in place that are preventing the traffic. Or maybe you are doing the VPN with the PIX, in which case you should post the config; it might just be a matter of adding a permit for the 192.168.4.x traffic for the VPN tunnel.

Reply to
RC

Hi RC,

The PIX is setting up the VPN, so here are the 2 configs of both devices (I deleted some irrelevant info, such as pdm location, etc.):

Thanks !

501 config

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixbest-nl
domain-name ourdomain.nl
no names
name 192.168.3.0 re
name 192.168.1.0 Nederland
name 192.168.2.0 Plant
name 192.168.1.17 mitu1
name 192.168.1.25 exchmitnl
name 212.238.249.0 DemonNET
name 192.168.2.16 mituplant1
name 192.168.1.106 AdminPC
name 192.168.3.251 switch
name 192.168.3.2 mitubest1
name 192.168.3.240 IT_Laptop1
name 192.168.4.25 mail
name 192.168.4.0 DMZ
object-group service test udp
  port-object range 4500 4500
object-group network IT_Laptops
  network-object 192.168.3.240 255.255.255.255
object-group service IT tcp
  port-object eq www
  port-object eq ssh
  port-object eq https
  port-object eq ftp
  port-object eq nntp
access-list inside_access_in permit tcp 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list inside_access_in permit udp 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list inside_access_in permit ip 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list inside_access_in permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_access_in permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_access_in permit tcp 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_access_in permit tcp 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_access_in permit udp 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_access_in permit udp 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_access_in permit tcp host 192.168.3.2 host 192.168.1.25 eq smtp
access-list inside_access_in permit tcp object-group IT_Laptops any object-group IT
access-list inside_access_in permit icmp any any
access-list inside_access_in deny ip any any
access-list outside_access_in remark
access-list outside_access_in permit icmp any any
access-list outside_access_in permit ip 192.168.4.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list outside_access_in permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list outside_access_in permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list outside_access_in permit udp 192.168.4.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list outside_access_in permit udp 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list outside_access_in permit udp 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list outside_access_in permit tcp 192.168.4.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list outside_access_in permit tcp 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list outside_access_in permit tcp 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list outside_access_in deny ip any any
access-list inside_nat0_outbound permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list outside_cryptomap_30 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_30 permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 10.250.1.1 255.255.255.240
ip address inside 192.168.3.254 255.255.255.0
ip audit name inside_attack attack action alarm
ip audit name outside_info info action alarm
ip audit name outside_attack attack action alarm reset
ip audit name inside_info info action alarm
ip audit interface outside outside_info
ip audit interface outside outside_attack
ip audit interface inside inside_info
ip audit interface inside inside_attack
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 212.238.249.2 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
floodguard enable
crypto ipsec transform-set pix_501-VPN esp-aes-192 esp-md5-hmac
crypto map outside_map 30 ipsec-isakmp
crypto map outside_map 30 match address outside_cryptomap_30
crypto map outside_map 30 set pfs group2
crypto map outside_map 30 set peer 82.161.13.162
crypto map outside_map 30 set transform-set pix_501-VPN
crypto map outside_map 30 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
management-access outside
console timeout 0
vpdn enable outside
terminal width 80
: end

506 config

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 10full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname PIX-NL
domain-name ourdomain.nl
names
name 10.49.43.2 MITDEVT
name 10.49.40.1 Server1
name 62.225.102.178 RemoteAdmin
name 10.49.40.0 ness
name 192.168.1.25 ProxyServer
name 192.168.1.17 Mitu1
name 62.225.102.180 RemotePDM
name 82.161.13.160 DemonNET
name 192.168.1.16 MITNL
name 192.168.1.0 Nederland
name 192.168.10.0 Belgie
name 192.168.10.5 Server
name 192.168.100.1 mi-Server
name 192.168.100.0 Japan
name 192.168.2.0 Plant
name 192.168.3.0 re_bst
name 10.250.2.0 pool
name 192.168.1.18 sqlmitnl
name 192.168.3.2 mitubst1
name 192.168.2.16 mituplant1
name 10.49.43.0 AS400_Subnet
name 10.250.1.1 GateWay
name 192.168.1.15 samserver
name 192.168.5.0 testpool
name 192.168.1.240 IT_Laptop1
name 192.168.1.241 IT_Laptop2
name 192.168.4.0 DMZ
name 192.168.4.25 mail
object-group service IT tcp
  port-object eq ssh
  port-object eq nntp
  port-object eq ftp
  port-object eq www
  port-object eq https
object-group service Proxy_TCP tcp
  description General TCP services for proxy server
  port-object eq www
  port-object eq pop3
  port-object eq ftp
  port-object eq https
  port-object eq smtp
  port-object eq nntp
  port-object range 8801 8801
object-group service Proxy_UDP udp
  description General UDP services for proxy server
  port-object eq domain
  port-object eq ntp
object-group service Streaming tcp
  description Streaming Protocols
  port-object range 1755 1755
  port-object range 554 554
object-group service Streaming_UDP udp
  port-object range 1755 1755
  port-object range 5005 5005
  port-object range 2460 2460
  port-object range 5004 5004
object-group service ADP tcp
  description FInancial Program
  port-object range 5758 5758
  port-object range 5756 5756
object-group network Networks_Vdaal
  description Networks Sales and Plant
  network-object Nederland 255.255.255.0
  network-object Plant 255.255.255.0
object-group network IT_Laptops
  network-object IT_Laptop1 255.255.255.255
  network-object IT_Laptop2 255.255.255.255
access-list compiled
access-list inside_outbound_nat0_acl permit ip Nederland 255.255.255.0 ness 255.255.248.0
access-list inside_outbound_nat0_acl permit ip Nederland 255.255.255.0 Belgie 255.255.255.0
access-list inside_outbound_nat0_acl permit ip Nederland 255.255.255.0 Japan 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any pool 255.255.255.128
access-list inside_outbound_nat0_acl permit ip Plant 255.255.255.0 Japan 255.255.255.0
access-list inside_outbound_nat0_acl permit ip Plant 255.255.255.0 Belgie 255.255.255.0
access-list inside_outbound_nat0_acl permit ip Nederland 255.255.255.0 re_bst 255.255.255.0
access-list inside_outbound_nat0_acl permit ip Plant 255.255.255.0 re_bst 255.255.255.0
access-list inside_outbound_nat0_acl permit ip DMZ 255.255.255.0 re_bst 255.255.255.0
access-list inside_outbound_nat0_acl permit ip Plant 255.255.255.0 AS400_Subnet 255.255.255.0
access-list inside_outbound_nat0_acl permit ip Plant 255.255.255.0 ness 255.255.248.0
access-list outside_cryptomap_20 permit ip Nederland 255.255.255.0 ness 255.255.248.0
access-list outside_cryptomap_20 permit ip Nederland 255.255.255.0 Japan 255.255.255.0
access-list outside_cryptomap_20 permit ip Plant 255.255.255.0 ness 255.255.248.0
access-list outside_cryptomap_20 permit ip Plant 255.255.255.0 Japan 255.255.255.0
access-list outside_inbound_nat0_acl permit ip ness 255.255.248.0 Nederland 255.255.255.0
access-list outside_inbound_nat0_acl permit ip ness 255.255.248.0 Plant 255.255.255.0
access-list outside_inbound_nat0_acl permit ip Belgie 255.255.255.0 Nederland 255.255.255.0
access-list outside_inbound_nat0_acl permit ip Belgie 255.255.255.0 Plant 255.255.255.0
access-list outside_access_in deny tcp host RemoteAdmin interface outside eq telnet
access-list outside_access_in permit ip any interface outside
access-list outside_access_in permit tcp any host 82.161.13.162 eq smtp
access-list outside_access_in permit icmp any any
access-list outside_access_in permit ip host mitubst1 object-group Networks_Vdaal
access-list outside_access_in permit ip host mitubst1 DMZ 255.255.255.0
access-list outside_access_in permit ip ness 255.255.248.0 Plant 255.255.255.0
access-list outside_access_in permit tcp host mitubst1 object-group Networks_Vdaal
access-list outside_access_in permit udp host mitubst1 object-group Networks_Vdaal
access-list outside_access_in deny ip any any
access-list inside_access_in permit tcp DMZ 255.255.255.0 re_bst 255.255.255.0
access-list inside_access_in permit udp DMZ 255.255.255.0 re_bst 255.255.255.0
access-list inside_access_in permit icmp DMZ 255.255.255.0 re_bst 255.255.255.0
access-list inside_access_in permit ip DMZ 255.255.255.0 re_bst 255.255.255.0
access-list inside_access_in permit ip object-group Networks_Vdaal ness 255.255.248.0
access-list inside_access_in permit ip Nederland 255.255.255.0 Belgie 255.255.255.0
access-list inside_access_in permit ip object-group Networks_Vdaal re_bst 255.255.255.0
access-list inside_access_in permit tcp object-group Networks_Vdaal re_bst 255.255.255.0
access-list inside_access_in permit udp object-group Networks_Vdaal re_bst 255.255.255.0
access-list inside_access_in permit tcp Nederland 255.255.255.0 Japan 255.255.255.0 eq www
access-list inside_access_in permit tcp Nederland 255.255.255.0 Japan 255.255.255.0 object-group Streaming
access-list inside_access_in permit udp Nederland 255.255.255.0 Japan 255.255.255.0 object-group Streaming_UDP
access-list inside_access_in permit tcp Plant 255.255.255.0 Japan 255.255.255.0 eq www
access-list inside_access_in permit tcp host ProxyServer any object-group Proxy_TCP
access-list inside_access_in permit udp host ProxyServer any object-group Proxy_UDP
access-list inside_access_in permit tcp object-group IT_Laptops any object-group IT
access-list inside_access_in permit udp host Mitu1 any eq ntp
access-list inside_access_in permit udp host Mitu1 any eq domain
access-list inside_access_in permit icmp any any
access-list inside_access_in permit tcp Nederland 255.255.255.0 any object-group ADP
access-list inside_access_in permit tcp any any eq telnet
access-list inside_access_in deny ip any any
access-list outside_cryptomap_30 permit ip Nederland 255.255.255.0 Belgie 255.255.255.0
access-list outside_cryptomap_30 permit ip Plant 255.255.255.0 Belgie 255.255.255.0
access-list outside_cryptomap_40 permit ip Nederland 255.255.255.0 re_bst 255.255.255.0
access-list outside_cryptomap_40 permit ip Plant 255.255.255.0 re_bst 255.255.255.0
access-list outside_cryptomap_40 permit ip DMZ 255.255.255.0 re_bst 255.255.255.0
access-list outside_cryptomap_10 permit ip Nederland 255.255.255.0 AS400_Subnet 255.255.255.0
access-list outside_cryptomap_10 permit ip Plant 255.255.255.0 AS400_Subnet 255.255.255.0
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 82.161.13.162 255.255.255.240
ip address inside 10.250.1.254 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name outside_attack attack action alarm drop reset
ip audit name inside_attack attack action alarm
ip audit name inside_info info action alarm
ip audit name outside_info info action alarm
ip audit interface outside outside_info
ip audit interface outside outside_attack
ip audit interface inside inside_info
ip audit interface inside inside_attack
ip audit info action alarm
ip audit attack action alarm
ip local pool HomeOffice 10.250.2.11-10.250.2.99
arp timeout 14400
global (outside) 1 interface
nat (outside) 0 access-list outside_inbound_nat0_acl outside
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface telnet 10.250.3.1 telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp ProxyServer smtp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 82.161.13.161 1
route inside Nederland 255.255.255.0 GateWay 1
route inside Plant 255.255.255.0 GateWay 1
route inside DMZ 255.255.255.0 GateWay 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set pix_506-VPN esp-aes-192 esp-md5-hmac
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map pix_506Map 10 ipsec-isakmp
crypto map pix_506Map 10 match address outside_cryptomap_10
crypto map pix_506Map 10 set pfs group2
crypto map pix_506Map 10 set peer 80.146.171.220
crypto map pix_506Map 10 set transform-set pix_506-VPN
crypto map pix_506Map 10 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map pix_506Map 20 ipsec-isakmp
crypto map pix_506Map 20 match address outside_cryptomap_20
crypto map pix_506Map 20 set pfs group2
crypto map pix_506Map 20 set peer 62.225.102.177
crypto map pix_506Map 20 set transform-set pix_506-VPN
crypto map pix_506Map 20 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map pix_506Map 30 ipsec-isakmp
crypto map pix_506Map 30 match address outside_cryptomap_30
crypto map pix_506Map 30 set pfs group2
crypto map pix_506Map 30 set peer 217.136.233.232
crypto map pix_506Map 30 set transform-set pix_506-VPN
crypto map pix_506Map 30 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map pix_506Map 40 ipsec-isakmp
crypto map pix_506Map 40 match address outside_cryptomap_40
crypto map pix_506Map 40 set pfs group2
crypto map pix_506Map 40 set peer 212.238.249.2
crypto map pix_506Map 40 set transform-set pix_506-VPN
crypto map pix_506Map 40 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map pix_506Map 50 ipsec-isakmp dynamic dynmap
crypto map pix_506Map client authentication LOCAL
crypto map pix_506Map interface outside
management-access inside
console timeout 0
terminal width 80
: end
Reply to
RLM
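RC's point (the tunnel's crypto ACL has to permit the 192.168.4.x traffic) can be checked mechanically: for a LAN-to-LAN IPsec tunnel, each side's crypto ACL must be the exact mirror of the peer's. The Python below is an added example, not code from the thread; it parses name, crypto ACL and crypto-map lines from constructed excerpts of the two configs posted above and reports entries that have no mirror on the other side. It assumes the 501's map entry 30 (peer 82.161.13.162) and the 506's map entry 40 (peer 212.238.249.2) are the two ends of the same tunnel.

```python
import re
from ipaddress import IPv4Network

# Constructed excerpts of the two PIX 6.3 configs posted in this thread
# (name lines, crypto ACLs and crypto-map lines only), not full configs.
PIX501 = """
name 192.168.4.0 DMZ
access-list outside_cryptomap_30 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_30 permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map outside_map 30 match address outside_cryptomap_30
crypto map outside_map 30 set peer 82.161.13.162
"""
PIX506 = """
name 192.168.1.0 Nederland
name 192.168.2.0 Plant
name 192.168.3.0 re_bst
name 192.168.4.0 DMZ
access-list outside_cryptomap_40 permit ip Nederland 255.255.255.0 re_bst 255.255.255.0
access-list outside_cryptomap_40 permit ip Plant 255.255.255.0 re_bst 255.255.255.0
access-list outside_cryptomap_40 permit ip DMZ 255.255.255.0 re_bst 255.255.255.0
crypto map pix_506Map 40 match address outside_cryptomap_40
crypto map pix_506Map 40 set peer 212.238.249.2
"""

# Only net/mask entries; "host" and port-qualified lines are ignored here.
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\d+\.\d+\.\d+\.\d+) (\S+) (\d+\.\d+\.\d+\.\d+)$")

def crypto_acls(config):
    """Return {peer_ip: {(src_net, dst_net), ...}} for every crypto map entry, names resolved."""
    names, acls, match, peers = {}, {}, {}, {}
    for line in config.strip().splitlines():
        w = line.split()
        if not w:
            continue
        if w[0] == "name":                      # name <ip> <alias>
            names[w[2]] = w[1]
        elif m := ACL_RE.match(line.strip()):
            acl, s, sm, d, dm = m.groups()
            src = IPv4Network((names.get(s, s), sm))
            dst = IPv4Network((names.get(d, d), dm))
            acls.setdefault(acl, set()).add((src, dst))
        elif w[:2] == ["crypto", "map"] and w[4:6] == ["match", "address"]:
            match[(w[2], w[3])] = w[6]          # (map, seq) -> crypto ACL name
        elif w[:2] == ["crypto", "map"] and w[4:6] == ["set", "peer"]:
            peers[(w[2], w[3])] = w[6]          # (map, seq) -> peer address
    return {peers[k]: acls.get(acl, set()) for k, acl in match.items() if k in peers}

def unmirrored(local, remote):
    """(src, dst) lines the remote side lacks so that every local entry has its mirror."""
    return sorted((str(d), str(s)) for s, d in local if (d, s) not in remote)

def check_page_configs():
    a = crypto_acls(PIX501)["82.161.13.162"]    # 501 -> 506 tunnel (assumed pairing)
    b = crypto_acls(PIX506)["212.238.249.2"]    # 506 -> 501 tunnel (assumed pairing)
    return {"missing_on_501": unmirrored(b, a), "missing_on_506": unmirrored(a, b)}

if __name__ == "__main__":
    print(check_page_configs())
```

On these excerpts it reports that the 501's outside_cryptomap_30 has no entry for 192.168.3.0/24 to 192.168.4.0/24, although the 501's inside_nat0_outbound and the 506's outside_cryptomap_40 both cover that pair; a PIX debug showing the echo request on the 501 and nothing on the 506 is consistent with traffic that is NAT-exempt but never matched into the tunnel.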

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.