Firewall Wizards mailing list archives
PIX v7: routing without NAT?
From: Vahid Pazirandeh <vpaziran () yahoo com>
Date: Tue, 17 Jan 2006 12:07:26 -0800 (PST)
Hi All,

At our co-lo, we have IPs *.65 to *.97 available. I'm trying to set up a mock network before touching the production environment. Our ISP router will be sitting on *.64, and we'd like to use external IPs for all our servers that are behind the PIX. Is this possible?

I've run some tests (and mind you, I am new to PIX), and it seems that the ARP requests are not passing through the PIX. I'm also not sure that the network design we're using is going to work as intended. Any thoughts?

IP definitions:
  192.168.111.73: PIX "outside" interface
  192.168.111.65: PIX "inside" interface
  192.168.111.66: PC sitting behind the "inside" network
  192.168.111.74: PC sitting outside

What does the network look like?

  [192.168.111.74]---[switch1]---[PIX]---[switch2]---[192.168.111.66]

What was tested?
  1. SUCCESS: ping from PIX to 192.168.111.74 ("outside" PC)
  2. SUCCESS: ping from inside PC (192.168.111.66) to the PIX
  3. FAILURE: ping from inside PC (192.168.111.66) to the "outside" PC (192.168.111.74)

pixfirewall(config)# show ip
System IP Addresses:
Interface   Name      IP address       Subnet mask
Ethernet0   outside   192.168.111.73   255.255.255.248
Ethernet1   inside    192.168.111.65   255.255.255.248

pixfirewall(config)# show cap capout
4 packets captured
   1: 23:45:28.568192 192.168.111.73 > 192.168.111.74: icmp: echo request
   2: 23:45:28.568574 192.168.111.74 > 192.168.111.73: icmp: echo reply
   3: 23:45:53.230121 192.168.111.66 > 192.168.111.74: icmp: echo request
   4: 23:46:33.933499 192.168.111.66 > 192.168.111.74: icmp: echo request
4 packets shown

pixfirewall(config)# show cap capin
4 packets captured
   1: 23:45:47.379786 192.168.111.66 > 192.168.111.65: icmp: echo request
   2: 23:45:47.380183 192.168.111.65 > 192.168.111.66: icmp: echo reply
   3: 23:45:53.229953 192.168.111.66 > 192.168.111.74: icmp: echo request
   4: 23:46:33.933286 192.168.111.66 > 192.168.111.74: icmp: echo request
4 packets shown

pixfirewall(config)#
pixfirewall(config)# debug arp
debug arp enabled at level 1
pixfirewall(config)#
arp-in: request at outside from 192.168.111.74 000c.41e6.fcda for 192.168.111.66 0000.0000.0000
arp-set: added arp outside 192.168.111.74 000c.41e6.fcda and updating NPs at 425957510
arp-in: request at outside from 192.168.111.74 000c.41e6.fcda for 192.168.111.66 0000.0000.0000
arp-set: added arp outside 192.168.111.74 000c.41e6.fcda and updating NPs at 425958510
arp-in: request at outside from 192.168.111.74 000c.41e6.fcda for 192.168.111.66 0000.0000.0000
arp-set: added arp outside 192.168.111.74 000c.41e6.fcda and updating NPs at 425959510
pixfirewall(config)# no debug arp
debug arp disabled.

Was Proxy ARP enabled? Yes.

no sysopt noproxyarp inside
no sysopt noproxyarp outside

pixfirewall(config)# show running-config all sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
no sysopt uauth allow-http-cache
sysopt connection permit-ipsec
pixfirewall(config)#

PIX Version 7.0(4)
!
hostname pixfirewall
domain-name default.domain.invalid
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.168.111.73 255.255.255.248
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.111.65 255.255.255.248
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
access-list outside_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any
access-list test extended permit icmp 192.168.111.0 255.255.255.0 192.168.111.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ERROR: Command requires failover license
ERROR: Command requires failover license
asdm image flash:/pdm
no asdm history enable
arp timeout 14400
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.111.8 255.255.255.248 inside
http 192.168.111.0 255.255.255.0 inside
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
ssh version 2
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!

=============================================
"Make it better before you make it faster."
=============================================

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
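The following is an added diagnostic script, not part of the original post and not a Cisco tool. It parses the `show ip`, `show cap` and `debug arp` output quoted in the message (the sample lines are copied from the post) and reasons only from the PIX's own interface masks: it lists echo requests that were captured on an interface with no matching reply, and flags ARP requests whose target address falls, by those masks, in a different PIX interface's subnet than the one the request arrived on. The function names and the regular expressions are assumptions of this example, written against the exact output format shown above.

```python
"""Added example (not from the original post): correlate PIX 7 'show ip',
'show cap' and 'debug arp' output to spot one-way ICMP and off-subnet ARP."""
import ipaddress
import re

# Sample input copied from the post (the 'show ip' table, the two captures
# and the 'debug arp' lines); only the data rows are needed.
SHOW_IP = """\
Ethernet0 outside 192.168.111.73 255.255.255.248
Ethernet1 inside 192.168.111.65 255.255.255.248
"""

CAP_OUTSIDE = """\
1: 23:45:28.568192 192.168.111.73 > 192.168.111.74: icmp: echo request
2: 23:45:28.568574 192.168.111.74 > 192.168.111.73: icmp: echo reply
3: 23:45:53.230121 192.168.111.66 > 192.168.111.74: icmp: echo request
4: 23:46:33.933499 192.168.111.66 > 192.168.111.74: icmp: echo request
"""

CAP_INSIDE = """\
1: 23:45:47.379786 192.168.111.66 > 192.168.111.65: icmp: echo request
2: 23:45:47.380183 192.168.111.65 > 192.168.111.66: icmp: echo reply
3: 23:45:53.229953 192.168.111.66 > 192.168.111.74: icmp: echo request
4: 23:46:33.933286 192.168.111.66 > 192.168.111.74: icmp: echo request
"""

DEBUG_ARP = """\
arp-in: request at outside from 192.168.111.74 000c.41e6.fcda for 192.168.111.66 0000.0000.0000
arp-set: added arp outside 192.168.111.74 000c.41e6.fcda and updating NPs at 425957510
arp-in: request at outside from 192.168.111.74 000c.41e6.fcda for 192.168.111.66 0000.0000.0000
arp-set: added arp outside 192.168.111.74 000c.41e6.fcda and updating NPs at 425958510
"""

CAP_RE = re.compile(r"^\s*\d+:\s+\S+\s+(\S+) > (\S+): icmp: echo (request|reply)$")
ARP_RE = re.compile(r"^arp-in: request at (\S+) from (\S+) \S+ for (\S+) ")


def parse_show_ip(text):
    """Map interface name -> ip_interface built from the PIX's own address/mask."""
    ifaces = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _phys, name, addr, mask = parts
        ifaces[name] = ipaddress.ip_interface(f"{addr}/{mask}")
    return ifaces


def unanswered_echo_requests(text):
    """Return sorted (src, dst) pairs that sent an echo request but for which
    no echo reply (dst -> src) appears in the same capture."""
    requests, replies = set(), set()
    for line in text.splitlines():
        m = CAP_RE.match(line)
        if not m:
            continue
        src, dst, kind = m.groups()
        if kind == "request":
            requests.add((src, dst))
        else:
            # A reply from dst back to src answers the request keyed (src, dst).
            replies.add((dst, src))
    return sorted(requests - replies)


def arp_targets_off_subnet(text, ifaces):
    """For each distinct ARP request seen on an interface, report it when the
    target address is not in that interface's subnet. The tuple also names
    the PIX interface whose subnet does contain the target (None if none)."""
    findings, seen = [], set()
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if not m:
            continue
        seen_on, sender, target = m.groups()
        if (seen_on, sender, target) in seen:
            continue
        seen.add((seen_on, sender, target))
        target_ip = ipaddress.ip_address(target)
        owner = next((n for n, i in ifaces.items() if target_ip in i.network), None)
        if owner != seen_on:
            findings.append((seen_on, sender, target, owner))
    return findings


if __name__ == "__main__":
    ifaces = parse_show_ip(SHOW_IP)
    for name, i in ifaces.items():
        print(f"{name}: {i.ip} in {i.network}")
    print("unanswered on outside:", unanswered_echo_requests(CAP_OUTSIDE))
    print("unanswered on inside: ", unanswered_echo_requests(CAP_INSIDE))
    for seen_on, sender, target, owner in arp_targets_off_subnet(DEBUG_ARP, ifaces):
        print(f"ARP on {seen_on} from {sender} for {target}: "
              f"target is in the {owner} subnet, not the {seen_on} subnet")
```

Run against the posted output it reports that the inside PC's echo requests to 192.168.111.74 were seen on both interfaces (so the PIX did forward them) but never answered, and that the outside PC's ARP request for 192.168.111.66 targets an address that, by the PIX's masks, sits in the inside subnet 192.168.111.64/29 rather than the outside subnet 192.168.111.72/29. That pairing (request forwarded, peer ARPing on the wrong side for the source) is the point to take to the next troubleshooting step: the outside host's own mask and routing, and what the PIX will answer ARP for on that interface.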
Current thread:
- PIX v7: routing without NAT? Vahid Pazirandeh (Jan 17)
- Re: PIX v7: routing without NAT? Brian Loe (Jan 18)