Firewall Wizards mailing list archives
PIX v7: routing without NAT?
From: Vahid Pazirandeh <vpaziran () yahoo com>
Date: Tue, 17 Jan 2006 12:07:26 -0800 (PST)
Hi All,
At our co-lo, we have IPs *.65 to *.97 available. I'm trying to set up a mock
network before touching the production environment.
Our ISP router will be sitting on *.64, and we'd like to use external IPs for
all our servers that are behind the PIX. Is this possible?
I've run some tests (and mind you I am new to pix), and it seems that the ARP
requests are not passing through the pix. I'm also not sure that the network
design we're using is going to work as intended. Any thoughts?
IP definitions:
192.168.111.73: PIX "outside" interface
192.168.111.65: PIX "inside" interface
192.168.111.66: PC sitting behind the "inside" network
192.168.111.74: PC sitting outside
What does the network look like?
[192.168.111.74]---[switch1]---[PIX]---[switch2]---[192.168.111.66]
What was tested?
1. SUCCESS: ping from PIX to 192.168.111.74 ("outside" PC)
2. SUCCESS: ping from inside PC (192.168.111.66) to the PIX
3. FAILURE: ping from inside PC (192.168.111.66) to the "outside" PC (192.168.111.74)
pixfirewall(config)# show ip
System IP Addresses:
Interface Name IP address Subnet mask
Ethernet0 outside 192.168.111.73 255.255.255.248
Ethernet1 inside 192.168.111.65 255.255.255.248
pixfirewall(config)# show cap capout
4 packets captured
1: 23:45:28.568192 192.168.111.73 > 192.168.111.74: icmp: echo request
2: 23:45:28.568574 192.168.111.74 > 192.168.111.73: icmp: echo reply
3: 23:45:53.230121 192.168.111.66 > 192.168.111.74: icmp: echo request
4: 23:46:33.933499 192.168.111.66 > 192.168.111.74: icmp: echo request
4 packets shown
pixfirewall(config)# show cap capin
4 packets captured
1: 23:45:47.379786 192.168.111.66 > 192.168.111.65: icmp: echo request
2: 23:45:47.380183 192.168.111.65 > 192.168.111.66: icmp: echo reply
3: 23:45:53.229953 192.168.111.66 > 192.168.111.74: icmp: echo request
4: 23:46:33.933286 192.168.111.66 > 192.168.111.74: icmp: echo request
4 packets shown
pixfirewall(config)#
pixfirewall(config)# debug arp
debug arp enabled at level 1
pixfirewall(config)# arp-in: request at outside from 192.168.111.74 000c.41e6.fcda for 192.168.111.66 0000.0000.0000
arp-set: added arp outside 192.168.111.74 000c.41e6.fcda and updating NPs at 425957510
arp-in: request at outside from 192.168.111.74 000c.41e6.fcda for 192.168.111.66 0000.0000.0000
arp-set: added arp outside 192.168.111.74 000c.41e6.fcda and updating NPs at 425958510
arp-in: request at outside from 192.168.111.74 000c.41e6.fcda for 192.168.111.66 0000.0000.0000
arp-set: added arp outside 192.168.111.74 000c.41e6.fcda and updating NPs at 425959510
pixfirewall(config)# no debug arp
debug arp disabled.
Was Proxy ARP enabled? Yes.
no sysopt noproxyarp inside
no sysopt noproxyarp outside
pixfirewall(config)# show running-config all sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
no sysopt uauth allow-http-cache
sysopt connection permit-ipsec
pixfirewall(config)#
PIX Version 7.0(4)
!
hostname pixfirewall
domain-name default.domain.invalid
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 192.168.111.73 255.255.255.248
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.111.65 255.255.255.248
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
access-list outside_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any
access-list test extended permit icmp 192.168.111.0 255.255.255.0 192.168.111.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ERROR: Command requires failover license
ERROR: Command requires failover license
asdm image flash:/pdm
no asdm history enable
arp timeout 14400
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.111.8 255.255.255.248 inside
http 192.168.111.0 255.255.255.0 inside
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
ssh version 2
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
=============================================
"Make it better before you make it faster."
=============================================
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
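An added example (not part of the original post or of any Cisco tooling) that automates the two checks the post performs by hand: it parses the `show cap` lines and reports echo requests that never received a reply, and it parses the `debug arp` lines and flags ARP requests that arrive on one PIX interface asking for an address that belongs to another interface's subnet. The interface addresses and all sample lines are copied from the post above; the joined `debug arp` lines are the post's wrapped output. The script assumes the PIX will only answer such an ARP request if it proxy-ARPs for the target address, so an unanswered request of this kind means the requester (here 192.168.111.74, whose mask evidently treats 192.168.111.66 as on-link) never learns a MAC and its replies go nowhere.

```python
import ipaddress
import re

# Interface addresses and masks as shown by the post's "show ip" output.
INTERFACES = {
    "outside": ipaddress.ip_interface("192.168.111.73/255.255.255.248"),
    "inside": ipaddress.ip_interface("192.168.111.65/255.255.255.248"),
}

# Capture lines copied from the post's "show cap capout" and "show cap capin".
CAPOUT = """\
1: 23:45:28.568192 192.168.111.73 > 192.168.111.74: icmp: echo request
2: 23:45:28.568574 192.168.111.74 > 192.168.111.73: icmp: echo reply
3: 23:45:53.230121 192.168.111.66 > 192.168.111.74: icmp: echo request
4: 23:46:33.933499 192.168.111.66 > 192.168.111.74: icmp: echo request
"""
CAPIN = """\
1: 23:45:47.379786 192.168.111.66 > 192.168.111.65: icmp: echo request
2: 23:45:47.380183 192.168.111.65 > 192.168.111.66: icmp: echo reply
3: 23:45:53.229953 192.168.111.66 > 192.168.111.74: icmp: echo request
4: 23:46:33.933286 192.168.111.66 > 192.168.111.74: icmp: echo request
"""

# "debug arp" lines from the post, with the line wrapping removed.
DEBUG_ARP = """\
arp-in: request at outside from 192.168.111.74 000c.41e6.fcda for 192.168.111.66 0000.0000.0000
arp-set: added arp outside 192.168.111.74 000c.41e6.fcda and updating NPs at 425957510
arp-in: request at outside from 192.168.111.74 000c.41e6.fcda for 192.168.111.66 0000.0000.0000
arp-set: added arp outside 192.168.111.74 000c.41e6.fcda and updating NPs at 425958510
arp-in: request at outside from 192.168.111.74 000c.41e6.fcda for 192.168.111.66 0000.0000.0000
arp-set: added arp outside 192.168.111.74 000c.41e6.fcda and updating NPs at 425959510
"""

CAP_RE = re.compile(r"^\d+:\s+\S+\s+(\S+) > (\S+): icmp: echo (request|reply)$")
ARP_RE = re.compile(r"^arp-in: request at (\w+) from (\S+) \S+ for (\S+) ")


def unanswered_pings(capture):
    """Return sorted (src, dst) pairs whose echo request saw no echo reply in this capture."""
    requests = set()
    answered = set()
    for line in capture.splitlines():
        m = CAP_RE.match(line)
        if not m:
            continue
        src, dst, kind = m.groups()
        if kind == "request":
            requests.add((src, dst))
        else:
            # A reply dst->src answers the request src->dst.
            answered.add((dst, src))
    return sorted(requests - answered)


def iface_for(ip):
    """Name of the PIX interface whose subnet contains ip, or None if no interface does."""
    addr = ipaddress.ip_address(ip)
    for name, intf in INTERFACES.items():
        if addr in intf.network:
            return name
    return None


def misdirected_arp(debug_output):
    """ARP requests heard on one interface for an address that lives on another
    interface's subnet. Returns sorted unique (heard_on, sender, target, target_iface).
    The requester is treating the target as on-link; without proxy ARP for the
    target on the heard_on interface the request stays unanswered."""
    findings = set()
    for line in debug_output.splitlines():
        m = ARP_RE.match(line)
        if not m:
            continue
        heard_on, sender, target = m.groups()
        target_iface = iface_for(target)
        if target_iface and target_iface != heard_on:
            findings.add((heard_on, sender, target, target_iface))
    return sorted(findings)


if __name__ == "__main__":
    for name, cap in (("capout", CAPOUT), ("capin", CAPIN)):
        for src, dst in unanswered_pings(cap):
            print(f"{name}: echo request {src} -> {dst} never answered")
    for heard_on, sender, target, target_iface in misdirected_arp(DEBUG_ARP):
        print(f"arp: {sender} on '{heard_on}' asks for {target}, which is on the "
              f"'{target_iface}' subnet; PIX answers only if it proxy-ARPs for {target}")
```

Run against the post's data it reports that 192.168.111.66 -> 192.168.111.74 is seen leaving on both captures but never answered, and that 192.168.111.74 is ARPing on the outside interface for an inside address; together that points at the outside host's mask and gateway (it should send traffic for the inside /29 to 192.168.111.73) or at the PIX not proxy-ARPing for inside addresses, rather than at the access lists, which already permit everything.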
Current thread:
- PIX v7: routing without NAT? Vahid Pazirandeh (Jan 17)
- Re: PIX v7: routing without NAT? Brian Loe (Jan 18)
