Velocity Reviews - Computer Hardware Reviews

PIX 501 blocking inside to out arp requests

Tyler, 05-20-2008
Hello.

I've got a Cisco PIX 501 that I like to use as my border firewall/
router for my home. However, I have found one situation where I have
to swap the 501 for a dumb Linksys router/NAT device.

I work from home as a software consultant, and one of the clients I
work for has a VPN concentrator that I can not connect to with my PIX
inline.

I think I have narrowed it down to the VPN Adapter that is created
when I connect to their concentrator.

Ethernet adapter Cisco Systems VPN Adapter:

Connection-specific DNS Suffix . : XXXX.XXX
Description . . . . . . . . . . . : Cisco Systems VPN Adapter
Physical Address. . . . . . . . . : 00-05-9A-3C-78-00
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.16.2
Subnet Mask . . . . . . . . . . . : 255.255.255.224
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 192.168.1.10

There is no 'Default Gateway'. With the PIX in line I can not connect
to their server 192.168.15.2, etc.. With the Linksys in line every
thing seems to work fine.

I have tried to contact their network admin to resolve the issue, but
they have been very unresponsive. Is there any setting I can change
on my PIX?

I'm guessing (as I'm no network guru) that the Linksys router is
allowing ARP requests to traverse the device, and the PIX is blocking
them since there is no pre-defined route, or maybe this guess is way
off, I don't really know.

Any help would greatly be appreciated.

-Tyler
Doug McIntyre, 05-20-2008
Tyler <(E-Mail Removed)> writes:
>I've got a Cisco PIX 501 that I like to use as my border firewall/
>router for my home. However, I have found one situation where I have
>to swap the 501 for a dumb Linksys router/NAT device.

>I work from home as a software consultant, and one of the clients I
>work for has a VPN concentrator that I can not connect to with my PIX
>inline.

>I think I have narrowed it down to the VPN Adapter that is created
>when I connect to their concentrator.

Probably not..

>There is no 'Default Gateway'. With the PIX in line I can not connect
>to their server 192.168.15.2, etc.. With the Linksys in line every
>thing seems to work fine.

Do you have the PIX configured to let IPsec packets through?

sysopt connection permit-ipsec

I'm assuming you are already doing NAT-T on your VPN setup since you
say the Linksys one works.

>I'm guessing (as I'm no network guru) that the Linksys router is
>allowing ARP requests to traverse the device, and the PIX is blocking
>them since there is no pre-defined route, or maybe this guess is way
>off, I don't really know.

Yes, this guess is way off..
Tyler, 05-20-2008
> Do you have the PIX configured to let IPsec packets through?
>
> sysopt connection permit-ipsec

I did not have this statement in my config.

However, other sites that I VPN to worked fine, all "seem" to be
configured using IPSec over UDP (NAT / PAT) in the Cisco VPN Client
I'm using to connect to the client through my PIX / Linksys router.

I have added the statement to my PIX, but I haven't had a chance to
test it yet as the PIX is currently not hooked up. I'll give it a
test later today when I disconnect from the client I'm working with.

> I'm assuming you are already doing NAT-T on your VPN setup since you
> say the Linksys one works.
>
> >I'm guessing (as I'm no network guru) that the Linksys router is
> >allowing ARP requests to traverse the device, and the PIX is blocking
> >them since there is no pre-defined route, or maybe this guess is way
> >off, I don't really know.
>
> Yes, this guess is way off..

Thanks
Tyler, 05-20-2008
I have put the PIX back in place and added:

sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp

One at a time, testing each separately, none of them made any
difference to the connection; I am still unable to ping the address at
the other end of the tunnel as I can when I have my Linksys router in place.

Here is my entire config:

PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xx
passwd xx
hostname pix
domain-name xxxxxx
clock timezone EST -5
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
access-list inbound permit tcp any any eq ssh
access-list inbound permit icmp any any
access-list inbound permit tcp any any eq smtp
access-list inbound permit tcp any any eq domain
access-list inbound permit udp any any eq domain
access-list inbound permit tcp host x.x.x.x any eq www
access-list inbound permit tcp host x.x.x.x any eq 1984
access-list inbound permit tcp host x.x.x.x any eq 1984
access-list outbound permit tcp host 192.168.1.7 any eq smtp
access-list outbound deny tcp any any eq smtp
access-list outbound permit ip any any
pager lines 255
logging on
logging timestamp
logging standby
logging monitor alerts
logging trap informational
logging history debugging
logging facility 19
logging host inside 192.168.1.5
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) tcp interface ssh 192.168.1.7 ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.1.7 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface domain 192.168.1.7 domain netmask 255.255.255.255 0 0
static (inside,outside) udp interface domain 192.168.1.7 domain netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.1.7 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1984 192.168.1.7 1984 netmask 255.255.255.255 0 0
access-group inbound in interface outside
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
ntp server x.x.x.x source outside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection timewait
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
isakmp enable inside
isakmp nat-traversal 3600
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
username XX xx
terminal width 80
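As an added example (it is not code from this thread, from Cisco, or from any of the posters), the following Python script audits a PIX 6.3 configuration like the one posted above for the points the thread turns on: whether the access-list bound to the inside interface lets the VPN client's UDP ports out, whether `isakmp nat-traversal` and `sysopt connection permit-ipsec` are present, and what UDP idle timeout the PIX applies to the client's UDP-encapsulated tunnel. The embedded config is a constructed excerpt of the posted one; the client address 192.168.1.20, the peer address 203.0.113.10, and the use of UDP 10000 as the Cisco "IPSec over UDP" default port are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of the PIX 6.3(5) configuration posted in this thread
# (not the full config); the parser accepts any "show running-config" text
# written in the same syntax.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list inbound permit tcp any any eq ssh
access-list inbound permit icmp any any
access-list outbound permit tcp host 192.168.1.7 any eq smtp
access-list outbound deny tcp any any eq smtp
access-list outbound permit ip any any
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
access-group inbound in interface outside
access-group outbound in interface inside
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
sysopt connection permit-ipsec
isakmp enable inside
isakmp nat-traversal 3600
"""

PORT_NAMES = {"ssh": 22, "smtp": 25, "domain": 53, "www": 80, "isakmp": 500}

# UDP destination ports a remote-access IPsec client has to reach through the
# firewall: 500 is IKE/ISAKMP, 4500 is standard NAT-T (RFC 3947/3948). 10000 is
# the default port of Cisco's own "IPSec over UDP" transparent tunnelling, the
# mode the original poster says the VPN Client uses (assumption: the
# concentrator keeps that default).
CLIENT_UDP_PORTS = {500: "isakmp", 4500: "nat-t", 10000: "ipsec-over-udp"}


def _ip_to_int(ip: str) -> int:
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def _addr_matches(spec: Tuple[str, Optional[str]], ip: str) -> bool:
    net, mask = spec
    if net == "any":
        return True
    try:
        m = _ip_to_int(mask)
        return (_ip_to_int(ip) & m) == (_ip_to_int(net) & m)
    except ValueError:
        return False  # redacted addresses such as "x.x.x.x" never match


def _take_addr(toks: List[str]):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if toks[0] == "any":
        return ("any", None), toks[1:]
    if toks[0] == "host":
        return (toks[1], "255.255.255.255"), toks[2:]
    return (toks[0], toks[1]), toks[2:]


def parse_acl_entries(config: str) -> Dict[str, List[dict]]:
    """Group 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' lines by ACL name."""
    acls: Dict[str, List[dict]] = {}
    for line in config.splitlines():
        m = re.match(r"access-list (\S+) (permit|deny) (\S+) (.*)$", line.strip())
        if not m:
            continue
        name, action, proto, rest = m.groups()
        src, toks = _take_addr(rest.split())
        dst, toks = _take_addr(toks)
        port = None  # no "eq" means the entry matches every port
        if len(toks) >= 2 and toks[0] == "eq":
            # unknown port names become -1 so they match nothing rather than everything
            port = PORT_NAMES.get(toks[1], int(toks[1]) if toks[1].isdigit() else -1)
        acls.setdefault(name, []).append(
            {"action": action, "proto": proto, "src": src, "dst": dst, "port": port})
    return acls


def acl_permits(entries: List[dict], proto: str, src_ip: str, dst_ip: str, dport: int) -> bool:
    """First matching entry wins; every PIX ACL ends with an implicit deny."""
    for e in entries:
        if e["proto"] not in ("ip", proto):
            continue
        if not (_addr_matches(e["src"], src_ip) and _addr_matches(e["dst"], dst_ip)):
            continue
        if e["port"] is not None and e["port"] != dport:
            continue
        return e["action"] == "permit"
    return False


def inside_acl_name(config: str) -> Optional[str]:
    m = re.search(r"^access-group (\S+) in interface inside$", config, re.M)
    return m.group(1) if m else None


def udp_idle_timeout_seconds(config: str) -> Optional[int]:
    """The 'udp h:m:s' field of 'timeout conn': how long an idle UDP connection,
    an encapsulated IPsec tunnel included, is kept before the PIX drops it."""
    m = re.search(r"^timeout conn .*?\budp (\d+):(\d+):(\d+)", config, re.M)
    if not m:
        return None
    h, mi, s = (int(x) for x in m.groups())
    return h * 3600 + mi * 60 + s


def audit(config: str, client_ip: str = "192.168.1.20", peer_ip: str = "203.0.113.10") -> dict:
    """Report the points this thread raises for one inside client and one VPN
    peer (both addresses are assumed; 203.0.113.10 is a documentation address)."""
    acls = parse_acl_entries(config)
    name = inside_acl_name(config)
    entries = acls.get(name, []) if name else []
    return {
        "inside_acl": name,
        # With no ACL bound to inside, the PIX passes higher-to-lower security
        # traffic by default, so every port counts as permitted.
        "egress": {label: name is None or acl_permits(entries, "udp", client_ip, peer_ip, p)
                   for p, label in CLIENT_UDP_PORTS.items()},
        "has_nat_traversal": bool(re.search(r"^isakmp nat-traversal", config, re.M)),
        # This sysopt only bypasses the ACLs for IPsec that terminates on the PIX
        # itself; it does not affect a client tunnel that merely passes through it.
        "has_permit_ipsec_sysopt": bool(re.search(r"^sysopt connection permit-ipsec$", config, re.M)),
        "udp_idle_timeout_s": udp_idle_timeout_seconds(config),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run it as-is against the embedded excerpt, or read a saved `show running-config` into `audit()`. The report keeps the egress-ACL question separate from the `sysopt` question on purpose: on the posted config the `permit ip any any` entry already lets all three UDP ports out, so adding `sysopt connection permit-ipsec` changes nothing for a tunnel that only transits the PIX, which matches what the poster observed.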
Tyler, 05-22-2008
Any other ideas?
Marko Uusitalo, 05-22-2008

Tyler wrote:
> Any other ideas?


Is the DNS server 192.168.1.10 in your network or across the VPN? This
could be the problem. Can you connect using IP addresses only?

Regards

Marko