PING to inside address goes through translation and times out

Discussion in 'Cisco' started by wbevan, Aug 22, 2005.

  1. wbevan

    wbevan Guest

    Hi,

    I have just installed a PIX 501 and I'm having an odd issue with PING
    that results in
    lost traffic. I am a newbie at PIX configuration so it could be a screw
    up on my part... ;-)

    My set up is as follows

    PIX 501, outside has one public IP address and performs translations
    for 2 others

    The two inside servers have an address of 10.0.0.51 and 10.0.0.52
    respectively. Outside
    connectivity to these machines via the translation works flawlessly
    with no packet loss etc..

    However when I try and ping these two machines from within my inside
    network from another device,
    I receive something like this

    Pinging 10.0.0.52 with 32 bytes of data:

    Reply from 10.0.0.52: bytes=32 time=2ms TTL=64
    Request timed out.
    Reply from 10.0.0.52: bytes=32 time=1ms TTL=64
    Reply from 10.0.0.52: bytes=32 time=1ms TTL=64

    Ping statistics for 10.0.0.52:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 2ms, Average = 1ms

    With ICMP tracing turned on I noticed the following within the pix


    2907: ICMP echo-request from inside:10.0.2.1 to INSIDE_DQ ID=512
    seq=42753 length=40
    2908: ICMP echo-request: translating inside:10.0.2.1/512 to
    outside:X.X.X.X/60
    2909: ICMP echo-request: untranslating inside:INSIDE_DQ to
    outside:OUTIP
    2910: ICMP echo-request from inside:10.0.2.1 to INSIDE_DQ ID=512
    seq=43777 length=40
    2911: ICMP echo-request: translating inside:10.0.2.1/512 to
    outside:X.X.X.X/61
    2912: ICMP echo-request: untranslating inside:INSIDE_DQ to
    outside:OUTIP

    Which surprises me that the ICMP echo request is actually getting
    translated to the outside IP address.
    I can ping other machines on the inside network without issue, it's
    just the two machines that have a
    translation defined for them that have an issue. Also if I add another
    non translated IP address to the
    machines they also do not have an issue.

    Any ideas on what could be going on in this situation, to cause the
    translation for the ICMP
    packets to kick in ?


    Thanks

    Wayne
     
    wbevan, Aug 22, 2005
    #1

  2. :I have just installed a PIX 501 and I'm having an odd issue with PING
    :that results in
    :lost traffic.

    :PIX 501, outside has one public IP address and performs translations
    :for 2 others

    :The two inside servers have an address of 10.0.0.51 and 10.0.0.52
    :respectively. Outside
    :connectivity to these machines via the translation works flawlessly
    :with no packet loss etc..

    :However when I try and ping these two machines from within my inside
    :network from another device,
    :I receive something like this

    :Pinging 10.0.0.52 with 32 bytes of data:

    :2907: ICMP echo-request from inside:10.0.2.1 to INSIDE_DQ ID=512
    :seq=42753 length=40

    The PIX will not operate as a router for packets on the same
    interface -- it will not send 10.0.2.1's packets back out the
    inside interface to 10.0.0.52 . If you have multiple internal
    subnets, you should have an internal router which is the gateway
    for all the internal traffic.
     
    Walter Roberson, Aug 22, 2005
    #2
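As an added example that is not part of the thread, the following Python script reads PIX `debug icmp trace` output in the format shown in the first post and flags echo requests that arrive on the inside interface, are addressed to an inside host, and are nevertheless translated to the outside interface. That is exactly the same-interface case Walter describes: the packet is being asked to go back out the interface it came in on. The sample trace is constructed from the poster's own lines (INSIDE_DQ, OUTIP and X.X.X.X are the poster's placeholders) plus one made-up outbound request to 203.0.113.9 for contrast; the `inside_hosts` parameter, the regular expressions and the verdict names are my assumptions, not anything from the PIX itself.

```python
"""Flag intra-interface (hairpin) ICMP echo requests that a PIX is NATing
to another interface, parsed from `debug icmp trace` output."""

import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional

# Constructed sample modelled on the trace lines in the first post. The last two
# lines (2913/2914) are made up to show a normal inside-to-outside request.
SAMPLE_TRACE = """\
2907: ICMP echo-request from inside:10.0.2.1 to INSIDE_DQ ID=512 seq=42753 length=40
2908: ICMP echo-request: translating inside:10.0.2.1/512 to outside:X.X.X.X/60
2909: ICMP echo-request: untranslating inside:INSIDE_DQ to outside:OUTIP
2910: ICMP echo-request from inside:10.0.2.1 to INSIDE_DQ ID=512 seq=43777 length=40
2911: ICMP echo-request: translating inside:10.0.2.1/512 to outside:X.X.X.X/61
2912: ICMP echo-request: untranslating inside:INSIDE_DQ to outside:OUTIP
2913: ICMP echo-request from inside:10.0.2.1 to outside:203.0.113.9 ID=512 seq=44801 length=40
2914: ICMP echo-request: translating inside:10.0.2.1/512 to outside:X.X.X.X/62
"""

# Line formats assumed from the poster's trace; the destination may or may not
# carry an "iface:" prefix (the poster's placeholder INSIDE_DQ has none).
REQUEST_RE = re.compile(
    r"^(?P<n>\d+): ICMP (?P<kind>echo-(?:request|reply)) from "
    r"(?P<src_if>\w+):(?P<src>\S+) to (?:(?P<dst_if>\w+):)?(?P<dst>\S+) "
    r"ID=(?P<id>\d+) seq=(?P<seq>\d+) length=\d+$"
)
XLATE_RE = re.compile(
    r"^(?P<n>\d+): ICMP (?P<kind>echo-(?:request|reply)): (?P<op>un)?translating "
    r"(?P<from_if>\w+):(?P<from>\S+) to (?P<to_if>\w+):(?P<to>\S+)$"
)


@dataclass
class Translation:
    untranslate: bool
    from_if: str
    from_addr: str
    to_if: str
    to_addr: str


@dataclass
class EchoRequest:
    line_no: int
    src_if: str
    src: str
    dst_if: Optional[str]
    dst: str
    seq: int
    translations: List[Translation] = field(default_factory=list)


def parse_trace(text: str) -> List[EchoRequest]:
    """Group each echo-request line with the (un)translating lines that follow it."""
    requests: List[EchoRequest] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = REQUEST_RE.match(line)
        if m:
            if m["kind"] == "echo-request":
                requests.append(EchoRequest(int(m["n"]), m["src_if"], m["src"],
                                            m["dst_if"], m["dst"], int(m["seq"])))
            continue
        m = XLATE_RE.match(line)
        if m and requests and m["kind"] == "echo-request":
            # Strip the "/port" suffix that the translating lines carry.
            requests[-1].translations.append(Translation(
                m["op"] == "un", m["from_if"], m["from"].split("/")[0],
                m["to_if"], m["to"].split("/")[0]))
    return requests


def _is_inside_addr(addr: str, iface: Optional[str], inside_if: str,
                    inside_hosts: FrozenSet[str]) -> bool:
    """Decide whether a destination sits behind the inside interface."""
    if iface is not None:
        return iface == inside_if
    if addr in inside_hosts:
        return True
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:
        return False  # placeholder such as INSIDE_DQ: unknown unless listed


def classify(req: EchoRequest, inside_if: str = "inside",
             inside_hosts: FrozenSet[str] = frozenset()) -> str:
    """Return 'hairpin-natted', 'hairpin' or 'normal' for one echo request."""
    if req.src_if != inside_if or not _is_inside_addr(req.dst, req.dst_if, inside_if, inside_hosts):
        return "normal"
    # Source and destination are both behind the inside interface, so the PIX is
    # being asked to forward the packet back out the interface it arrived on.
    natted = any(not t.untranslate and t.to_if != inside_if for t in req.translations)
    return "hairpin-natted" if natted else "hairpin"


def analyze(text: str, inside_if: str = "inside",
            inside_hosts: FrozenSet[str] = frozenset()) -> Dict[str, List[int]]:
    """Map each verdict to the trace line numbers of the echo requests it applies to."""
    out: Dict[str, List[int]] = {"hairpin-natted": [], "hairpin": [], "normal": []}
    for req in parse_trace(text):
        out[classify(req, inside_if, inside_hosts)].append(req.line_no)
    return out


if __name__ == "__main__":
    for verdict, lines in analyze(SAMPLE_TRACE, inside_hosts=frozenset({"INSIDE_DQ"})).items():
        print(f"{verdict:15s} {lines}")
```

Because the poster replaced the real inside address with INSIDE_DQ, the script has to be told that name is an inside host; on a real trace the RFC 1918 check alone would identify the destination, and the two requests at 2907 and 2910 come out as hairpin-natted while the outbound request at 2913 is reported as normal.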

  3. Anthrax

    Anthrax Guest

    Walter,


    I'm not a pix expert, but isn't that problem overcome in version 7?



    --


    2nd Law of Thermodynamics: Chaos will Reign.

    ///////////////////
    --Anthrax--
    //////////////////
     
    Anthrax, Aug 22, 2005
    #3
  4. Anthrax

    Anthrax Guest

    Walter,


    I'm not a security expert, but isn't that problem overcome in version 7?



    --


    2nd Law of Thermodynamics: Chaos will Reign.

    ///////////////////
    --Anthrax--
    //////////////////
     
    Anthrax, Aug 22, 2005
    #4
  5. [Please don't top-post!]

    :> The PIX will not operate as a router for packets on the same
    :> interface -- it will not send 10.0.2.1's packets back out the
    :> inside interface to 10.0.0.52 .

    : I'm not a security expert, but isn't that problem overcome in version 7?

    Notice this part:

    :> In article <>,
    : :I have just installed a PIX 501

    PIX 7.0 is not supported on the PIX 501.

    Also, one person posted that the same-interface routing was only
    supported when VPNs were involved. I have not investigated PIX 7.0
    to see.
     
    Walter Roberson, Aug 23, 2005
    #5
  6. Anthrax

    Anthrax Guest


    Yes, you are right Walter, it is not supported for the 501.

    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_data_sheet0900aecd80225ae1.html


    Platforms Supported


    • Cisco PIX 515 Security Appliance

    • Cisco PIX 515E Security Appliance

    • Cisco PIX 525 Security Appliance

    • Cisco PIX 535 Security Appliance



    and yes, it can only route when coming from a VPN...

    http://www.cisco.com/en/US/products...iguration_example09186a00804675ac.shtml#intro


    "PIX version 7.0 improves support for spoke-to-spoke VPN communications
    as it provides the ability for encrypted traffic to enter and leave the
    same interface.

    The same-security-traffic command permits traffic to enter and exit the
    same interface when you use it with the intra-interface keyword which
    enables spoke-to-spoke VPN support."


    http://www.cisco.com/en/US/products..._guide_chapter09186a0080450beb.html#wp1042114

    "Permitting Intra-Interface Traffic

    The security appliance includes a feature that lets users on the same
    subnet send IPSec-protected traffic to each other. It does so by
    allowing such traffic in and out of the same interface. This is called
    hairpinning."

    http://www.cisco.com/en/US/products...od_release_note09186a00803f0f4c.html#wp162358

    "Enhanced Spoke-to-Spoke VPN Support

    Version 7.0(1) improves support for spoke-to-spoke (and
    client-to-client) VPN communications, by providing the ability for
    encrypted traffic to enter and leave the same interface."



    Regarding the top-post issue, nobody before had told me anything, so I
    found it interesting and dug in for more information.

    http://www.faqs.org/rfcs/rfc1855.html

    http://www.cs.tut.fi/~jkorpela/usenet/brox.html

    http://lists.evolt.org/archive/Week-of-Mon-20040726/162009.html


    So thanks for letting me know that I'm not doing it right, we can always
    improve. Cheers!





    --


    2nd Law of Thermodynamics: Chaos will Reign.

    ///////////////////
    --Anthrax--
    //////////////////
     
    Anthrax, Aug 23, 2005
    #6