Options
Not able to ping inside interface of pix from router(directly connected)
cyberjunkie
Member Posts: 13 ■□□□□□□□□□
Hi, This is a Lab on gns3 I have just connected two devices router and pix I don't know why it is not pinging from both side as they are directly connected Please refer the output below and help. Is it some bug in gns3 or do i need to do some more configuration on pix.
Routers Interface
Ethernet0/0 10.1.1.1 YES manual up
Pix Insdie Interface
Ethernet1 10.1.1.10 YES manual up
pixfirewall# sh run
: Saved
:
PIX Version 8.0(3)
!
hostname pixfirewall
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.1.1.10 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
pager lines 24
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
prompt hostname context
Cryptochecksum:00000000000000000000000000000000
: end
pixfirewall#
Routers Interface
Ethernet0/0 10.1.1.1 YES manual up
Pix Insdie Interface
Ethernet1 10.1.1.10 YES manual up
pixfirewall# sh run
: Saved
:
PIX Version 8.0(3)
!
hostname pixfirewall
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.1.1.10 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
pager lines 24
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
prompt hostname context
Cryptochecksum:00000000000000000000000000000000
: end
pixfirewall#
“Power corrupts. Knowledge is power. Study hard. Be evil.”
Comments
-
Options
Ahriakin
Member Posts: 1,799 ■■■■■■■■□□
Are you getting anything on your logs?
Is the MASK correct on the router?
Can you ping from the PIX to the router?
Does the Router IP show up in the PIX ARP table, is the MAC correct?
Ditto on the router side.
If all of these fail setup a capture on the PIX inside interface for all IP on that subnet and try again. You might be getting packets it's not expecting (malfromed MACs etc), or none at all...
access-list CAPTURE-INSIDE permit ip any any
capture CAPTURE-INSIDE access-list CAPTURE-INSIDE int INSIDE buffer 1000000
!
then use 'show capture CAPTURE-INSIDE' to view (or download to your PC for wireshark analysis etc.)We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?