[nsp] PIX only avail after pinging from it
Sven Huster
sven at huster.me.uk
Wed Dec 10 08:44:00 EST 2003
Looks sort of that.
I did some research mirroring traffic to and from the PIX and it does not seems to recognize the ARP requests at all.
debug arp gives me nothing at all.
Any ideas what could cause this behaviour? Or is the thing just broken?
Also my static mapping does not work for the same reason. I guess the PIX should do proxy arp for it but doesn't want to.
Sven
On Wed, Dec 10, 2003 at 03:37:11PM +0200, Goldberg Alain (IT) wrote:
>
> I am not a PIX specialist and thus I will not go into your
> configuration, BUT:
> The problem you describe looks like a typical ARP issue.
> Because when you ping-from-pix you actually supply the Ethernet
> (xx:xx:xx:xx:xx:xx) of the PIX to the given host,
> and then this host is able to reach the PIX.
>
> The first thing I would check is that the netmask on the PIX is the same
> as on the other hosts.
> Then check if you are not blocking incoming ARP requests on the PIX.
>
> My 5 cents.
>
> Regards,
>
> _________________________________________
> Alain Goldberg - Network manager - CCDA/CCNA
>
> Tower Semiconductors LTD.
>
> Tel : 972-4-6506003 Fax : 972-4-6547788
>
>
>
> "I love a well designed chaos" - Sixtus dixit
>
>
>
>
>
> -----Original Message-----
> From: Sven Huster [mailto:sven at huster.me.uk]
> Sent: Wednesday, December 10, 2003 12:14 PM
> To: cisco-nsp at puck.nether.net
> Subject: [nsp] PIX only avail after pinging from it
>
> Hi
>
> I got a PIX/UR running 6.3(1).
>
> It looks like it is only available e.g. for ICMP once it pinged the
> other end first.
> So I try to ping it and leave this running without any success.
> As soon as I ping the host from the PIX it also start to work the other
> way round.
>
> Any ideas?
>
> Part of the config follows:
>
> interface ethernet0 100full
> interface ethernet1 100full
> interface ethernet1 vlan2 logical
> interface ethernet1 vlan3 logical
>
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> nameif vlan2 dmz security10
> nameif vlan3 internal security90
>
> access-list compiled
> access-list ACL_OUTSIDE_IN permit icmp any any access-list
> ACL_OUTSIDE_IN permit ip host 10.0.0.1 any access-list ACL_OUTSIDE_IN
> permit ip host 10.0.0.2 any access-list ACL_DMZ_IN deny ip 192.168.254.0
> 255.255.255.0 192.168.254.0 255.255.255.0 access-list ACL_DMZ_IN permit
> icmp any any access-list ACL_DMZ_IN permit ip any host 10.0.0.1
> access-list ACL_DMZ_IN permit ip any host 10.0.0.2 access-list
> ACL_DMZ_IN permit udp any host 10.1.1.4 eq domain access-list ACL_DMZ_IN
> permit udp any host 10.1.1.5 eq domain
>
> icmp permit any outside
> icmp permit any inside
> icmp permit any dmz
> icmp permit any internal
>
> mtu outside 1500
> mtu inside 1500
>
> ip address outside 10.0.0.250 255.255.255.0 ip address inside
> 192.168.155.254 255.255.255.0 ip address dmz 192.168.254.254
> 255.255.255.0 ip address internal 192.168.151.254 255.255.255.0
>
> arp timeout 14400
> static (dmz,outside) 10.0.0.50 192.168.254.1 netmask 255.255.255.255 0 0
>
> access-group ACL_OUTSIDE_IN in interface outside access-group ACL_DMZ_IN
> in interface dmz
>
> route outside 0.0.0.0 0.0.0.0 10.0.0.254 1
>
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
> 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
>
> Thanks
> Regards
> --
> Sven
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
More information about the cisco-nsp
mailing list