do you know why? [7:72352]

2003-07-15 Thread Vajira Wijesinghe
I have a PIX firewall and I have a strange problem.
If any one of you has come across this, please let me know the solution.

I have a few servers on both sides of the PIX,
e.g. Server-A in the Outside zone and Server-B in the Inside zone.

1. When I ping from Server-B to Server-A, I get request timeout.
2. Now I go to Server-A and start a ping to Server-B. It works fine.
3. Then again I go back to Server-B to ping Server-A, and now it
starts pinging!!!

Can any one of you explain this???
I need to get this thing resolved and ping straight away from B to A.
Thanks.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=72352&t=72352
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]


Re: do you know why? [7:72352]

2003-07-15 Thread Vajira Wijesinghe
What I have is exactly 6.3.
So it looks like a bug in the version?
Thanks a lot, Wilmes, for your observation and for sharing it with everyone.


Wilmes, Rusty wrote:

>Sounds like from B > A you don't have a NAT xlate established.
>
>When you go from A > B it creates the xlate so that B > A starts working.
>
>We had a problem after upgrading from 6.1.1 to 6.3 where one of our VPN
>partners couldn't get in until we pinged a host on their side.  The error in the
>syslog was a deny due to no xlate.  We were also losing NAT to arbitrary
>addresses on port 80.  We rolled back to 6.1.4 (the latest GD) and all is
>well.
>
>What version are you on?
>
>-Original Message-
>From: Vajira Wijesinghe [mailto:[EMAIL PROTECTED]
>Sent: Tuesday, July 15, 2003 3:23 PM
>To: [EMAIL PROTECTED]
>Subject: do you know why? [7:72352]
>
>
>I have a PIX firewall and I have a strange problem.
>If any one of you has come across this, please let me know the solution.
>
>I have a few servers on both sides of the PIX,
>e.g. Server-A in the Outside zone and Server-B in the Inside zone.
>
>1. When I ping from Server-B to Server-A, I get request timeout.
>2. Now I go to Server-A and start a ping to Server-B. It works fine.
>3. Then again I go back to Server-B to ping Server-A, and now it
>starts pinging!!!
>
>Can any one of you explain this???
>I need to get this thing resolved and ping straight away from B to A.
>Thanks.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=72358&t=72352


RE: do you know why? [7:72352]

2003-07-15 Thread Wilmes, Rusty
Sounds like from B > A you don't have a NAT xlate established.

When you go from A > B it creates the xlate so that B > A starts working.

We had a problem after upgrading from 6.1.1 to 6.3 where one of our VPN
partners couldn't get in until we pinged a host on their side.  The error in the
syslog was a deny due to no xlate.  We were also losing NAT to arbitrary
addresses on port 80.  We rolled back to 6.1.4 (the latest GD) and all is
well.

What version are you on?

-Original Message-
From: Vajira Wijesinghe [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 15, 2003 3:23 PM
To: [EMAIL PROTECTED]
Subject: do you know why? [7:72352]


I have a PIX firewall and I have a strange problem.
If any one of you has come across this, please let me know the solution.

I have a few servers on both sides of the PIX,
e.g. Server-A in the Outside zone and Server-B in the Inside zone.

1. When I ping from Server-B to Server-A, I get request timeout.
2. Now I go to Server-A and start a ping to Server-B. It works fine.
3. Then again I go back to Server-B to ping Server-A, and now it
starts pinging!!!

Can any one of you explain this???
I need to get this thing resolved and ping straight away from B to A.
Thanks.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=72357&t=72352


RE: do you know why? [7:72352]

2003-07-15 Thread Degracia, Alex
Sounds like ARP requests aren't being allowed through.

Once the ARP cache is maintained, it knows where to forward the packets.

Just my theory.

-Original Message-
From: Vajira Wijesinghe [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 16, 2003 8:23 AM
To: [EMAIL PROTECTED]
Subject: do you know why? [7:72352]


I have a PIX firewall and I have a strange problem.
If any one of you has come across this, please let me know the solution.

I have a few servers on both sides of the PIX,
e.g. Server-A in the Outside zone and Server-B in the Inside zone.

1. When I ping from Server-B to Server-A, I get request timeout.
2. Now I go to Server-A and start a ping to Server-B. It works fine.
3. Then again I go back to Server-B to ping Server-A, and now it
starts pinging!!!

Can any one of you explain this???
I need to get this thing resolved and ping straight away from B to A.
Thanks.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=72359&t=72352


Re: do you know why? [7:72352]

2003-07-15 Thread John Neiberger
I'm not very familiar with the newer releases of PIX software, but do you
have to enable ICMP on those interfaces? It looks to me like you only have
ICMP allowed going one direction. This is a very common problem and easily
fixed. Also, if something is being blocked it should be apparent from the
logs why it was blocked.

HTH,
John

- Original Message - 
From: "Vajira Wijesinghe" 
To: 
Sent: Tuesday, July 15, 2003 4:23 PM
Subject: do you know why? [7:72352]


> I have a PIX firewall and I have a strange problem.
> If any one of you has come across this, please let me know the solution.
>
> I have a few servers on both sides of the PIX,
> e.g. Server-A in the Outside zone and Server-B in the Inside zone.
>
> 1. When I ping from Server-B to Server-A, I get request timeout.
> 2. Now I go to Server-A and start a ping to Server-B. It works fine.
> 3. Then again I go back to Server-B to ping Server-A, and now it
> starts pinging!!!
>
> Can any one of you explain this???
> I need to get this thing resolved and ping straight away from B to A.
> Thanks.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=72362&t=72352


RE: do you know why? [7:72352]

2003-07-16 Thread Reimer, Fred
I don't have much experience with the PIX, but at Networkers they did say
that Cisco changed the way the PIX handled ICMP packets yet again.  They
apparently changed it like three times now, and think they finally have it
where they want it.

Fred Reimer - CCNA


Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338
Phone: 404-847-5177  Cell: 770-490-3071  Pager: 888-260-2050




-Original Message-
From: John Neiberger [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, July 15, 2003 11:23 PM
To: [EMAIL PROTECTED]
Subject: Re: do you know why? [7:72352]

I'm not very familiar with the newer releases of PIX software, but do you
have to enable ICMP on those interfaces? It looks to me like you only have
ICMP allowed going one direction. This is a very common problem and easily
fixed. Also, if something is being blocked it should be apparent from the
logs why it was blocked.

HTH,
John

- Original Message - 
From: "Vajira Wijesinghe" 
To: 
Sent: Tuesday, July 15, 2003 4:23 PM
Subject: do you know why? [7:72352]


> I have a PIX firewall and I have a strange problem.
> If any one of you has come across this, please let me know the solution.
>
> I have a few servers on both sides of the PIX,
> e.g. Server-A in the Outside zone and Server-B in the Inside zone.
>
> 1. When I ping from Server-B to Server-A, I get request timeout.
> 2. Now I go to Server-A and start a ping to Server-B. It works fine.
> 3. Then again I go back to Server-B to ping Server-A, and now it
> starts pinging!!!
>
> Can any one of you explain this???
> I need to get this thing resolved and ping straight away from B to A.
> Thanks.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=72389&t=72352


RE: do you know why? [7:72352]

2003-07-16 Thread Wilmes, Rusty
I'd think that if it were an access list it would either work or not
work, but NOT not work until you try it from the other side.

-Original Message-
From: John Neiberger [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 15, 2003 8:23 PM
To: [EMAIL PROTECTED]
Subject: Re: do you know why? [7:72352]


I'm not very familiar with the newer releases of PIX software, but do you
have to enable ICMP on those interfaces? It looks to me like you only have
ICMP allowed going one direction. This is a very common problem and easily
fixed. Also, if something is being blocked it should be apparent from the
logs why it was blocked.

HTH,
John

- Original Message - 
From: "Vajira Wijesinghe" 
To: 
Sent: Tuesday, July 15, 2003 4:23 PM
Subject: do you know why? [7:72352]


> I have a PIX firewall and I have a strange problem.
> If any one of you has come across this, please let me know the solution.
>
> I have a few servers on both sides of the PIX,
> e.g. Server-A in the Outside zone and Server-B in the Inside zone.
>
> 1. When I ping from Server-B to Server-A, I get request timeout.
> 2. Now I go to Server-A and start a ping to Server-B. It works fine.
> 3. Then again I go back to Server-B to ping Server-A, and now it
> starts pinging!!!
>
> Can any one of you explain this???
> I need to get this thing resolved and ping straight away from B to A.
> Thanks.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=72410&t=72352


RE: do you know why? [7:72352]

2003-07-16 Thread John Neiberger
PIXes, at least with previous releases, are highly directional in nature and
will apply a different set of rules depending on the origin of the traffic.
For example, traffic originating on an 'inside' interface is subject to far
fewer restrictions, by default, whereas traffic originating on the outside
is blocked by default. As has already been mentioned, ICMP has another set
of rules that need to be dealt with in addition to the usual rules.

John

>>> Wilmes, Rusty 7/16/03 11:31:51 AM >>>
I'd think that if it were an access list it would either work or not
work, but NOT not work until you try it from the other side.

-Original Message-
From: John Neiberger [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, July 15, 2003 8:23 PM
To: [EMAIL PROTECTED] 
Subject: Re: do you know why? [7:72352]


I'm not very familiar with the newer releases of PIX software, but do you
have to enable ICMP on those interfaces? It looks to me like you only have
ICMP allowed going one direction. This is a very common problem and easily
fixed. Also, if something is being blocked it should be apparent from the
logs why it was blocked.

HTH,
John

- Original Message - 
From: "Vajira Wijesinghe" 
To: 
Sent: Tuesday, July 15, 2003 4:23 PM
Subject: do you know why? [7:72352]


> I have a PIX firewall and I have a strange problem.
> If any one of you has come across this, please let me know the solution.
>
> I have a few servers on both sides of the PIX,
> e.g. Server-A in the Outside zone and Server-B in the Inside zone.
>
> 1. When I ping from Server-B to Server-A, I get request timeout.
> 2. Now I go to Server-A and start a ping to Server-B. It works fine.
> 3. Then again I go back to Server-B to ping Server-A, and now it
> starts pinging!!!
>
> Can any one of you explain this???
> I need to get this thing resolved and ping straight away from B to A.
> Thanks.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=72417&t=72352


Re: do you know why? [7:72352]

2003-07-16 Thread Vajira Wijesinghe
Now I could narrow down the problem a little bit.

I observe this is happening ONLY to some Lantronix and Annex terminal
servers in the outside zone (where I gave the name Server-A). Sun servers on
the same subnet as these terminal servers do NOT show this abnormal behaviour
and respond straight away.

Therefore this cannot be
- a configuration issue
- a translate table issue

Have any of you guys come across any interoperability issues of these
terminal server brands with Cisco?

Thanks.



"Wilmes, Rusty" wrote:

> Sounds like from B > A you don't have a NAT xlate established.
>
> When you go from A > B it creates the xlate so that B > A starts working.
>
> We had a problem after upgrading from 6.1.1 to 6.3 where one of our VPN
> partners couldn't get in until we pinged a host on their side.  The error in the
> syslog was a deny due to no xlate.  We were also losing NAT to arbitrary
> addresses on port 80.  We rolled back to 6.1.4 (the latest GD) and all is
> well.
>
> What version are you on?
>
> -Original Message-
> From: Vajira Wijesinghe [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, July 15, 2003 3:23 PM
> To: [EMAIL PROTECTED]
> Subject: do you know why? [7:72352]
>
> I have a PIX firewall and I have a strange problem.
> If any one of you has come across this, please let me know the solution.
>
> I have a few servers on both sides of the PIX,
> e.g. Server-A in the Outside zone and Server-B in the Inside zone.
>
> 1. When I ping from Server-B to Server-A, I get request timeout.
> 2. Now I go to Server-A and start a ping to Server-B. It works fine.
> 3. Then again I go back to Server-B to ping Server-A, and now it
> starts pinging!!!
>
> Can any one of you explain this???
> I need to get this thing resolved and ping straight away from B to A.
> Thanks.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=72419&t=72352


RE: do you know why? [7:72352]

2003-07-16 Thread Jim Devane
Actually, this can be completely normal behavior for the PIX.
It has nothing to do with filtering or any magic or any bugs.


The ASA algorithm in the PIX will not set up an xlate for the inbound
traffic (as debugs will show) until the traffic is allowed from a higher
security interface to a lower one.

If the static (inside,*) is used (* being dmz or outside) then it will
go ahead and place the xlate.

If you are using a NAT statement and a global it will not. The traffic must
qualify for the xlate and then two-way traffic can exist.

The only other rule ICMP has to deal with is for PAT (since there are
no "ports" in ICMP, only literals).

This is overcome by the same method as overcoming GRE: a hash is created
and each packet is inspected.

Now, if you have a case where you have the static defined and your
conduit/ACL is correct THEN you may have found a bug. (I did a quick
check on Bug Navi and did not see any.)

You just can't reason with a PIX like you can a router! It doesn't run
IOS!!

Thanks,
Jim


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
John Neiberger
Sent: Wednesday, July 16, 2003 10:58 AM
To: [EMAIL PROTECTED]
Subject: RE: do you know why? [7:72352]

PIXes, at least with previous releases, are highly directional in nature and
will apply a different set of rules depending on the origin of the traffic.
For example, traffic originating on an 'inside' interface is subject to far
fewer restrictions, by default, whereas traffic originating on the outside
is blocked by default. As has already been mentioned, ICMP has another set
of rules that need to be dealt with in addition to the usual rules.

John

>>> Wilmes, Rusty 7/16/03 11:31:51 AM >>>
I'd think that if it were an access list it would either work or not
work, but NOT not work until you try it from the other side.

-Original Message-
From: John Neiberger [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, July 15, 2003 8:23 PM
To: [EMAIL PROTECTED] 
Subject: Re: do you know why? [7:72352]


I'm not very familiar with the newer releases of PIX software, but do you
have to enable ICMP on those interfaces? It looks to me like you only have
ICMP allowed going one direction. This is a very common problem and easily
fixed. Also, if something is being blocked it should be apparent from the
logs why it was blocked.

HTH,
John

- Original Message - 
From: "Vajira Wijesinghe" 
To: 
Sent: Tuesday, July 15, 2003 4:23 PM
Subject: do you know why? [7:72352]


> I have a PIX firewall and I have a strange problem.
> If any one of you has come across this, please let me know the solution.
>
> I have a few servers on both sides of the PIX,
> e.g. Server-A in the Outside zone and Server-B in the Inside zone.
>
> 1. When I ping from Server-B to Server-A, I get request timeout.
> 2. Now I go to Server-A and start a ping to Server-B. It works fine.
> 3. Then again I go back to Server-B to ping Server-A, and now it
> starts pinging!!!
>
> Can any one of you explain this???
> I need to get this thing resolved and ping straight away from B to A.
> Thanks.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=72427&t=72352
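To make the xlate rules Jim lays out above concrete, here is an added toy model (constructed for this page; it is not Cisco's code and was not posted by anyone in the thread): a static pre-places the xlate, nat/global builds it only when traffic leaves the higher-security interface, and ICMP replies are matched against a hash of the request. The addresses, interface names and log wording are all made up; the scenario reproduces Rusty's symptom of an outside host that cannot get in until the inside host has pinged out.

```python
from collections import namedtuple

# One ICMP echo packet as the PIX sees it; iface is the interface it arrives on (constructed model).
Echo = namedtuple("Echo", "src dst iface icmp_id seq is_reply", defaults=[False])


class ToyPix:
    def __init__(self, statics=(), global_pool=()):
        self.xlate = dict(statics)       # local -> global; a static pre-places the entry
        self.pool = list(global_pool)    # nat/global pool, consumed only by outbound traffic
        self.sessions = set()            # the ICMP "hash": (global, peer, icmp id, seq)
        self.log = []                    # syslog-style reasons for what was built or denied

    def _reply_matches(self, key, pkt):  # ICMP has no ports: a reply needs a recorded request
        if key in self.sessions:
            self.sessions.discard(key)
            return True
        self.log.append(f"deny reply {pkt.src} -> {pkt.dst}: no matching echo request")
        return False

    def forward(self, pkt):
        """Return True if the PIX forwards pkt; a dropped packet leaves its reason in self.log."""
        if pkt.iface == "inside":                      # higher -> lower security interface
            glob = self.xlate.get(pkt.src)
            if glob is None:                           # nat/global builds the xlate on the way out
                glob = self.xlate[pkt.src] = self.pool.pop(0)   # pool assumed not exhausted
                self.log.append(f"built xlate {pkt.src} -> {glob}")
            key = (glob, pkt.dst, pkt.icmp_id, pkt.seq)
            if pkt.is_reply:
                return self._reply_matches(key, pkt)
            self.sessions.add(key)
            return True
        local = next((l for l, g in self.xlate.items() if g == pkt.dst), None)
        if local is None:                              # lower -> higher with nothing to map onto
            self.log.append(f"deny {pkt.src} -> {pkt.dst}: no xlate")
            return False
        key = (pkt.dst, pkt.src, pkt.icmp_id, pkt.seq)
        if pkt.is_reply:
            return self._reply_matches(key, pkt)
        self.sessions.add(key)                         # so the inside host's reply can get back out
        return True


def ping(pix, src, dst, iface, icmp_id=1, seq=1):  # request one way, reply back; True if both pass
    if not pix.forward(Echo(src, dst, iface, icmp_id, seq)):
        return False
    if iface == "inside":                              # the outside host answers the global address
        reply = Echo(dst, pix.xlate[src], "outside", icmp_id, seq, True)
    else:                                              # the inside host answers from its real address
        local = next(l for l, g in pix.xlate.items() if g == dst)
        reply = Echo(local, src, "inside", icmp_id, seq, True)
    return pix.forward(reply)


def scenario(use_static):
    """Rusty's symptom: outside -> inside works only after the inside host has gone out first."""
    A, B, B_GLOBAL = "203.0.113.10", "192.168.1.20", "203.0.113.20"   # constructed addresses
    pix = ToyPix(statics=[(B, B_GLOBAL)] if use_static else [], global_pool=[B_GLOBAL])
    first = ping(pix, A, B_GLOBAL, "outside")    # A pings B before any inside traffic
    ping(pix, B, A, "inside")                    # B pings A; with nat/global this builds the xlate
    second = ping(pix, A, B_GLOBAL, "outside")   # A pings B again
    return first, second, pix.log
```

With nat/global the first inbound ping is denied "no xlate" and only works once B has gone out; with the static both succeed from the start.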


RE: do you know why? [7:72352]

2003-07-16 Thread Wilmes, Rusty
Jim,

Outta curiosity, where would my situation with the VPN fit into this
scenario?

I have a pix >-vpn-
>>> Wilmes, Rusty 7/16/03 11:31:51 AM >>>
I'd think that if it were an access list it would either work or not
work, but NOT not work until you try it from the other side.

-Original Message-
From: John Neiberger [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, July 15, 2003 8:23 PM
To: [EMAIL PROTECTED] 
Subject: Re: do you know why? [7:72352]


I'm not very familiar with the newer releases of PIX software, but do you
have to enable ICMP on those interfaces? It looks to me like you only have
ICMP allowed going one direction. This is a very common problem and easily
fixed. Also, if something is being blocked it should be apparent from the
logs why it was blocked.

HTH,
John

- Original Message - 
From: "Vajira Wijesinghe" 
To: 
Sent: Tuesday, July 15, 2003 4:23 PM
Subject: do you know why? [7:72352]


> I have a PIX firewall and I have a strange problem.
> If any one of you has come across this, please let me know the solution.
>
> I have a few servers on both sides of the PIX,
> e.g. Server-A in the Outside zone and Server-B in the Inside zone.
>
> 1. When I ping from Server-B to Server-A, I get request timeout.
> 2. Now I go to Server-A and start a ping to Server-B. It works fine.
> 3. Then again I go back to Server-B to ping Server-A, and now it
> starts pinging!!!
>
> Can any one of you explain this???
> I need to get this thing resolved and ping straight away from B to A.
> Thanks.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=72433&t=72352