PIX/ASA: Establish and Troubleshoot Connectivity Through The Cisco Security Appliance
Contents
Introduction
Prerequisites
Requirements
Components Used
Conventions
How Connectivity Through the PIX Works
Configure Connectivity Through the PIX
Allow ARP Broadcast Traffic
Allowed MAC Addresses
Traffic not Allowed to Pass in Router Mode
Troubleshoot Connectivity Problems
Error Message %PIX|ASA-4-407001
access-list Command Syntax
PIX Software Release 5.0.x and Later
Related Information
Introduction
When a PIX Firewall is configured initially, it has a default security policy where everyone on the inside can get out, and nobody from the outside can get in. If your site requires a different security policy, you can allow outside users to connect to your web server through the PIX. Once you establish basic connectivity through the PIX Firewall, you can make configuration changes to the firewall. Make sure any configuration changes you make to the PIX Firewall are in compliance with your site security policy. Refer to ASA 8.3: Establish and Troubleshoot Connectivity Through the Cisco Security Appliance for more information on the identical configuration on Cisco Adaptive Security Appliance (ASA) with version 8.3 and later. Refer to Monitor and Troubleshoot PIX 500 Performance Issues in order to learn more about the various show commands that are useful for troubleshooting. Refer to Troubleshoot Connections through the PIX and ASA in order to learn more about the security appliance connectivity troubleshooting.
Prerequisites
Requirements
This document assumes that some basic configurations have already been completed on the PIX. Refer to these documents for examples of an initial PIX configuration: Configuring the Cisco Secure PIX Firewall with a Single Internal Network
Components Used
The information in this document is based on PIX Firewall Software Releases 5.0.x and later. Note: Earlier versions of the PIX software use the conduit command instead of the access-list command. Either command works in PIX Firewall Software Releases 5.0.x and later. The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Conventions
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
Note: The IP addressing schemes used in this configuration are not legally routable on the Internet. They are RFC 1918 addresses which have been used in a lab environment.
3. Assign a static translated address for the internal host to which Internet users have access.
static (inside,outside) 192.168.202.5 10.2.1.5 0 0
4. Use the access-list command to allow outside users through the PIX Firewall, and bind it to the outside interface with access-group. Always use the translated (mapped) address, not the real inside address, in the access-list command.
access-list 101 permit tcp any host 192.168.202.5 eq www
access-group 101 in interface outside
For more information about command syntax, see the conduit and access-list Command Syntax section of this document.
In some situations, hard-coded speed and duplex settings generate interface errors. In that case, return the interface to the default auto-negotiation mode, as this example shows:
asa(config)#interface ethernet 0/0
asa(config-if)#duplex auto
asa(config-if)#speed auto
asa(config-if)#exit
Refer to the Speed and Duplex Settings section of Monitor and Troubleshoot PIX 500 Performance Issues for more information.
3. If traffic is not sent or received through the interface of the PIX or the head-end router, clear the ARP cache:
asa#clear arp
4. Use the show static command in order to make sure that the static translation is configured.
5. Use the interface keyword instead of the interface IP address in the static NAT statement if the static mapping stops working after an upgrade to version 7.2(1). Example:
static (inside,outside) tcp 192.168.202.2 80 10.2.1.5 1025 netmask 255.255.255.255
In this scenario, the IP address of the outside interface (192.168.202.2) is used as the mapped IP address for the web server, so this static mapping might not work on PIX/ASA version 7.2(1). In order to solve this issue, use this syntax instead:
static (inside,outside) tcp interface 80 10.2.1.5 1025 netmask 255.255.255.255
6. Check that the default route on the web server points to the inside interface of the PIX.
7. Check the translation table with the show xlate command in order to see whether the translation was created.
8. Enable buffered logging at the debugging level with the logging buffered debugging command and check the log (show logging) for denies. Look for the translated address and see whether any denies appear against it.
9. If you run version 6.2.2 or later, capture the traffic with the capture command (display the result with show capture capture1):
access-list webtraffic permit tcp any host 192.168.202.5
capture capture1 access-list webtraffic interface outside
If you use a version earlier than 6.2.2 and if the network is not busy, you can capture the traffic with the debug packet command. This command captures packets that come from any external host toward the web server.
debug packet outside dst 192.168.202.5 proto tcp dport 80 both
Note: This command generates a significant amount of output. It can cause the PIX to hang or reload under heavy traffic loads.
10. If packets make it to the PIX, make sure your route to the web server from the PIX is correct. (Check the route commands in your PIX configuration.)
11. Check whether proxy ARP is disabled. Issue the command show running-config sysopt in PIX/ASA 7.x or show sysopt in PIX 6.x. In this output, proxy ARP is disabled on the outside interface by the command sysopt noproxyarp outside:
ciscoasa#show running-config sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
sysopt noproxyarp outside
sysopt connection permit-vpn
In order to re-enable proxy ARP, enter this command in global configuration mode:
ciscoasa(config)#no sysopt noproxyarp outside
When a host sends IP traffic to another device on the same Ethernet network, the host needs to know the MAC address of the device. ARP is a Layer 2 protocol that resolves an IP address to a MAC address. A host sends an ARP request and asks "Who is this IP address?". The device that owns the IP address replies, "I own that IP address; here is my MAC address."

Proxy ARP allows the security appliance to reply to an ARP request on behalf of hosts behind it. It does this by replying to ARP requests for the static mapped addresses of those hosts. The security appliance responds to the request with its own MAC address and then forwards the IP packets on to the appropriate inside host. For example, in the diagram in this document, when an ARP request is made for the global IP address of the web server, 192.168.202.5, the security appliance responds with its own MAC address. If proxy ARP is not enabled in this situation, hosts on the outside network of the security appliance are not able to reach the web server, because their ARP requests for the address 192.168.202.5 go unanswered. Refer to the command reference for more information about the sysopt command.
12. If everything appears to be correct, and users still cannot access the web server, open a case with Cisco Technical Support.
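As an added example (not part of the Cisco document), the following Python script checks a pre-8.3 PIX/ASA configuration against the points made in steps 3 and 4 of the configuration section and in step 11 above: that inbound access-list entries use the mapped address from the static rather than the real inside address, that every permitted destination host actually has a static on that interface, and that proxy ARP has not been disabled on an interface whose subnet contains mapped addresses. The configuration it parses is constructed for this example from the page's lab addresses; the hosts 192.168.202.9 and 10.2.1.6 are assumptions and do not appear on the original page.

```python
"""Lint a pre-8.3 PIX/ASA configuration for the pitfalls discussed above.

Added example, not Cisco's code. Parses only the commands the page covers:
ip address, static, access-list, access-group and sysopt noproxyarp.
"""
import ipaddress
import re

# Constructed sample configuration (PIX 6.x-style ip address lines); not from a real device.
SAMPLE_CONFIG = """\
ip address outside 192.168.202.2 255.255.255.0
ip address inside 10.2.1.1 255.255.255.0
static (inside,outside) 192.168.202.5 10.2.1.5 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 8080 10.2.1.6 80 netmask 255.255.255.255
access-list 101 permit tcp any host 192.168.202.5 eq www
access-list 101 permit tcp any host 10.2.1.5 eq 443
access-list 101 permit tcp any host 192.168.202.9 eq ftp
access-group 101 in interface outside
sysopt noproxyarp outside
"""


def _addr(tok, i):
    """Consume one ACE address spec; return (host or network, next index). None means 'any'."""
    if tok[i] == "any":
        return None, i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    return tok[i], i + 2  # 'network mask' form: keep the network, skip the mask


def _skip_port(tok, i):
    """Skip an optional source-port operator: eq/gt/lt/neq X, or range X Y."""
    if i < len(tok) and tok[i] in ("eq", "gt", "lt", "neq"):
        return i + 2
    return i + 3 if i < len(tok) and tok[i] == "range" else i


def _parse_ace(tok):
    # access-list NAME permit|deny PROTO SRC [op port] DST [op port]
    src, i = _addr(tok, 4)
    dst, _ = _addr(tok, _skip_port(tok, i))
    return {"action": tok[2], "proto": tok[3], "src": src, "dst": dst, "line": " ".join(tok)}


def parse_config(text):
    cfg = {"ifaces": {}, "statics": [], "acls": {}, "groups": {}, "noproxyarp": set()}
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("!"):
            continue
        if tok[:2] == ["ip", "address"] and len(tok) >= 5:
            cfg["ifaces"][tok[2]] = ipaddress.ip_interface(f"{tok[3]}/{tok[4]}")
        elif tok[0] == "static":
            real_if, mapped_if = re.match(r"\((\w+),(\w+)\)", tok[1]).groups()
            rest = tok[2:]
            if rest[0] in ("tcp", "udp"):   # port static: PROTO MAPPED MPORT REAL RPORT
                mapped, real = rest[1], rest[3]
            else:                           # one-to-one static: MAPPED REAL
                mapped, real = rest[0], rest[1]
            cfg["statics"].append({"real_if": real_if, "mapped_if": mapped_if,
                                   "mapped": mapped, "real": real})
        elif tok[0] == "access-list" and len(tok) > 4 and tok[2] in ("permit", "deny"):
            cfg["acls"].setdefault(tok[1], []).append(_parse_ace(tok))
        elif tok[0] == "access-group" and tok[2] == "in":
            cfg["groups"][tok[4]] = tok[1]  # interface name -> ACL name
        elif tok[:2] == ["sysopt", "noproxyarp"]:
            cfg["noproxyarp"].add(tok[2])
    for s in cfg["statics"]:  # 'static ... interface ...' maps to the interface's own address
        if s["mapped"] == "interface":
            s["mapped"] = str(cfg["ifaces"][s["mapped_if"]].ip)
    return cfg


def lint(cfg):
    findings = []
    mapped_on, real_on = {}, {}  # per mapped interface: mapped->real and real->mapped
    for s in cfg["statics"]:
        mapped_on.setdefault(s["mapped_if"], {})[s["mapped"]] = s["real"]
        real_on.setdefault(s["mapped_if"], {})[s["real"]] = s["mapped"]
    for iface, acl in cfg["groups"].items():
        for ace in cfg["acls"].get(acl, []):
            if ace["action"] != "permit" or ace["dst"] is None:
                continue
            if ace["dst"] in real_on.get(iface, {}):
                findings.append(f"{acl}: '{ace['line']}' uses the real address; "
                                f"use the mapped address {real_on[iface][ace['dst']]}")
            elif ace["dst"] not in mapped_on.get(iface, {}):
                findings.append(f"{acl}: no static translation on {iface} for {ace['dst']}")
    for iface in cfg["noproxyarp"]:
        net = cfg["ifaces"].get(iface)
        for mapped in mapped_on.get(iface, {}):
            a = ipaddress.ip_address(mapped)
            if net and a in net.network and a != net.ip:  # the appliance always answers for its own IP
                findings.append(f"proxy ARP disabled on {iface}; hosts there cannot ARP for mapped "
                                f"{mapped} (fix: no sysopt noproxyarp {iface})")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_config(SAMPLE_CONFIG)):
        print(finding)
```

On the sample configuration the script reports the ACE that names the real address 10.2.1.5, the ACE for 192.168.202.9 with no matching static, and the disabled proxy ARP on outside; the static that uses the interface keyword is not flagged, since the appliance answers ARP for its own interface address regardless of the sysopt setting.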
Related Information
PIX 500 Series Security Appliances Support Page
Cisco Adaptive Security Appliance Support Page
Documentation for PIX Firewall
Cisco Secure PIX Firewall Command References
Requests for Comments (RFCs)
Technical Support & Documentation - Cisco Systems
2011-2012 Cisco Systems, Inc. All rights reserved.