Impossibile pingare l'indirizzo ip pubblico da internet

[draven76]

Dall'esterno, l'ip pubblico assegnato all'interfaccia esterna del firewall non risulta pingabile, ma tutti i server interni "pattati" tramite static risultano correttamente raggiungibili sulle porte loro assegnate...

esult of the command: "show config"

: Saved
: Written by enable_15 at 09:13:26.260 CEDT Fri Sep 26 2008
!
PIX Version 7.2(1)
!
hostname hellfire
domain-name xxx.local
enable password 7ByMIiIG5nsg65py encrypted
names
name 192.168.1.11 isasrv
name 10.0.0.9 kamyo
name 10.0.0.14 milo
name 10.0.0.16 dohko
name 10.0.0.20 deathmask
name 10.0.0.15 shura
name 10.0.0.19 pdc
name 10.0.0.2 mu
name 10.0.0.22 shun
name 10.0.0.99 nagios
name 10.0.0.156 adminpc
name 10.0.0.5 aiolia
name 10.0.0.6 aiolos
name 10.0.0.1 aldebaran
name 10.10.10.10 camserver
name 10.0.0.7 isasrvdmz
name 192.168.1.10 penguin
name 192.168.0.2 pix_oldwan_ip
name 93.63.239.50 pix_wan_ip
dns-guard
!
interface Ethernet0
nameif outside
security-level 0
ip address pix_oldwan_ip 255.255.255.252
ospf cost 10
!
interface Ethernet0.2
vlan 3
nameif newext
security-level 0
ip address pix_wan_ip 255.255.255.240
ospf cost 10
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.0.0.100 255.0.0.0
ospf cost 10
!
interface Ethernet2
nameif dmz
security-level 4
ip address 192.168.1.1 255.255.255.0
ospf cost 10
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system flash:/image.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns server-group DefaultDNS
name-server aldebaran
name-server mu
domain-name xxx.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DMZ_Servers
network-object 192.168.1.0 255.255.255.0
object-group network mailsrvs
description SMTP Mail servers
network-object host aiolos
network-object host nagios
network-object host dohko
network-object host milo
access-list 1 standard permit any
access-list outside_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any
access-list intf2_access_in extended permit ip any any
access-list intf2_access_out extended permit tcp any eq smtp host isasrv eq smtp
access-list intf2_access_out extended permit tcp any eq www host isasrv eq www
access-list intf2_access_out extended permit tcp any eq ssh any eq ssh
access-list intf2_access_out extended permit tcp any eq https any eq https
access-list intf2_access_out extended permit tcp any eq ftp any eq ftp
access-list intf2_access_out extended permit tcp any eq pop3 any eq pop3
access-list intf2_access_out extended permit tcp any eq 8888 any eq 8888
access-list intf2_access_out extended permit tcp any eq 2221 any eq 2221
access-list intf2_access_out extended permit ip any any
access-list outside_cryptomap extended permit ip any 10.10.10.0 255.255.255.224
access-list l2tp extended permit ip any any
access-list inside_access_out extended permit ip any any
access-list 102 extended permit tcp object-group mailsrvs any eq smtp
access-list 102 extended deny tcp any any eq smtp
access-list 102 extended permit ip any any
access-list 102 extended permit icmp any any
access-list newext_access_in extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging buffer-size 1048576
logging buffered debugging
logging asdm informational
logging facility 22
logging permit-hostdown
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu newext 1500
ip local pool pool1 camserver-10.10.10.20 mask 255.0.0.0
icmp permit any newext
asdm image flash:/asdm
asdm location aldebaran 255.255.255.255 inside
asdm location 10.0.1.1 255.255.255.255 inside
asdm location pix_oldwan_ip 255.255.255.255 inside
asdm location penguin 255.255.255.255 dmz
asdm history enable
arp timeout 14400
global (outside) 10 interface
global (inside) 1 interface
global (dmz) 1 interface
global (newext) 2 interface
nat (inside) 2 0.0.0.0 0.0.0.0
nat (dmz) 2 0.0.0.0 0.0.0.0
static (dmz,outside) tcp interface https isasrv https netmask 255.255.255.255
static (dmz,outside) tcp interface 8888 isasrv 8888 netmask 255.255.255.255
static (dmz,outside) tcp interface 5901 isasrv 5901 netmask 255.255.255.255
static (dmz,outside) tcp interface pop3 isasrv pop3 netmask 255.255.255.255
static (dmz,outside) tcp interface 2221 isasrv 2221 netmask 255.255.255.255
static (dmz,outside) tcp interface www isasrv www netmask 255.255.255.255
static (dmz,outside) tcp interface smtp isasrv smtp netmask 255.255.255.255
static (dmz,outside) tcp interface ftp isasrv ftp netmask 255.255.255.255
static (dmz,newext) tcp interface https isasrv https netmask 255.255.255.255
static (dmz,newext) tcp interface www isasrv www netmask 255.255.255.255
static (dmz,newext) tcp interface ftp isasrv ftp netmask 255.255.255.255
static (dmz,newext) tcp interface smtp isasrv smtp netmask 255.255.255.255
static (dmz,newext) tcp interface pop3 isasrv pop3 netmask 255.255.255.255
static (dmz,newext) tcp interface 5901 isasrv 5901 netmask 255.255.255.255
static (dmz,newext) tcp interface 2221 isasrv 2221 netmask 255.255.255.255
static (dmz,newext) tcp interface 8888 isasrv 8888 netmask 255.255.255.255
static (inside,outside) tcp interface 9080 camserver 9080 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 aldebaran 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 10723 dohko 10723 netmask 255.255.255.255
static (inside,outside) tcp interface 21500 dohko 21500 netmask 255.255.255.255
static (inside,outside) tcp interface 21300 kamyo 21300 netmask 255.255.255.255
static (inside,outside) tcp interface 7000 kamyo 7000 netmask 255.255.255.255
static (inside,outside) tcp interface 21400 deathmask 21400 netmask 255.255.255.255
static (inside,outside) tcp interface 6000 deathmask 6000 netmask 255.255.255.255
static (inside,outside) tcp interface 8080 shun 8080 netmask 255.255.255.255
static (inside,outside) tcp interface 8821 mu ftp netmask 255.255.255.255
static (inside,outside) tcp interface ssh nagios ssh netmask 255.255.255.255
static (inside,outside) tcp interface 3390 pdc 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3388 shura 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3387 milo 3389 netmask 255.255.255.255
static (inside,newext) tcp interface 21400 deathmask 21400 netmask 255.255.255.255
static (inside,newext) tcp interface 21300 kamyo 21300 netmask 255.255.255.255
static (inside,newext) tcp interface 21500 dohko 21500 netmask 255.255.255.255
static (inside,newext) tcp interface 7000 kamyo 7000 netmask 255.255.255.255
static (inside,newext) tcp interface 6000 deathmask 6000 netmask 255.255.255.255
static (inside,newext) tcp interface 10723 dohko 10723 netmask 255.255.255.255
static (inside,newext) tcp interface 3389 aldebaran 3389 netmask 255.255.255.255
static (inside,newext) tcp interface 9080 camserver 9080 netmask 255.255.255.255
static (inside,newext) tcp interface 8080 shun 8080 netmask 255.255.255.255
static (inside,newext) tcp interface 8821 mu ftp netmask 255.255.255.255
static (inside,newext) tcp interface ssh nagios ssh netmask 255.255.255.255
static (dmz,newext) tcp interface 5902 penguin 5902 netmask 255.255.255.255
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
access-group l2tp in interface outside
access-group 102 in interface inside
access-group inside_access_out out interface inside
access-group intf2_access_in in interface dmz
access-group intf2_access_out out interface dmz
access-group newext_access_in in interface newext
route outside 0.0.0.0 0.0.0.0 192.168.0.1 100
route newext 0.0.0.0 0.0.0.0 93.63.239.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server vpn protocol radius
aaa-server vpn host aldebaran
key radiuskey
radius-common-pw radiuskey
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
wins-server value 10.0.0.1
dns-server value 10.0.0.1 10.0.0.100
vpn-tunnel-protocol IPSec l2tp-ipsec
default-domain value cisco.com
http server enable
http 10.0.0.0 255.0.0.0 inside
snmp-server host inside nagios poll community xxx version 2c
snmp-server host dmz penguin poll community xxx version 2c
snmp-server location xxx
snmp-server contact xxx
snmp-server community xxx
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
crypto ipsec transform-set TRANSP_ESP_DES_MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANSP_ESP_DES_MD5 mode transport
crypto ipsec transform-set TRANS_ESP_DES_MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_DES_MD5 mode transport
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp enable newext
crypto isakmp nat-traversal 20
tunnel-group DefaultRAGroup general-attributes
address-pool pool1
authentication-server-group vpn
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
no authentication chap
authentication ms-chap-v2
authentication eap-proxy
telnet 10.0.0.0 255.0.0.0 inside
telnet penguin 255.255.255.255 dmz
telnet timeout 5
ssh timeout 5
ssh version 1
console timeout 0
dhcpd dns 213.140.2.43 213.140.2.49
dhcpd ping_timeout 750
dhcpd auto_config outside
!
dhcpd address mu-nagios inside
!
dhcpd address penguin-penguin dmz
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns
inspect h323 h225
inspect h323 ras
inspect http
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ftp
!
service-policy global_policy global
smtp-server 10.0.0.6
prompt hostname context
Cryptochecksum:ac82c3ce6ffdc807e6c7ec984e8cd572

pochi giorni fa funzionava, devo aver toccato qualcosa che non andava toccata!

Ciao a tutti

[Wizard]

Codice: Seleziona tutto

icmp permit any outside

[draven76]

Nulla da fare, ho aggiunto il comando (anche se c'era già icmp permit any newext e io sto pingando quella) ma non funziona ancora.

Sono molto propenso a resettare la configurazione ai valori di default stanotte e a rifarla daccapo, ho la netta sensazione che si sia inceppato qualcosa con tutto il casino che c'ho combinato di recente a sto benedetto firewall. Tra l'altro ho dei "rimasugli" di config di un accesso vpn che tempo fa stavo realizzando ma che poi scartai per sopravvenuti nuovi impegni + urgenti.

Cmq sono certo che sia qualcosa che ha a che fare col routing, e mi spiego:

se pingo il vecchio indirizzo pubblico, che gira tutto sulla outside (192.168.0.2) funziona a patto che la regola di routing col costo + basso sia quella che passa tramite outside. In caso contrario, sul log del pix vedo un bel "no route to indirizzochepinga from 192.168.0.2. E allo stesso modo, giorni fa, accadeva pingando l'ip nuovo attestato su newext senza aver dato la priorità alla regola di routing che fa uscire tutto dalla stessa newext. Adesso invece, se anche metto in secondo piano il routing verso l'esterno attraverso newext, pingando il nuovo ip pubblico non ottengo l'errore di un tempo... sta quindi seguendo un qualche routing diverso, mi par di capire... ma quale???

Ciao,

[draven76]

Risolto... ho cambiato a .51 e poi subito rimesso a .50 l'indirizzo pubblico settato sulla newext e tutto ha ripreso a funzionare... immagino sia stato un problema di tabella arp del firewall/switch/router

meglio così!

Ciao,

[Wizard]

Si direi di si!
Cmq, aggiorna la ios appena puoi perchè è vecchia.

[draven76]

Gli aggiornamenti si pagano o sono distribuiti gratuitamente? Da quel ricordo, si pagavano... ora però il pix è anche un prodotto in dirittura di dismissione completa da parte di cisco (mi hanno anche chiamato per segnalarmi la end of support date e invitarmi a comprarmi un prodotto nuovo )...

Ciao,

[Wizard]

Eh si, se passi ad ASA hai anche degli sconti ora!