Internet Access for (dualNic)Unix proble

By natem ·
We have a Cisco Pix 506 firewall setup to allow anyone to access the Internet from the inside.

We have a AIX 4.3 IBM Unix server that is on the internal LAN along with about 60 other workstations and servers.

The AIX has a nic that is in the ip scheme of our internal network. The second nic is in the ip scheme of our DMZ. My Windows 2000 Professional workstation is configured the same. (The pix is set as the default gateway and static routes map to all WAN sites out a local 2600 Cisco router.)

I am able to connect to any Internet site from my workstation. The AIX is unable to connect to anything outside our WAN. The PIX, AIX, and my workstation can all ping each other. Traceroute goes from my machine to the PIX, just like the AIX.

From debugging the PIX I can see that pinging from the AIX to the IP of www.cisco.com gets to the internal side of the PIX, but there is no reply. From my workstation I can ping the IP of www.cisco.com and get a reply. The only ACL on the PIX is for incoming traffic only.

I have had outside help take a look at the PIX and in their opinion, it's not the PIX. The same with the AIX.

Any suggestions would be helpful,
Nate


Internet Access for (dualNic)Unix proble

by Johan101 In reply to Internet Access for (dual ...

Check on the AIX that the default gateway is configured correctly.
If necessary, delete the default gateway and recreate it on the AIX.
I had the same problem on my Linux router.

Here is the command I had to use:
route add default gw <router ip>
My Linux router could not get through our gateway router onto the Internet.


Internet Access for (dualNic)Unix proble

by natem In reply to Internet Access for (dual ...

Turned out to be a bad nic, but I see what you mean.


Internet Access for (dualNic)Unix proble

by uofM In reply to Internet Access for (dual ...

Do I understand you correctly that you have the DMZ attached to the AIX box (via the 2nd NIC), which is inside the internal network (via the 1st NIC)??!!!


Internet Access for (dualNic)Unix proble

by natem In reply to Internet Access for (dual ...

That's right. It's not actually a DMZ, but I didn't want to be too confusing. We have a proxy that's configured the same way. Everything on our WAN gets to the Internet through our proxy. There's no actual 'routing' between our WAN and the Internet; not textbook, but it works. Thanks for taking a look, it turned out to be a bad nic.


Internet Access for (dualNic)Unix proble

by paulo.sedrez In reply to Internet Access for (dual ...

Three things:

1- Let's make debugging easy: enable logging on the PIX, pointing to the AIX:

logging trap informational
logging facility local4 (or 20)
logging host inside <AIX IP>

Each time it rejects some packet for any reason, it will log it on the AIX (don't forget to redirect the logging to a file on the AIX side).

2- This one is tricky, and not well documented. AIX 4.3.3 comes with Path MTU Discovery enabled by default. Before the first UDP or TCP connection to a host, and then every 30 minutes, AIX will send an ICMP 'echo request' (ping) packet to the destination host, sized to the MTU of the routing interface, and wait for the 'echo reply' (pong) to analyze its fragmentation state, and so resolve the optimal MTU for that host. This is a time-consuming operation, and usually useless when behind a firewall, and it can cause connections to time out at early stages.

So, I suggest you disable this feature with the command "no" (I think it stands for "Network Options"), as root:

no -o udp_pmtu_discover=0
no -o tcp_pmtu_discover=0

If this solves your problem, you can add these lines to the end of the /etc/rc.tcpip script.

3- Check if you are allowing ICMP packets to enter your network. AFAIK, PIX only maintains states for TCP and fakes it for UDP. If you want to be sure, only allow 'echo request', 'echo reply' and the 'host unreachable' group.

--Sedrez
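A check that ties Sedrez's points 1 and 3 together, written here as an added example and not part of the original thread: once the PIX is logging to the AIX syslog host, this script scans those lines for denied ICMP packets and reports which replies never reached the internal host (unanswered pings, or dropped 'fragmentation needed' messages that would stall the PMTU discovery described in point 2). It assumes the PIX 106023/106014 "Deny ... icmp" syslog message formats; the log lines, hostnames and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample of PIX syslog lines as received on the AIX (hypothetical
# addresses and ACL name; not taken from the thread).
SAMPLE_LOG = """\
Mar  3 10:12:01 pix %PIX-4-106023: Deny icmp src outside:198.51.100.10 dst inside:10.1.1.5 (type 0, code 0) by access-group "acl_out"
Mar  3 10:12:02 pix %PIX-4-106023: Deny icmp src outside:198.51.100.10 dst inside:10.1.1.5 (type 0, code 0) by access-group "acl_out"
Mar  3 10:12:03 pix %PIX-3-106014: Deny inbound icmp src outside:198.51.100.10 dst inside:10.1.1.5 (type 3, code 4)
Mar  3 10:12:05 pix %PIX-6-302001: Built outbound TCP connection 12 for faddr 198.51.100.10/80 gaddr 203.0.113.2/1030 laddr 10.1.1.7/1030
Mar  3 10:12:06 pix %PIX-4-106023: Deny udp src outside:198.51.100.20/53 dst inside:10.1.1.5/1024 by access-group "acl_out"
"""

# Matches the ICMP form of the PIX 106023 (ACL deny) and 106014 (inbound deny) messages.
DENY_ICMP = re.compile(
    r"%PIX-\d-1060(?:23|14): Deny (?:inbound )?icmp src (\w+):([\d.]+) "
    r"dst (\w+):([\d.]+) \(type (\d+), code (\d+)\)"
)

ICMP_TYPES = {0: "echo-reply", 3: "dest-unreachable", 8: "echo-request", 11: "time-exceeded"}


def parse_icmp_denials(log_text):
    """Return (src_if, src_ip, dst_if, dst_ip, icmp_type, icmp_code) for each denied ICMP packet."""
    hits = []
    for line in log_text.splitlines():
        m = DENY_ICMP.search(line)
        if m:
            src_if, src, dst_if, dst, itype, code = m.groups()
            hits.append((src_if, src, dst_if, dst, int(itype), int(code)))
    return hits


def summarize(denials):
    """Count denied ICMP packets per (type name, code) so the ACL gap is visible at a glance."""
    counts = Counter()
    for _, _, _, _, itype, code in denials:
        counts[(ICMP_TYPES.get(itype, f"type-{itype}"), code)] += 1
    return counts


def diagnose(denials, host_ip):
    """Explain, for one internal host, which dropped replies would make it look unable to reach the Internet."""
    findings = []
    for src_if, src, _, dst, itype, code in denials:
        if dst != host_ip:
            continue
        if itype == 0:
            findings.append(f"echo reply from {src} dropped on {src_if}: pings from {dst} look unanswered")
        elif itype == 3 and code == 4:
            findings.append(f"fragmentation-needed from {src} dropped: PMTU discovery on {dst} will stall")
        elif itype == 3:
            findings.append(f"unreachable (code {code}) from {src} dropped: {dst} will wait for timeouts")
    return findings


if __name__ == "__main__":
    denials = parse_icmp_denials(SAMPLE_LOG)
    print(summarize(denials))
    print("\n".join(diagnose(denials, "10.1.1.5")))
```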


Internet Access for (dualNic)Unix proble

by natem In reply to Internet Access for (dual ...

Turned out to be a bad nic. Thanks for the help.


Internet Access for (dualNic)Unix proble

by natem In reply to Internet Access for (dual ...

This question was closed by the author
