[fw-wiz] RE:[fw-wiz]: unable to ping behind the firewall

From: Sloane, David (DSloane_at_vfa.com)
Date: 12/10/03

    To: "Hilal Hussein" <hilalma@hotmail.com>, <firewall-wizards@honor.icsalabs.com>
    Date: Wed, 10 Dec 2003 11:17:03 -0500
    
    

    Hilal,

    It sounds like you have too many variables to make sense of the
    situation.

    I'm assuming there's some reason you can't find or clean the
    virus-infected/bad-arp computer. If you can find it, at least pull it
    off the network for a while for testing. If you can't find it because
    it produces invalid Ethernet addresses, disconnect half of your
    workstations and sniff for the ARP packets. Dividing the pool in half,
    and half again, and so on, can make this a manageable process.

    I would try to make sure that the network equipment is all working as
    desired first. For example, if you put a
    (hardened/firewalled/disposable/knoppix) computer on the same switch as
    the firewall and the ISP router, give it a real IP address and try ping
    and https. If that works, you've eliminated the switch and the ISP
    router - they aren't causing the problem.

    Then go back behind the firewall with a single workstation - maybe a
    crossover cable from the firewall to a clean computer, and try ping and
    https. If those work, your firewall is probably configured correctly
    and you're back to finding the problem computer on the network. Maybe
    your LAN switch is broken, but a Layer 2 switch is unlikely to fail for
    some IP protocols and not others.

    There are certainly other ways to do this, but this is how I would
    start.

    Good luck.

    -David

    -----Original Message-----
    From: firewall-wizards-admin@honor.icsalabs.com
    [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Hilal
    Hussein
    Sent: December 08, 2003 6:10 AM
    To: firewall-wizards@honor.icsalabs.com
    Subject: [fw-wiz] [fw-wiz]: unable to ping behind the firewall

    Hello list,
    I have a problem, and would like to take your comments, feedback, and
    guidelines about how to resolve it.
    I have a network with the following setup: an ISP router connected
    directly to a 3Com 16-port switch in our network, and this switch is
    connected directly to a Cisco PIX firewall.
    So we are getting internet access through the firewall, then the switch,
    then the ISP router ...

    From our network we can browse the internet, telnet, MSN, chat, but I
    CAN'T ping any internet host (like yahoo, or cnn), and also some users
    can't access internet web-based BANK LOGIN ACCOUNTS like https, and maybe
    other internet services!
    Notice that:

    1 - All outbound TCP & UDP ports, including 443/TCP (outbound), are
    open on the firewall.

    2 - Our internet PCs are mostly WinXP Professional, only a few are
    Windows 98, all are security patched, and the IP addresses belong to the
    private subnets.

    3 - Our network has been infected, and is still infected, by a virus that
    is using one of the PCs to generate lots of ARP traffic, which is
    affecting the whole network throughput.

    4 - My firewall is not blocking ICMP, as:
    - conduit permit icmp any any
    - outbound permit x.x.x.x. x.x.x.x (internal network) icmp

    I already consulted the ISP; they did not block the ICMP request/response
    packets. Even other customers connected to the same ISP router are able
    to ping, but we can't.

    Also, I am unable to even ping the IP address of the ISP's router!

    I would like to know if this is causing the unavailability of the ping and
    https services? In other words, does flooding (if it is flooding) the ARP
    table of the firewall cause this problem?
    Supposing that it is not because of the firewall, could it be because of
    the switch?

    Moreover, I am using the Kiwi Syslog Daemon software to audit the logs of
    the PIX firewall, but it is not showing anything on the screen, as it is
    saying "unable to open UDP socket on port 514". And I am running Kiwi on
    a WinXP PC. Please tell me, is this issue related to the above-mentioned
    issue or not? If not, how do I resolve it, knowing that I installed Fport
    and it showed me that the UDP port is already used by the system, with no
    service name mentioned.

    I hope you are not confused by this jumble of issues; maybe they are
    related, maybe not, but all I want to say is that it all happened at once,
    and I am not able to figure out what the resolution steps could be.

    Thanks for any future input, and I would really appreciate coming out
    with a solution.

    with regards,
    Hilal


    _______________________________________________
    firewall-wizards mailing list firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
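David's advice above is to sniff for the ARP packets and bisect the workstation pool until the noisy host is found. The following is an added example, not code from either poster, showing what to do with the capture once you have it: parse raw Ethernet frames, keep only ARP, rank senders by ARP volume, and flag the "invalid Ethernet address" patterns that make a host hard to locate (multicast or zero source MAC, or an ARP sender hardware address that does not match the Ethernet source). The MAC and IP addresses and the frames themselves are constructed for the example; a real run would feed it frames from a pcap or a raw socket.

```python
"""
Added example: triage an ARP capture to find the host flooding the LAN.
Frames, MACs and IPs below are constructed for illustration.
"""
import struct
from collections import Counter

ETH_HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, ethertype
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def ip(b):
    return ".".join(str(x) for x in b)


def parse_arp(frame):
    """Return a dict for an Ethernet/IPv4 ARP frame, else None (non-ARP or truncated)."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    dst, src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if htype != 1 or ptype != ETHERTYPE_IPV4 or hlen != 6 or plen != 4:
        return None
    return {"eth_src": mac(src), "eth_dst": mac(dst), "op": op,
            "sha": mac(sha), "spa": ip(spa), "tha": mac(tha), "tpa": ip(tpa)}


def anomalies(pkt):
    """Patterns that point at a broken or malicious ARP sender."""
    flags = []
    if int(pkt["eth_src"][:2], 16) & 1:          # group bit set: never valid as a source
        flags.append("multicast/broadcast source MAC")
    if pkt["eth_src"] == "00:00:00:00:00:00":
        flags.append("zero source MAC")
    if pkt["sha"] != pkt["eth_src"]:             # payload address disagrees with the frame
        flags.append("ARP sender MAC != Ethernet source MAC")
    return flags


def rank_arp_senders(frames):
    """Count ARP frames per Ethernet source and collect anomaly flags per source."""
    counts = Counter()
    flagged = {}
    for frame in frames:
        pkt = parse_arp(frame)
        if pkt is None:
            continue
        counts[pkt["eth_src"]] += 1
        for a in anomalies(pkt):
            flagged.setdefault(pkt["eth_src"], set()).add(a)
    return counts, flagged


def build_arp(eth_src, sha, spa, tpa, op=1, eth_dst=b"\xff" * 6):
    """Construct a sample ARP frame (only used to fabricate the test traffic)."""
    return ETH_HDR.pack(eth_dst, eth_src, ETHERTYPE_ARP) + \
        ARP_HDR.pack(1, ETHERTYPE_IPV4, 6, 4, op, sha, spa, b"\x00" * 6, tpa)


# Constructed sample capture: one well-behaved host, one host sweeping the
# subnet with a spoofed sender hardware address, and one non-ARP frame.
GOOD_MAC = bytes.fromhex("0800273a1b2c")
NOISY_MAC = bytes.fromhex("001122334455")
SPOOFED_SHA = bytes.fromhex("deadbeef0001")

SAMPLE_FRAMES = [
    build_arp(GOOD_MAC, GOOD_MAC, bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1])),
    build_arp(GOOD_MAC, GOOD_MAC, bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20])),
]
SAMPLE_FRAMES += [
    build_arp(NOISY_MAC, SPOOFED_SHA, bytes([192, 168, 1, 200]), bytes([192, 168, 1, i]))
    for i in range(1, 51)
]
NON_ARP_FRAME = ETH_HDR.pack(GOOD_MAC, GOOD_MAC, ETHERTYPE_IPV4) + b"\x00" * 40
SAMPLE_FRAMES.append(NON_ARP_FRAME)

if __name__ == "__main__":
    counts, flagged = rank_arp_senders(SAMPLE_FRAMES)
    for src, n in counts.most_common():
        print(f"{src}  {n:5d} ARP frames  {sorted(flagged.get(src, []))}")
```

The ranking alone usually identifies the flooding host; the anomaly flags matter when, as David notes, the machine sends frames with bogus addresses, since the Ethernet source MAC (what the switch actually learned the port from) is then the only reliable handle for finding it.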


