topic VLAN through PIX in Network Security

VLAN through PIX

laner61 — Tue, 12 Mar 2019 01:11:29 GMT

I’m adding a Cisco 1140 access point to my wired network. It is mostly for guest access, though I’m also carving out access for employees with wireless devices accessing our company resources.

The issue I seem to be having is with getting to the internet.

Here’s our setup: 1140 AP connected to a 2960 switch connected to a PIX506E, running 6.3(5). A single MS server is DC for our company.

I setup two VLANs on the switch, internal and Guest. Our IP scheme is 192.168.102.0/24 for internal and 192.168.101.0/24 for guest access. The AP also has the same two VLANs configured. The AP passes DHCP to the switch for addresses, but only for guests. The wired company users get DHCP from the MS server. The PIX is directly connected to our ISP’s device. The PIX is configured with the 2nd VLAN on a logical interface.

My suspicion is that NAT is keeping the Guest VLAN from getting out.

Configs:

***

AIR-AP1141N-AK9:

Current configuration : 2393 bytes

version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec localtime show-timezone

service password-encryption

hostname Joe

enable secret 5 gobbledygook

ip domain name mydomain.com

ip name-server 201.11.64.2

ip name-server 201.11.64.3

dot11 vlan-name Guest vlan 2

dot11 ssid Center

vlan 1

authentication open

dot11 ssid CenterGuest

vlan 2

authentication open

guest-mode

username Cisco password 7 112A1016141D

bridge irb

interface Dot11Radio0

no ip address

no ip route-cache

ssid Center

ssid CenterGuest

antenna gain 0

speed basic-1.0 basic-2.0 basic-5.5 basic-11.0 basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.

station-role root

interface Dot11Radio0.1

encapsulation dot1Q 1 native

no ip route-cache

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

bridge-group 1 spanning-disabled

interface Dot11Radio0.2

encapsulation dot1Q 2

ip helper-address 192.168.102.5

no ip route-cache

bridge-group 2

bridge-group 2 subscriber-loop-control

bridge-group 2 block-unknown-source

no bridge-group 2 source-learning

no bridge-group 2 unicast-flooding

bridge-group 2 spanning-disabled

interface GigabitEthernet0

no ip address

no ip route-cache

duplex auto

speed auto

no keepalive

interface GigabitEthernet0.1

encapsulation dot1Q 1 native

no ip route-cache

bridge-group 1

no bridge-group 1 source-learning

bridge-group 1 spanning-disabled

interface GigabitEthernet0.2

encapsulation dot1Q 2

ip helper-address 192.168.102.5

no ip route-cache

bridge-group 2

no bridge-group 2 source-learning

bridge-group 2 spanning-disabled

interface BVI1

ip address 192.168.102.1 255.255.255.0

no ip route-cache

ip default-gateway 192.168.102.5

ip http server

no ip http secure-server

ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag

bridge 1 route ip

line con 0

password 7 gobbledygook

line vty 0 4

end

***

Relevant config from switch:

ip dhcp excluded-address 192.168.101.1

ip dhcp pool Guest

network 192.168.101.0 255.255.255.0

default-router 192.168.101.1

domain-name centerpt.org

dns-server 208.88.64.2 208.88.64.3 68.67.112.4 8.8.8.8

spanning-tree mode pvst

spanning-tree extend system-id

vlan internal allocation policy ascending

interface FastEthernet0/9

description AP

switchport trunk allowed vlan 1,2

switchport mode trunk

switchport nonegotiate

interface FastEthernet0/19

description PIX

switchport trunk allowed vlan 1,2

switchport mode trunk

switchport nonegotiate

spanning-tree portfast

interface Vlan1

description Native

ip address 192.168.102.5 255.255.255.0

no ip route-cache

interface Vlan2

description VLAN for guest access only

ip address 192.168.101.1 255.255.255.0

no ip route-cache

ip default-gateway 192.168.102.2

ip http server

no ip http secure-server

etc…

***

PIX config

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol pptp 1723

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

ip address outside xx.x.xxx.xxx 255.255.255.224

ip address inside 192.168.102.2 255.255.255.0

ip address intf3 192.168.101.2 255.255.255.0

ip verify reverse-path interface outside

ip verify reverse-path interface inside

ip audit info action alarm

ip audit attack action alarm

global (outside) 1 interface

global (inside) 1 192.168.101.10-192.168.101.254 netmask 255.255.255.0

global (intf3) 1 192.168.101.10-192.168.101.254 netmask 255.255.255.0

nat (inside) 1 access-list inside_outbound_nat0_acl 0 0

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

nat (intf3) 1 access-list inside_outbound_nat1_acl 0 0

nat (intf3) 1 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 xx.xx.xxx.xx 1

route outside 0.0.0.0 0.0.0.0 192.168.102.6 150

etc…

Users connecting to the Guest VLAN on the AP can ping both the VLAN 2 on the switch and the PIX: 192.168.101.1 and 192.168.101.2, respectively. They cannot ping outside to DNS servers or anything past the PIX. Wired users have not had any problems at all.

What do you think?

Thanks,

Lane

VLAN through PIX

Jennifer Halim — Thu, 07 Mar 2013 23:41:55 GMT

To start with, please kindly remove the following 2 statements:

global (inside) 1 192.168.101.10-192.168.101.254 netmask 255.255.255.0

global (intf3) 1 192.168.101.10-192.168.101.254 netmask 255.255.255.0

Then "clear xlate"

Also advise what you have configured for ACL: inside_outbound_nat1_acl

Re: VLAN through PIX

laner61 — Fri, 08 Mar 2013 02:25:31 GMT

I believe the ACL is "permit 192.168.101.10-192.168.101.254 0 0"

Actually, it's "access-list inside_outbound_nat1_acl permit ip any 192.168.101.0 255.255.255.0"

Message was edited by: Lane Richardson

VLAN through PIX

laner61 — Fri, 08 Mar 2013 15:00:16 GMT

Alright, this is weird. As I look over the config for the PIX I previously posted, there are some very relevant lines that didn't make it in the post. Perhaps I edited somehow - I was in a hurry before I left for the day. Here's a better representation of the config, after removing the global commands you've suggested:

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 auto

interface ethernet1 vlan2 logical

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif vlan2 intf3 security6

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol pptp 1723

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

access-list inside_outbound_nat0_acl permit ip any 192.168.102.0 255.255.255.0

access-list inside_outbound_nat1_acl permit ip any 192.168.101.0 255.255.255.0

ip address outside xx.x.xxx.xxx 255.255.255.224

ip address inside 192.168.102.2 255.255.255.0

ip address intf3 192.168.101.2 255.255.255.0

ip verify reverse-path interface outside

ip verify reverse-path interface inside

ip audit info action alarm

ip audit attack action alarm

global (outside) 1 interface

nat (inside) 1 access-list inside_outbound_nat0_acl 0 0

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

nat (intf3) 1 access-list inside_outbound_nat1_acl 0 0

nat (intf3) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp interface smtp 192.168.102.4 smtp netmask 255.255.255.255 0 0

static (inside,outside) tcp interface https 192.168.102.4 https netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 3389 192.168.102.4 3389 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface www 192.168.102.4 www netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 4125 192.168.102.4 4125 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface pptp 192.168.102.4 pptp netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 987 192.168.102.4 987 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 3390 192.168.102.11 3389 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface imap4 192.168.102.4 imap4 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 3391 192.168.102.29 3389 netmask 255.255.255.255 0 0

route outside 0.0.0.0 0.0.0.0 xx.xx.xxx.xx 1

route outside 0.0.0.0 0.0.0.0 192.168.102.6 150

timeout xlate 0:05:00

http server enable

http 192.168.102.0 255.255.255.0 inside

http 192.168.101.0 255.255.255.0 inside

Jennifer, removing the global commands and clearing xlate did not (on it's own) resolve the issue - though I did note your "To start with" disclaimer. I would imagine the bolded lines above would have some bearing on the issue.

Thanks,

Lane

VLAN through PIX

Jennifer Halim — Sat, 09 Mar 2013 00:45:00 GMT

The access-list both on the inside and intf3 interface is incorrect, and you don't need those NAT statements anyway, and can be removed as you already have "nat (intf3) 1 0.0.0.0 0.0.0.0" and "nat (inside) 1 0.0.0.0 0.0.0.0"

Please remote fhe following:

nat (inside) 1 access-list inside_outbound_nat0_acl 0 0

nat (intf3) 1 access-list inside_outbound_nat1_acl 0 0

Further to that, you should also remove the folloiwng route statement as it is incorrect:

route outside 0.0.0.0 0.0.0.0 192.168.102.6 150

Then "clear xlate".

Also just re-look into your DHCP configuration, the default router configured should be the PIX intf3 interface IP, instead of the switch since your switch is not configured with any routes.

ip dhcp pool Guest

network 192.168.101.0 255.255.255.0

default-router 192.168.101.2

domain-name centerpt.org

dns-server 208.88.64.2 208.88.64.3 68.67.112.4 8.8.8.8

VLAN through PIX

laner61 — Mon, 11 Mar 2013 14:11:25 GMT

Jennifer, that did the trick! So it was a combination of correcting the NAT and the default router for DHCP?

Also, I left the other route in - it points to another router in our network used for VOIP and is there as a backup in case our primary ISP goes down. The tech support at our VOIP vendor was the one that suggested the backup route.

Thanks very much!

Lane

VLAN through PIX

Jennifer Halim — Mon, 11 Mar 2013 20:47:25 GMT

Correct, it is combination of NAT and default router for DHCP that did the trick.

For the backup route, currently it is:

route outside 0.0.0.0 0.0.0.0 192.168.102.6 150

It is pointing to the outside, however, your next hop is the inside interface subnet, so it is never going to work. The next hop should be IP Address in the same subnet as your outside interface.

VLAN through PIX

laner61 — Mon, 11 Mar 2013 20:55:33 GMT

I think I follow you. Since the VOIP provider's T-1 router is connected to one of my switch's ports (for voice VLAN access), are you saying there will never be a way that this router will be able to act as backup? They assigned their router's LAN interface in my subnet specifically so the phones could connect. It almost sounds like I need a router to go between my switch and their router as well as my firewall...

Thanks,

Lane

VLAN through PIX

Jennifer Halim — Mon, 11 Mar 2013 21:32:28 GMT

If the VOIP provider's T1 router is connected to your voice VLAN directly, does the voice traffic even traverse the FW?

VLAN through PIX

laner61 — Mon, 11 Mar 2013 21:55:16 GMT

No, the VOIP traffic does not go out the firewall. There's a T-1 for voice only that their router is connected to. Our web services are through our own ISP. However, we did try to explore using both outside networks as backup for each other. In case our T-1 went down, we'd wanted our phones to take our ISP's route as an automatic alternate. If our ISP went down, we wanted our internal network to go out the T-1. It never did work...

VLAN through PIX

Jennifer Halim — Mon, 11 Mar 2013 21:59:52 GMT

Ahh OK, got it. Might need to look at your topology diagram to see how they are all connected.

If T1 went down, you might want to set a backup route there to point it to the ASA inside interface, and has a static route on your ASA inside for the voice subnet to point to the router.