topic Re: Configuring PIX for a new interface in Network Security

Configuring PIX for a new interface

rcripe — Fri, 21 Feb 2020 09:07:03 GMT

I am attempting to set up a new interface on our PIX 525E so that we can replicate data over it for a disaster recovery site.

Internal addresses: 10.0.0.0 255.0.0.0

DR Site addresses: 192.168.0.0 255.255.255.0

External address: aaa.bbb.ccc.xxx (for privacy)

I've gone through the steps listed for configuring a PIX with multiple interfaces with NAT and PAT, but the traffic still isn't flowing.

We use VLANs on the internal network, but I don't think they affect the firewall or its interfaces.

Here's the config:

PIX Version 6.3(3)

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

interface ethernet3 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security4

nameif ethernet3 DRSite security90

hostname FIREWALL

domain-name xxxxxxx.com

names

name 10.0.0.26 neoteris

name 10.0.0.24 FP02

name 10.0.0.60 exchange

name 10.0.0.31 citrix

access-list dmz_access_in permit tcp any host aaa.bbb.ccc.106 eq citrix-ica

access-list dmz_access_in permit tcp any host aaa.bbb.ccc.105 eq smtp

access-list outside_access_in permit tcp any host aaa.bbb.ccc.106 eq citrix-ica

access-list outside_access_in permit tcp any host aaa.bbb.ccc.106 eq www

access-list outside_access_in permit tcp any host aaa.bbb.ccc.107 eq www

access-list outside_access_in permit tcp any host aaa.bbb.ccc.106 eq https

access-list outside_access_in permit tcp any host aaa.bbb.ccc.107 eq https

access-list outside_access_in permit tcp any host aaa.bbb.ccc.105 eq smtp

access-list outside_access_in permit icmp any any

access-list inside_access_in permit tcp any any

access-list inside_access_in permit ip any any

access-list dmz_outbound_nat0_acl permit ip any any

access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.0.0.0 192.168.0.0 255.255.255.0

access-list DRSite_access_in permit tcp any any

access-list DRSite_access_in permit udp any any

access-list DRSite_access_in permit ip any any

access-list DRSite_access_in permit icmp any any

mtu outside 1500

mtu inside 1500

mtu dmz 1500

mtu DRSite 1500

ip address outside aaa.bbb.ccc.2 255.255.255.0

ip address inside 10.255.0.254 255.255.255.0

ip address dmz 38.112.5.138 255.255.255.252

ip address DRSite 192.168.0.1 255.255.255.0

ip verify reverse-path interface outside

pdm location citrix 255.255.255.255 inside

pdm location exchange 255.255.255.255 inside

pdm location FP02 255.255.255.255 inside

pdm location 10.0.0.0 255.255.0.0 inside

pdm location 10.3.0.0 255.255.224.0 inside

pdm location 10.0.0.0 255.0.0.0 inside

pdm location 192.168.0.0 255.255.0.0 DRSite

pdm location 192.168.0.2 255.255.255.255 DRSite

pdm history enable

arp timeout 14400

global (outside) 1 interface

global (dmz) 1 interface

global (DRSite) 1 192.168.0.2-192.168.0.200

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 10.0.0.0 255.0.0.0 0 0

nat (dmz) 0 access-list dmz_outbound_nat0_acl

nat (DRSite) 1 192.168.0.0 255.255.255.0 0 0

static (inside,dmz) aaa.bbb.ccc.107 neoteris netmask 255.255.255.255 0 0

static (inside,outside) aaa.bbb.ccc.107 neoteris netmask 255.255.255.255 0 0

static (inside,outside) aaa.bbb.ccc.108 exchange netmask 255.255.255.255 0 0

static (inside,outside) aaa.bbb.ccc.105 exchange netmask 255.255.255.255 0 0

static (inside,outside) aaa.bbb.ccc.106 citrix netmask 255.255.255.255 0 0

static (inside,dmz) aaa.bbb.ccc.106 citrix netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

access-group dmz_access_in in interface dmz

access-group DRSite_access_in in interface DRSite

route outside 0.0.0.0 0.0.0.0 aaa.bbb.ccc.1 1

route inside 10.0.0.0 255.0.0.0 10.255.0.1 1

route DRSite 192.168.0.0 255.255.0.0 192.168.0.1 1

ntp server 192.5.41.40 source outside prefer

Re: Configuring PIX for a new interface

mmorris11 — Thu, 17 Aug 2006 17:56:54 GMT

You need:

static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

HTH pls rate!

Re: Configuring PIX for a new interface

rcripe — Thu, 17 Aug 2006 18:23:30 GMT

No luck. I still can't ping from one side to the other.

Here's my show route display now:

FIREWALL# show route

outside 0.0.0.0 0.0.0.0 aaa.bbb.ccc.1 1 OTHER static

inside 10.0.0.0 255.0.0.0 10.255.0.1 1 OTHER static

inside 10.255.0.0 255.255.255.0 10.255.0.254 1 CONNECT static

dmz 38.112.5.136 255.255.255.252 38.112.5.138 1 CONNECT static

DRSite 192.168.0.0 255.255.255.0 192.168.0.1 1 CONNECT static

DRSite 192.168.0.0 255.255.0.0 192.168.0.1 1 OTHER static

outside aaa.bbb.ccc.0 255.255.255.0 aaa.bbb.ccc.2 1 CONNECT static

Re: Configuring PIX for a new interface

mmorris11 — Thu, 17 Aug 2006 18:50:08 GMT

My bad..

static (inside,DRSite) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

static (inside,DRSite) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

Re: Configuring PIX for a new interface

rcripe — Thu, 17 Aug 2006 19:52:52 GMT

Ah, yeah, I should have noticed that too.

However, it still doesn't work. The second line conflicted with the global setting

global (DRSite) 1 192.168.0.2-192.168.0.200

So I tried it with the global setting and it didn't work. Then I removed the global setting and used the static you indicated and tried again. Still no luck.

Re: Configuring PIX for a new interface

mmorris11 — Thu, 17 Aug 2006 19:57:22 GMT

try after doing a clear xlate.

Re: Configuring PIX for a new interface

mmorris11 — Thu, 17 Aug 2006 20:01:34 GMT

Are you routing 10.255.0.x/24 properly such that the 192.168.0.x hosts will send the traffic to the pix for that subnet?

Run this debug while pinging from the DR box:

debug packet DRSite

term mon

and see if you see the pings hitting the pix.

-mike

Re: Configuring PIX for a new interface

sundar.palaniappan — Thu, 17 Aug 2006 22:46:52 GMT

Hi,

The PIX config looks good. Can you make sure the router or layer 3 switch connected to the inside network is forwarding the traffic to 192.168.0.0/24 subnet to the PIX and the devices/hosts on the DR subnet are using 192.168.0.1 as the gateway to get to your inside network. While you have been focusing your troubleshooting on PIX all this time it could be something as simple as a incorrect subnet mask setting on the host or might be a routing issue.

Another thing you could try is if you have a router hanging off of the PIX interfaces, enable 'debug ip icmp' on it to see if echo and echo-replies are being received and sent.

Good Luck!!

Regards,

Sundar