topic pix overlapping networks in Network Security

pix overlapping networks

mohammed.ibrahim — Fri, 21 Feb 2020 07:51:30 GMT

Have overlapping network 172.16.9.0. Trying to follow the link according to which this scenario will work.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/bafwcfg.htm#wp1113571

The scenario is not working. This is what I found. Want to make sure I have not missed anything.

BB1 (172.16.9.111)-> 172.16.9.0 -> (172.16.9.11)(inside)pix(outside)(172.16.15.11) -> 172.16.15.0 -> (172.16.15.1)(e0)CCIErouter1(loopback0)

Have the following

pixfirewall(config)# sh static

static (inside,outside) 172.16.99.0 172.16.9.0 netmask 255.255.255.0 0 0

static (outside,inside) 172.16.99.0 172.16.9.0 netmask 255.255.255.0 0 0

pixfirewall(config)# sh route

outside 0.0.0.0 0.0.0.0 172.16.15.1 1 OTHER static

outside 172.16.9.0 255.255.255.128 172.16.15.1 2 OTHER static

outside 172.16.9.128 255.255.255.128 172.16.15.1 2 OTHER static

inside 172.16.9.0 255.255.255.0 172.16.9.11 1 CONNECT static

outside 172.16.15.0 255.255.255.0 172.16.15.11 1 CONNECT static

inside 192.168.53.0 255.255.255.0 172.16.9.254 1 OTHER static

pixfirewall(config)# sh ip add

System IP Addresses:

ip address outside 172.16.15.11 255.255.255.0

ip address inside 172.16.9.11 255.255.255.0

no ip address dmz

Current IP Addresses:

ip address outside 172.16.15.11 255.255.255.0

ip address inside 172.16.9.11 255.255.255.0

no ip address dmz

See the foll debug

R6-PR14-SRBB1#ping 172.16.99.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.99.1, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

R6-PR14-SRBB1#

pixfirewall(config)# 437: ICMP echo-request from inside:172.16.9.111 to 172.16.99.1 ID=2514 seq=7346 length=80

438: ICMP echo-request: translating inside:172.16.9.111 to outside:172.16.99.111

439: ICMP echo-request: untranslating inside:172.16.99.1 to outside:172.16.9.1

440: ICMP echo-reply from outside:172.16.9.1 to 172.16.99.111 ID=2514 seq=7346 length=80

441: ICMP echo-reply: translating outside:172.16.9.1 to inside:172.16.99.1

442: ICMP echo-reply: untranslating outside:172.16.99.111 to inside:172.16.9.111

443: ICMP echo-request from inside:172.16.9.111 to 172.16.99.1 ID=2515 seq=7346 length=80

R6-PR16-SR1#

003666: Jan 8 14:16:07.257 CST: ICMP: echo reply sent, src 172.16.9.1, dst 172.16.99.111

R6-PR16-SR1#

003667: Jan 8 14:16:09.257 CST: ICMP: echo reply sent, src 172.16.9.1, dst 172.16.99.111

R6-PR16-SR1#

003668: Jan 8 14:16:11.261 CST: ICMP: echo reply sent, src 172.16.9.1, dst 172.16.99.111

R6-PR16-SR1#

003669: Jan 8 14:16:13.257 CST: ICMP: echo reply sent, src 172.16.9.1, dst 172.16.99.111

R6-PR16-SR1#

003670: Jan 8 14:16:15.261 CST: ICMP: echo reply sent, src 172.16.9.1, dst 172.16.99.111

R6-PR16-SR1#

Re: pix overlapping networks

turnbull — Sun, 09 Jan 2005 09:57:36 GMT

Hi Mohammed,

The debugs look ok. The only thing I can think of without seeing the whole config is the ACL for the return ping packet. Is there an entry in the inbound access list permitting the icmp echo-reply? ICMP does not create a stateful entry. Try telnet to the router as this should work without the need for an access list inbound on the PIX and will prove if the connection is ok.

Cheers,

Paul.

Re: pix overlapping networks

mohammed.ibrahim — Sun, 09 Jan 2005 20:54:56 GMT

Paul,

I have a static entry and expilictly allowed icmp using an outside access-list

Here is the config for reference

PIX Version 6.3(4)

interface ethernet0 100full

interface ethernet1 100full

interface ethernet2 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security50

enable password xxxx

passwd xxxxx

hostname pixfirewall

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list outsidein permit icmp any any

pager lines 24

logging monitor debugging

mtu outside 1500

mtu inside 1500

mtu dmz 1500

ip address outside 172.16.x x.255.255.0

ip address inside 172.16.9.11 255.255.255.0

no ip address dmz

ip audit info action alarm

ip audit attack action alarm

no failover

failover timeout 0:00:00

failover poll 15

no failover ip address outside

no failover ip address inside

no failover ip address dmz

pdm history enable

arp timeout 14400

static (inside,outside) 172.x.x.x.16.9.0 netmask 255.255.255.0 0 0

static (outside,inside) 172.x.x.x.16.9.0 netmask 255.255.255.0 0 0

access-group outsidein in interface outside

route outside 0.0.0.0 0.0.0.0 172.16.15.1 1

route outside 172.16.9.0 255.255.255.128 172.16.15.1 2

route outside 172.16.9.128 255.255.255.128 172.16.15.1 1

route inside 192.168.53.0 255.255.255.0 172.16.9.254 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet 192.168.0.0 255.255.0.0 inside

telnet 192.168.0.0 255.255.0.0 dmz

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

Cryptochecksum:xxxx

: end

pixfirewall(config)#

Re: pix overlapping networks

turnbull — Mon, 10 Jan 2005 12:12:03 GMT

Hi Mohammed,

I see the problem now. The thing is that the config as it stands will not work. There needs to be more separation between the networks. I think it is possible the PIX is becoming confused with regard to routing the return packets. There needs to be another address range used to enable the connectivity and this must be the address utilised in the communication.

Try changing the translated address to something else:

eg.

static (inside,outside) 172.16.100.0 172.16.9.0 netmask 255.255.255.0 0 0

static (outside,inside) 172.16.100.0 172.16.9.0 netmask 255.255.255.0 0 0

Then ping 172.16.100.1

The source of 172.16.9.111 will be translated to 172.16.100.111

The dest address of 172.16.100.1 will be translated to 172.16.9.1 with the return traffic translated vice versa.

The router needs a static route pointing to the PIX for the 172.16.100.0/24 subnet.

Cheers,

Paul