topic Re: PIX routing between VLANS in Network Security

PIX routing between VLANS

jmarr — Fri, 21 Feb 2020 07:50:17 GMT

I’m trying to configure the following

I have a Pix525 with 3 physical interfaces. The DMZ interface is configured for VLANS. Only 2 vlans are used, native (matching up to VLAN1 on my switch) is used for my DMZ servers and VLAN 55 is used to connect to a VPN 3005. A /30 is used to number VLAN 55 on the PIX to the private interface on the VPN 3005. A /24 is statically routed from the PIX, pointing to the IP address on private interface for use by various VPN clients.

My problem is that when I try to access anything from the VPN client /24 going to the DMZ interface, I get this error in the firewall log:

%PIX-6-110001: No route to 10.101.0.5 from 10.1.2.2

I can access everything from the VPN on the internal interface, I can’t figure out what’s misconfigured.

The security setting for the interfaces are configured as follows:

dmz = 50

vpn = 25

Any help will be greatly appreciated.

Re: PIX routing between VLANS

arousch.sprint — Mon, 03 Jan 2005 20:27:05 GMT

Call me nutty - but I'm guessing the PIX has no route between those 2 subnets 🙂 How are you routing between the 2 VLANS?

Re: PIX routing between VLANS

svuorilehto — Wed, 05 Jan 2005 07:53:40 GMT

Hi,

I have exactly same problem. We have dmz-interface, 2 vlans used. Physical vlan is 100 (DMZ) and logical 200 (DMZ2).

Security levels are:

DMZ = 50

DMZ2 = 60

When connecting from DMZ2 to DMZ I get that 110001 log message saying there's no route from DMZ2 to DMZ...

When connecting from DMZ to DMZ2, I get "Built outbound TCP connection" -message saying that connection is built, but right after comes "Deny TCP (no connection)" -message...

sh route -command gives following output regarding to those interfaces:

C 10.100.100.0 is directly connected, DMZ

C 10.200.200.0 is directly connected, DMZ2

So I'd say that those should see each other...

Following traffic goes alright:

DMZ --> Inside

DMZ2 --> Inside

DMZ --> Outside

DMZ2 --> Outside

Access-lists and nat/globals are configured so that everything should work, but...

Is this some sort of bug? Can't PIX route traffic on vlans? I'm puzzled, please if someone has any suggestions I'd be very delighted...

*******

Saska

Re: PIX routing between VLANS

klwilson — Thu, 06 Jan 2005 00:48:05 GMT

Our PIXs route fine vlan-vlan. Our configuration is

interface ethernet3 vlan90 physical

interface ethernet3 vlan96 logical

interface ethernet3 vlan97 logical

interface ethernet3 vlan98 logical

nameif ethernet0 inside security100

nameif ethernet1 Failover security80

nameif ethernet2 StateFull security85

nameif ethernet3 v security0

nameif vlan96 x security25

nameif vlan97 y security50

nameif vlan98 z security0

whereas vlan90 isn't a traffic carying vlan. So difference would be you're routing between physical to logical; I'm routing between logical to logical. You might try to convert vlan 100 to a logical vlan, see if it makes a difference.

Re: PIX routing between VLANS

svuorilehto — Fri, 07 Jan 2005 07:48:25 GMT

Hi there, and thanks for the answer!

I tried that change from physical to logical, but still no effect...

What PIX version are you using? We have 6.3(1).

*******

Saska

Re: PIX routing between VLANS

klwilson — Mon, 10 Jan 2005 17:31:07 GMT

6.3(3). Can you post a config to look at?

Re: PIX routing between VLANS

svuorilehto — Tue, 11 Jan 2005 07:29:25 GMT

Hi and thanks,

Here's our config, at least strongly edited one... I have included lines I think are relevant, if there are any others you would like to examine, please let me know.

There are no route lines, because both interfaces are directly connected.

*******

Saska

----------------clip--------------------

PIX Version 6.3(1)

interface ethernet0 100full

interface ethernet1 100full

interface ethernet2 100full

interface ethernet2 vlan200 logical

interface ethernet2 vlan100 logical

interface ethernet3 auto shutdown

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 intf7 security14

nameif ethernet3 intf3 security15

nameif vlan200 DMZ2 security60

nameif vlan100 DMZ security50

no ip address intf3

no ip address intf7

ip address DMZ2 10.200.200.1 255.255.255.224

ip address DMZ 10.100.100.1 255.255.255.0

arp timeout 14400

nat (inside) 0 access-list NO_NAT_INSIDE

nat (DMZ2) 0 10.200.200.0 255.255.255.224 0 0

nat (DMZ) 0 access-list NO_NAT_DMZ

static (inside,DMZ2) 10.18.0.0 10.18.0.0 netmask 255.255.0.0 0 0

static (DMZ2,DMZ) 10.200.200.0 10.200.200.0 netmask 255.255.255.224 0 0

----------------clip--------------------