topic Re: Pix routing to internal networks in Network Security

Pix routing to internal networks

sarat1317 — Mon, 11 Mar 2019 15:37:44 GMT

Hello

I have a PIX 515E on 6.3(4) version with internal network 192.168.20.1/24. This is connected to switch and workstations on the switch with GW 192.168.20.1

I also have another internet network 172.24.10.x which is connected via the main switch to Cisco 3750. This is as below

Pix (192.168.20.1) - switch (192.168.20.2) - internet

| |

| -----------------------------|

| |

PC (192.168.20.100) Layer 3 switch(172.24.10.1)

A VLAN is created on 3750 with 192.168.20.3 and workstation has 172.24.10.100 with GW 172.24.10.1

I added static routes on my pix and 3750

PIX - route inside 172.24.10.0 255.255.255.0 192.168.20.3

3750 - ip route 192.168.20.0 255.2555.255.0 192.168.20.1

I can ping 192.168.20.3, 172.24.10.1, 172.24.10.100 from the pix unit but not from workstation 192.168.20.100

Can someone suggest on this?

Is this something to do with same-security-inter interface command?

Thank you

Re: Pix routing to internal networks

John Blakley — Fri, 29 May 2009 20:23:21 GMT

You can ping from the pix:

192.168.20.3 (vlan svi)

172.24.10.1 (other vlan svi)

172.24.10.100 (workstation?)

Is the 192.168.20.100 device a workstation on the pix side?

A couple of things to check:

If the 192.168.20.100 is a host, can you ping any of the first 3 addresses from that workstation, or do they all stop at the firewall?

HTH,

John

Re: Pix routing to internal networks

sarat1317 — Sat, 30 May 2009 12:51:02 GMT

172.24.10.100 (workstation?)

>> Yes this is a workstation on vlan1 (172.24.10.1) of 3750 switch

Is the 192.168.20.100 device a workstation on the pix side?

>> Correct

A couple of things to check:

If the 192.168.20.100 is a host, can you ping any of the first 3 addresses from that workstation, or do they all stop at the firewall?

>> I can only ping the VLAN IP 192.168.20.3 but not other IPs. A trace from this workstation fails very first hop. Same thing when I trace 192.168.20.100 from 3750 with source interface 172.24.10.1

I actually replaced a netgear router with the pix unit and that is when this problem started. I had the same inside routes on the netgear unit and worked fine.

Thank you

Re: Pix routing to internal networks

sarat1317 — Tue, 02 Jun 2009 15:16:26 GMT

Please ignore my previous messages. Here is the updated design attached and I should be able to communicate between 192.168.20.x and 172.24.10.x networks.

Thanks in advance

Re: Pix routing to internal networks

sarat1317 — Tue, 02 Jun 2009 15:35:41 GMT

Attached

Re: Pix routing to internal networks

John Blakley — Tue, 02 Jun 2009 15:38:57 GMT

Can you post the routing table from the 3750 and the PIX?

HTH,

John

Re: Pix routing to internal networks

sarat1317 — Tue, 02 Jun 2009 19:32:58 GMT

PIX# sh route

outside 0.0.0.0 0.0.0.0 1 OTHER static

outside x.x.x.x 255.255.255.252 1 CONNECT static

inside 172.24.10.0 255.255.255.0 192.168.20.3 1 OTHER static

inside 192.168.20.0 255.255.255.0 192.168.20.1 1 CONNECT static

3750-S1#sh ip route 192.168.20.100

Routing entry for 192.168.20.0/24

Known via "connected", distance 0, metric 0 (connected, via interface)

Redistributing via eigrp 1024

Routing Descriptor Blocks:

* directly connected, via Vlan10

Route metric is 0, traffic share count is 1

3750-S1#sh ip route | i 192.168.20.0

C 192.168.20.0/24 is directly connected, Vlan10

Re: Pix routing to internal networks

John Blakley — Tue, 02 Jun 2009 19:41:37 GMT

What happens if you try to ping the pix from the 3750 while sourcing from your 172.24.10.1 address? Does it fail? If you can ping from the pix to the host on the 172.24.10.100 address, you *should* be able to ping the pix from the same host.

If you trace the packet from the 172.24.10.100 host, where does it fail? Does it get past the 3750?

John

Re: Pix routing to internal networks

Jon Marshall — Tue, 02 Jun 2009 20:02:57 GMT

Sarat

Your topology won't work.

With pix v6.x you cannot route traffic back out of the interface that the traffic entered on eg.

your client 192.168.20.100 has a default-gateway of 192.168.20.1 ie. the pix. So when it tries to ping any destination on 172.24.10.x the traffic is sent to the pix. But the pix cannot then send the traffic back out the same interface it was received on. And that's what the pix needs to do.

Solutions with the pix -

1) If you have a spare interface on the pix use that so the traffic doesn't have to routed back out the same interface

2) Upgrade your pix to v7.x or v8.x. With these versions of code there is a feature called hair-pinning which allows you to route traffic back out of the same interface it was received on.

Note v7.x/8.x code upgrade may well require you to upgrade the memory on your pix.

Jon

Re: Pix routing to internal networks

John Blakley — Tue, 02 Jun 2009 20:05:29 GMT

I learn something every day Jon. I rated you 🙂

John

Re: Pix routing to internal networks

Jon Marshall — Tue, 02 Jun 2009 20:11:22 GMT

"I learn something every day Jon"

Yep, so do i, keeps things interesting 🙂

Thanks for the rating.

Jon

Re: Pix routing to internal networks

sarat1317 — Thu, 04 Jun 2009 12:07:16 GMT

Thanks Jon. I had the same thought and indicated same security command in my first post and you confirmed that with a good explanation.

For some reason I could not upgrade to 7.x. Please find my post on this below.

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40.2cd2b6eb

However though not a good solution I could get this working for by adding a static route on 192.168.20.100 pointing to the VLAN IP.

route -p ADD 172.24.10.0 MASK 255.255.255.0 192.168.20.3

But I still want to get this right upgrading to 7.x.

Please advise