topic Re: Help with Pix lab using sub interfaces in Network Security

Help with Pix lab using sub interfaces

jamesgonzo — Mon, 11 Mar 2019 15:29:37 GMT

Hi,

I hope you can spend a little of your time helping my fix this lab scenario.

What my goal is for my laptop on 192.168.3.20 (inside of pix) to be able to connect to 10.100.0.61/27 which is a loopback on my pretend New York router.

I have the following equipment:

Pix (HQ)

3550 (VLANs)

2 x 2620 routers (on VLAN 7 this my remote office link via serial back-to-back on RIPv2)

The 3550 is connect to the Pix on fas 0/1 and set as a trunk. On the Pix I have setup Ethernet 2 as a sub-interface port. I have created Ethernet 2.7 (192.168.2.1) for my VLAN 7 where my router is connected to (192.168.2.2).

What I have working so far is the 2 routers via the serial link, RIPv2 is working and loopback 10.100.0.61 can ping 192.168.2.2 (routerhq), but not 192.168.2.1 (pix sub-int) on anthing on the inside.

My laptop can ping 192.168.3.250 (3550 VLAN 2), but not any of the routers or the Pix sub-interface of 192.168.2.1.

The problem I can't figure out is my inside LAN of 192.168.3.0/24 can't get to any of the routers or VLAN 7 it seems.

I put in some IP any any rules which didn't help and have checked the routes, and added some NAT exempts.

I think I need a fresh pair of eyes as I'm sure I have confused myself somewhere.

Re: Help with Pix lab using sub interfaces

Jon Marshall — Sat, 09 May 2009 20:14:46 GMT

James

Can you post

1) "sh ip route" from 2620 routers + 3550

2) "sh route" from pix.

Can you ping 3550 vlan 7 address 192.168.2.250 from office router ?

Jon

Re: Help with Pix lab using sub interfaces

jamesgonzo — Sat, 09 May 2009 20:54:58 GMT

Jon,

Thanks for finding the time to help me here.

1.)

Router_WAN_Office#

Gateway of last resort is not set

172.16.0.0/30 is subnetted, 1 subnets

C 172.16.1.0 is directly connected, Serial0/1

10.0.0.0/27 is subnetted, 1 subnets

C 10.100.0.32 is directly connected, Loopback0

R 192.168.2.0/24 [120/1] via 172.16.1.1, 00:00:27, Serial0/1

RouterHQ#

Gateway of last resort is not set

172.16.0.0/30 is subnetted, 1 subnets

C 172.16.1.0 is directly connected, Serial0/1

10.0.0.0/27 is subnetted, 1 subnets

R 10.100.0.32 [120/1] via 172.16.1.2, 00:00:22, Serial0/1

C 192.168.2.0/24 is directly connected, FastEthernet0/0

RouterHQ#

C3550#

Gateway of last resort is 192.168.3.1 to network 0.0.0.0

C 192.168.2.0/24 is directly connected, Vlan7

C 192.168.3.0/24 is directly connected, Vlan2

S* 0.0.0.0/0 [1/0] via 192.168.3.1

C3550#

2.)

mypix#

Gateway of last resort is not set

S 10.100.0.32 255.255.255.224 [1/0] via 192.168.2.2, DMZ3

C 192.168.2.0 255.255.255.0 is directly connected, DMZ3

C 192.168.3.0 255.255.255.0 is directly connected, Inside

mypix#

3.)

Nope.

4.)

From my laptop on 192.168.3.20:

C:\>ping 192.168.2.250

Pinging 192.168.2.250 with 32 bytes of data:

Request timed out.

C:\>ping 192.168.2.1

Pinging 192.168.2.1 with 32 bytes of data:

Request timed out.

C:\>ping 192.168.3.2

Pinging 192.168.3.2 with 32 bytes of data:

Reply from 192.168.3.2: bytes=32 time<1ms TTL=255

I now realise my routers are not aware of the 192.168.3.x/24 LAN as I have no routes, before I mess about with anything I'll just had back to you as I'm not sure if I can use RIP or just do some static routes.

Re: Help with Pix lab using sub interfaces

Jon Marshall — Sat, 09 May 2009 21:12:24 GMT

James

If your 3550 is routing which it is why not set the default-gateway on your client to be the L3 vlan interface on the 3550 ie. 192.168.3.2 ? That would automatically allow you to ping 192.168.2.250 on the same switch.

As for pinging the other routers HQ & office then yes you will need to make them aware of 192.168.3.0/24 network. Easiset way to do this would be to configure RIP on the 3550.

The 3550 could still have the default-route set to 192.168.3.1 on the pix for any unknown ie. Internet addresses.

Is there a reason why the laptop has it's DG set to the pix rather than the 3550 ?

Jon

Re: Help with Pix lab using sub interfaces

jamesgonzo — Mon, 11 May 2009 12:05:16 GMT

Hi Jon,

Sorry for the delay I didn't get the email notification for some reason.

The following morning I enabled RIPv2 on the pix and advertised the subnets and all worked! Never tried that before. A fresh head helped, but when you asked for the routes it twigged that the routers (WAN) had no idea of the subnets on the Pix, so thanks!

1.) Does it matter if I have the Rip on the Pix or 3550? Just want to make sure.

2.) I set the DG of the laptop to the Pix as my work do the same, best to use the 3550?

3.) One last request, imagine the remote office on the 10.100.0.32/27 network already has another network on 192.168.3.0/24 somewhere? Is it possible to NAT my 192.168.3.0/24 LAN to say 192.168.4.0/24? I don't know how to do Dynamic NAT or static NAT, I guess I would need to advertise the new route aswell?

Thanks again