2 pix firewalls and 2 networks

danny_bui
Level 1

Hi all,

I'm trying to set up 2 separate networks, one for the office and one for the lab. The office LAN connects to the internet via a T1, and for the Lab LAN I am trying to set it up so it uses the DSL line to connect to the internet.

I have a PIX 520 that has 4 interfaces: inside=192.168.1.1, outside=66.x.x.x, DMZ=192.168.3.1 and LAB=192.168.4.1.

I also have a PIX 501 that is used in the lab. The "outside" interface connects to the DSL segment and the "inside" connects to the LAB segment (192.168.4.3).

On the PIX 501, I added a route so that any traffic destined for 192.168.1.0 to 192.168.3.255 is forwarded to the PIX 520's LAB interface. Any other internet traffic uses the DSL route.

I'm not able to get the Office LAN to talk to the LAB LAN. On the PIX 501, I keep getting the "deny inbound (no Xlate)" message. Everything else works fine as independent LANs.

Please help me with this configuration. Thanks

Dan

5 Replies

patrick.cannon
Level 1

How do you put traffic onto the lab segment? Are you using global/nat?

Hi Patrick,

Yes, I'm using NAT to allow traffic from the Office segment (nat (inside) 1 0 0) into the LAB segment.

marksearle
Level 1

Have you configured any necessary "static" statements which allow higher security level interfaces to talk to lower security level interfaces? (i.e. Office to LAB?).

Many Regards,

Mark Searle.

The traffic between the Office and the LAB is OK if I specify the PIX 520's LAB interface as the default gateway for the hosts in the LAB segment. Static and access-list entries allow them to communicate with the Office.

However, I am trying to put another firewall, a PIX 501, in the LAB to protect this segment from the DSL connection to the internet. This PIX 501's inside interface will connect to the LAB segment with the IP address 192.168.4.3. On this firewall, I added a static route to send traffic going to the office to the other PIX firewall (192.168.4.1). Any other traffic uses the outside interface, which goes through the DSL link.

When I use 192.168.4.3 (PIX 501) as the default gateway for the hosts on the LAB segment, I cannot connect to the Office. The log error is "10611 (no xlate) deny inbound traffic". Basically, the new PIX (501) will not allow access. If I use 192.168.4.1 (PIX 520) as the default gateway, it works fine.

Please help.

Thanks

Dan

Sorry Dan, by configuring statics I don't mean static routes. Check out the following URL: http://www.cisco.com/en/US/customer/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801cd841.html#wp1026694

The static command configures an address translation rule and essentially tells the PIX firewall what addresses should be translated, or not, and where. The error message you are receiving seems to indicate that the PIX isn't sure about the translation it is supposed to do and so denies inbound traffic. Explicitly stating what characteristics (address ranges etc.) should or should not be affected by translation will allow the PIX to resolve this problem. Rather than static routes you might need "static" statements.

This is one of the most common problems that I tend to come across in configurations. It's a one-liner, but it prevents the whole setup from working.

Please let me know if this helps.

Many Regards,

Mark Searle.
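As an added illustration of the "static" point above (this is example configuration written for this thread, not anything posted by Dan or Mark), here are PIX 6.x fragments for the topology described in the thread: the PIX 520 with inside=192.168.1.1 and LAB=192.168.4.1, and the PIX 501 with inside=192.168.4.3 and its outside on the DSL segment. Interface numbers, security levels, the access-list name and the DSL gateway address are assumptions and are marked as such; the `!` lines are explanatory comments for the reader. One caveat a practitioner should keep in mind: the 501's route for the office networks points back out the same inside interface the packet arrived on, and PIX 6.x software does not forward a packet out the interface it came in on (intra-interface forwarding only arrived with the `same-security-traffic permit intra-interface` command in 7.0), so lab hosts that should reach the office through the 520 need a route to 192.168.4.1 on the host itself, or the 520 as their default gateway, with the 501 carrying only the Internet path.

```cisco
! ---- PIX 520 (office/lab/DMZ firewall) ----
! Interface numbers and security levels below are assumed, not from the thread.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
nameif ethernet3 LAB security40
ip address inside 192.168.1.1 255.255.255.0
ip address DMZ 192.168.3.1 255.255.255.0
ip address LAB 192.168.4.1 255.255.255.0

! Dynamic translation for office hosts going to the Internet (this is the
! "nat (inside) 1 0 0" Dan mentioned; 0 0 is shorthand for 0.0.0.0 0.0.0.0).
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! The "one-liner": an identity static so office addresses appear untranslated
! on the LAB interface. Without a translation covering 192.168.1.0/24 on the
! LAB side, the PIX has no xlate for LAB -> office packets and drops them.
static (inside,LAB) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

! LAB is a lower-security interface than inside, so LAB -> office traffic also
! needs an access-list bound to the LAB interface (ACL name is assumed).
access-list LAB_IN permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list LAB_IN permit ip 192.168.4.0 255.255.255.0 192.168.3.0 255.255.255.0
access-group LAB_IN in interface LAB

! ---- PIX 501 (lab Internet firewall on the DSL line) ----
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address inside 192.168.4.3 255.255.255.0

! Lab hosts reach the Internet via PAT on the DSL-facing interface.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! Default route toward the DSL provider; the gateway address is a placeholder
! because the thread does not give it.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! Routes for the office and DMZ networks via the 520's LAB interface.
! Caveat: these point back out the inside interface, and PIX 6.x will not
! forward a packet out the interface it arrived on, so they only help for
! traffic the 501 itself originates (e.g. syslog to an office host), not for
! lab hosts that use 192.168.4.3 as their default gateway.
route inside 192.168.1.0 255.255.255.0 192.168.4.1 1
route inside 192.168.3.0 255.255.255.0 192.168.4.1 1
```

With this in place the office-to-lab and lab-to-office paths both go through the PIX 520, where the static and access-list exist, and the 501 only ever sees lab-to-Internet traffic on its inside interface. Verify the translations and the drop reason on each box with `show xlate`, `show access-list` and `show logging`.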
