Cisco Pix with two internal networks

kjanakiraman
Level 1

Hi,

I have a Cisco PIX 515 with 6.1 IOS and I have three interface cards. One is connected to the external network, one to the internal network and the other to the DMZ. My internal NIC IP is 192.168.3.1, which is connected to the Cisco router's e0 interface with IP 192.168.3.2; the router's e1 interface is 192.168.1.165, behind which my inside network 192.168.1.x exists. On the other interface card I have the IP 192.168.12.1 (called dmz), and behind that I have one server, 192.168.12.2. Both networks can reach the internet, but I could not connect my internal network with the DMZ. I need all the systems in the 192.168.1.x network to access and connect to the systems in the 192.168.12.x network.

Can someone advise me how to implement this?

Thanks in advance

8 Replies

tvanginneken
Level 4

Hi,

Did you use any kind of IP-translation commands between the inside network and the DMZ? This is absolutely necessary to make traffic go from the inside to the DMZ.

You can use two types of translation:

** dynamic (the source addresses are replaced with 192.168.12.3 in this case):

nat (inside) x 0.0.0.0 (this command is probably already in place)

global (dmz) x 192.168.12.3 (or another free IP address on the DMZ)

** static (source addresses are not translated; this is called 'netstatic'):

static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

If you have any more questions, don't hesitate to post them. Maybe you could post the config (!!no passwords or public addresses!!!).

Kind Regards,

Tom

Thanks a lot for your reply.

I added two access-list statements:

access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.12.0 255.255.255.0

access-list nonat permit ip 192.168.12.0 255.255.255.0 192.168.1.0 255.255.255.0

nat (inside) 0 access-list nonat

nat (dmz) 0 access-list nonat

The inside network is 192.168.1.0 and the DMZ network is 192.168.12.0, but still I could not ping between the two networks.

As I said, I have a router between the inside of the PIX and the LAN. The PIX internal card IP is 192.168.3.1, and it is connected directly using a crossover cable to the e0 interface of the Cisco router with IP 192.168.3.2; the e1 IP is 192.168.1.165.

Should I add two more access-lists in the Cisco PIX for 192.168.3.0 and 192.168.12.0, like the ones I did for 192.168.1.0 and 192.168.12.0, for the two networks to communicate? Do I need any additional statements in my internal router that is connected to the LAN?

Thanks in advance

Hi,

First, you don't need to make nonat both ways if only one side is initiating the communication. It seems all communications are initiated from inside to DMZ, so use only nat (inside) 0 access-list nonat.

Second, you didn't mention the route statement you should have configured in your PIX to be able to reach the network behind the router (192.168.1.x). The statement should be like this:

route inside 192.168.1.0 255.255.255.0 192.168.3.2

Third, are you trying to access the hosts by their host name or by their IP address? If it's by host name, be sure you don't need aliases.

Ben

This will allow connections initiated outbound **to** the DMZ:

access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.12.0 255.255.255.0

nat (inside) 0 access-list nonat

This will allow connections initiated inbound **from** the DMZ:

static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

You will have to add a route to your internal network:

route inside 192.168.1.0 255.255.255.0 192.168.3.2

Now you will have to add an ACL to allow the connections **from** the DMZ to the inside:

access-list dmz_IN permit eq

Thanks guys for your reply. I already have a route inside statement. I removed all the previous statements and tried as per your advice, but still, when I try to ping 192.168.12.1 (the DMZ interface of the firewall) from a system on 192.168.1.0, I am getting request timed out.

To allow connections from the DMZ to inside I added

access-list dmz_in permit ip 192.168.12.0 255.255.255.0 192.168.1.0 255.255.255.0

but still it does not work. After I ping from inside to the DMZ zone, when I check the access-lists in the PIX, I am seeing hit counts on access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.12.0 255.255.255.0, so the traffic is going to the firewall but no further from there to the DMZ.

Hi,

When you try to ping the DMZ from an internal host, the PIX handles the 'ping-reply' packets as a new connection from the DMZ to your internal network. You should create an ICMP access-list that allows ICMP (like ping replies) from your DMZ to your inside network.

Create an access-list for icmp and apply it to the dmz interface:

access-list some_name permit icmp 192.168.12.0 255.255.255.0 192.168.1.0 255.255.255.0

access-group some_name in interface dmz

This should allow the ping-reply packets from your dmz to your internal network.

Kind Regards,

Tom

Thanks a lot, it is working fine. I can connect from my inside network to the DMZ, but not from the DMZ to inside, and I need to configure the PIX the same way I did for connecting from inside to the DMZ. Thanks a lot for your help.

Hi,

Could you please remove those lines immediately:

access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.12.0 255.255.255.0

access-list nonat permit ip 192.168.12.0 255.255.255.0 192.168.1.0 255.255.255.0

nat (inside) 0 access-list nonat

nat (dmz) 0 access-list nonat

and replace them with:

static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

Also make sure there is a route to your internal network:

route inside 192.168.1.0 255.255.255.0 192.168.3.2

You should not use the nat 0 command unless it is absolutely necessary (in VPN configs). You shouldn't do it because it bypasses the NAT engine and may cause undesirable effects. The PIX 'likes' to translate packets. With the 'static' command, the packets go into the NAT engine, and the source address is removed and replaced, in this case, with the same source address.

Kind Regards,

Tom
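Pulling together the pieces recommended across the thread (the identity static from the last reply, the route to the inside LAN, and the ICMP access-list on the dmz interface from the earlier reply), here is an added example of the resulting PIX 6.x configuration fragment. It is not configuration posted by anyone in the thread. Interface names (inside, dmz), addresses and the ACL name dmz_in are taken from the thread; lines beginning with "!" are annotations for the reader, not PIX commands. Restricting the ICMP permits to echo-reply, unreachable and time-exceeded, and permitting one assumed TCP service (port 25 is a placeholder) instead of "permit ip", is my own tightening and is not something the thread proposed.

```text
! Added example (not from the thread): PIX 6.x fragment for inside <-> dmz.
! Lines beginning with "!" are annotations for the reader, not PIX commands.
! Assumed interfaces: inside (192.168.3.1) and dmz (192.168.12.1), as in the thread.

! 1. Route to the inside LAN, which sits behind the router at 192.168.3.2.
route inside 192.168.1.0 255.255.255.0 192.168.3.2

! 2. Identity translation so inside hosts keep their own addresses on the dmz.
!    This replaces the nat (inside) 0 / nat (dmz) 0 access-list nonat lines.
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

! 3. inside -> dmz is permitted by default (higher to lower security level)
!    once a translation exists, so no inside-facing ACL is needed for that direction.

! 4. Ping replies and any dmz-initiated sessions arrive on the dmz interface and
!    are treated as new connections from a lower security level, so they must be
!    permitted explicitly. Tightened relative to the thread's "permit icmp": only
!    the ICMP types an inside host actually needs back, not all ICMP.
access-list dmz_in permit icmp 192.168.12.0 255.255.255.0 192.168.1.0 255.255.255.0 echo-reply
access-list dmz_in permit icmp 192.168.12.0 255.255.255.0 192.168.1.0 255.255.255.0 unreachable
access-list dmz_in permit icmp 192.168.12.0 255.255.255.0 192.168.1.0 255.255.255.0 time-exceeded

! 5. dmz-initiated access to inside, one service at a time (port 25 is an assumed
!    placeholder; replace it with what 192.168.12.2 really needs). Prefer this to
!    "permit ip 192.168.12.0 ... 192.168.1.0 ...", which lets a compromised DMZ
!    server reach every inside host on every port.
access-list dmz_in permit tcp host 192.168.12.2 192.168.1.0 255.255.255.0 eq 25

! 6. Everything else from the dmz toward inside falls through to the implicit deny.
access-group dmz_in in interface dmz
```

Two checks worth making after applying this. First, test with a ping to a host such as 192.168.12.2 rather than to the PIX's own dmz address 192.168.12.1: a PIX does not answer ICMP sent to an interface other than the one the packet arrives on, so a timeout against 192.168.12.1 from the inside proves nothing about the configuration. Second, confirm with "show access-list" that hit counts appear on the echo-reply line during a successful ping; if hits instead land on the "permit ip" line from the earlier post, that broader entry is still present and should be removed so the dmz_in ACL, not the translation, is what gates DMZ-initiated traffic.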
