Guest VLAN access to internet through PIX

jcowtan
Level 1

I am setting up a Guest VLAN 25 to provide isolated access to the internet. It is not to have access to any internal networks. This VLAN is configured to give out DHCP addresses on a 192.168.25.0/24 subnet.

The operational VLAN 1 is on 10.1.0.0/16.

I have set up a trunk between a 3750 and the PIX. Guest security is at 50.

However, from the user station (which did get an IP from the DHCP Pool), I can not ping the gateway for the Guest VLAN, nor can I access external IPs.

The switch shows the trunk operational with VLAN 1 and 25. The PIX shows VLAN 25 active (DHCP gave out an address).

What am I missing? What is preventing VLAN 25 from getting outside?

Here is the PIX config I was using along with the 3750 trunk interface I am using.

PIX Version 6.3(3)

interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan25 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan25 guest security50
......
names
name 10.2.0.0 Ac
name 10.3.0.0 Oc
name 10.1.0.0 Wc
name 192.168.25.0 guest
access-list inside_outbound_nat0_acl permit ip Wc 255.255.0.0 Oc 255.255.0.0
access-list inside_outbound_nat0_acl permit ip Wc 255.255.0.0 Ac 255.255.0.0
access-list inside_outbound_nat0_acl permit ip Wc 255.255.0.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip Wc 255.255.0.0 Ac 255.255.0.0
access-list outside_cryptomap_40 permit ip Wc 255.255.0.0 Oc 255.255.0.0
pager lines 24
logging on
logging timestamp
logging buffered warnings
icmp permit any outside
icmp permit any inside
icmp permit any guest
mtu outside 1500
mtu inside 1500
ip address outside 64.4.68.226 255.255.255.252
ip address inside 10.1.1.31 255.255.0.0
ip address guest 192.168.25.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.1.11-192.168.1.50
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 64.4.68.225 1
route inside guest 255.255.255.0 64.4.68.225 1
....
ntp server 10.1.1.11 source inside prefer
http server enable
http Wc 255.255.0.0 inside
....
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 65.82.40.234
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 40 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 199.243.164.234 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 65.82.40.234 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpn-sc-wpg address-pool vpnpool
vpngroup vpn-sc-wpg dns-server 10.1.0.11
vpngroup vpn-sc-wpg default-domain xxxx.xxx
vpngroup vpn-sc-wpg idle-time 1800
vpngroup vpn-sc-wpg password ********
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 10
dhcpd address 192.168.25.11-192.168.25.254 guest
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable guest
......

3750 trunk interface

interface GigabitEthernet3/0/14
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
no ip address
duplex full
speed 100
no mdix auto
spanning-tree portfast
.................

4 Replies

pcomeaux
Cisco Employee

Looks like you are missing the NAT statements for the GUEST interface.

Your config currently shows:

global (outside) 1 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

But you have no translation NAT statement for traffic originating from the guest interface (same rules apply even though it is virtual).

You should add:

nat (guest) 1 0.0.0.0 0.0.0.0 0 0

This will translate any traffic received on this interface to the same IP as the outside interface.

I also do not think you need the following command:

route inside guest 255.255.255.0 64.4.68.225 1

The PIX knows this network you've called guest is directly connected. So you should be able to remove this route statement.

Please give these 2 suggestions a try and let us know how it is going.

thanks

peter

I made the two changes as suggested BUT no change.

My ping test results:

From the PIX console, I can ping the inside and outside interfaces BUT not the guest logical interface.

From the guest VLAN I get a DHCP address but cannot ping the guest interface, nor any local PIX interface, nor outside addresses. Seems the interface is dead, but it gave out an address.

I have included a subset of config. Any ideas?

.............

interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan25 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan25 guest security50
......
names
name 10.2.0.0 Atlanta
name 10.3.0.0 Ottawa
name 10.1.0.0 Winnipeg
access-list inside_outbound_nat0_acl permit ip Winnipeg 255.255.0.0 Ottawa 255.255.0.0
access-list inside_outbound_nat0_acl permit ip Winnipeg 255.255.0.0 Atlanta 255.255.0.0
access-list inside_outbound_nat0_acl permit ip Winnipeg 255.255.0.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip Winnipeg 255.255.0.0 Atlanta 255.255.0.0
access-list outside_cryptomap_40 permit ip Winnipeg 255.255.0.0 Ottawa 255.255.0.0
....
icmp permit any outside
icmp permit any inside
icmp permit any guest
ip address outside 64.4.68.226 255.255.255.252
ip address inside 10.1.1.31 255.255.0.0
ip address guest 192.168.25.1 255.255.255.0
....
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (guest) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 64.4.68.225 1
....
sysopt connection permit-ipsec
.....
isakmp enable outside
......
management-access inside
console timeout 10
dhcpd address 192.168.25.11-192.168.25.254 guest
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable guest

Looks like the interface statements you have do not match the configuration guide.

Here's info from the config guide:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/bafwcfg.htm#wp1113411

******************

Step 1 Assign the interface speed to a physical interface by entering the following command:

interface ethernet0 auto

Step 2 Assign VLAN2 to the physical interface (ethernet0) by entering the following command:

interface ethernet0 vlan2 physical

By assigning a VLAN to the physical interface, you ensure that all frames forwarded on the interface will be tagged. VLAN 1 is not used because that is the default native VLAN for Cisco switches. Without the physical parameter, the default for the interface command is to create a logical interface.

Step 3 Create a new logical interface (VLAN3) and tie it to the physical interface (ethernet0) by entering the following command:

interface ethernet0 vlan3 logical

This will allow the PIX Firewall to send and receive VLAN-tagged packets with a VLAN identifier equal to 3 on the physical interface, ethernet0.

********************

Looks like Step 2 is what you might be missing from your config. Give this a read and a try, as it appears to be the most obvious difference from the example and your config.

thanks!

peter
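The two replies above diagnose three separate config defects: the missing nat (guest) translation rule, the redundant static route to a directly connected network, and the missing vlanN physical assignment on the trunked port. As an added example that is not part of this thread, here is a small Python linter that reads PIX 6.3 config lines of the kind shown above and reports all three. The excerpt in SAMPLE_CONFIG is a constructed sample reproducing the original pre-fix state, and the function name lint_pix and its finding texts are my own.

```python
import ipaddress

# Constructed sample (not the poster's full config): the pre-fix lines the checks need.
SAMPLE_CONFIG = """\
interface ethernet1 auto
interface ethernet1 vlan25 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan25 guest security50
name 192.168.25.0 guest
ip address outside 64.4.68.226 255.255.255.252
ip address inside 10.1.1.31 255.255.0.0
ip address guest 192.168.25.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 64.4.68.225 1
route inside guest 255.255.255.0 64.4.68.225 1
"""

def lint_pix(config):
    """Return findings for the three issues diagnosed in this thread."""
    seclevel, names, connected = {}, {}, {}
    nat_ifs, globals_, logical, tagged, findings = set(), set(), set(), set(), []
    for w in (l.split() for l in config.splitlines() if l.strip()):
        if w[0] == "interface" and len(w) == 4:      # interface ethN vlanN physical|logical
            (tagged if w[3] == "physical" else logical).add(w[1])
        elif w[0] == "nameif":                        # nameif ethN <name> securityN
            seclevel[w[2]] = int(w[3].replace("security", ""))
        elif w[0] == "name":                          # name <addr> <alias>
            names[w[2]] = w[1]
        elif w[0] == "ip" and w[1] == "address":
            connected[w[2]] = ipaddress.ip_network(f"{w[3]}/{w[4]}", strict=False)
        elif w[0] == "global":
            globals_.add(w[1].strip("()"))
        elif w[0] == "nat":
            nat_ifs.add(w[1].strip("()"))
        elif w[0] == "route":   # check 2: a static route to a directly connected network
            dest = ipaddress.ip_network(f"{names.get(w[2], w[2])}/{w[3]}", strict=False)
            for ifname, net in connected.items():
                if dest == net:
                    findings.append(f"route {w[1]} {w[2]}: {net} is directly connected on {ifname}")
    # check 1: an interface can only reach a lower-security global through a nat (ifname) rule
    for ifname, level in seclevel.items():
        if ifname not in nat_ifs and any(seclevel[g] < level for g in globals_):
            findings.append(f"no nat ({ifname}) statement; hosts behind it are never translated")
    # check 3: a port carrying logical VLANs must itself be tagged with 'vlanN physical'
    for phys in logical - tagged:
        findings.append(f"{phys} has logical VLAN subinterfaces but no 'vlanN physical' line")
    return findings
```

Running lint_pix(SAMPLE_CONFIG) reports all three findings; applying the two replies' fixes to the sample makes the list empty.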

I entered the command (modified for ethernet1) as

interface ethernet1 vlan2 physical

but my access tests did not work again. I still get a DHCP address. I noticed that the port light now flashes amber/green. I changed the speed to 100full. I also created / activated a VLAN2 on the switch end of the trunk. These did not change the flashing light.

I also viewed the interface stats

sh interface ethernet1

interface ethernet1 "inside" is up, line protocol is up
Hardware is i82559 ethernet, address is 0011.2063.52ce
IP address 10.1.1.31, subnet mask 255.255.0.0
MTU 1500 bytes, BW 100000 Kbit full duplex
9078 packets input, 643133 bytes, 0 no buffer
Received 8098 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
56573 packets output, 4308004 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 1 deferred
1 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/3)
output queue (curr/max blocks): hardware (0/9) software (0/1)
612 aggregate VLAN packets input, 73771 bytes
430 aggregate VLAN packets output, 22044 bytes
8410 vlan2 packets input, 565942 bytes
56549 vlan2 packets output, 3307648 bytes
0 invalid VLAN ID errors, 56 native VLAN errors

interface vlan25 "guest" is up, line protocol is up
Hardware is i82559 ethernet, address is 0011.2063.52ce
IP address 192.168.25.1, subnet mask 255.255.255.0
MTU 1500 bytes, BW 100000 Kbit full duplex
612 packets input, 73771 bytes
9 packets output, 2678 bytes

If I try show interface vlan1 or vlan2 I get nothing.

Ideas?
