
Noob question: IP routing [PIX515E]

nateleduc
Beginner

Forgive me for I know this is probably Routing 101.

I know it has to do something with routing, but can't seem to figure out why it isn't working.

PIX Version 7.1(2)
!
hostname PIX515E
domain-name LEDUC.LOCAL
enable password KImMvv.HAzqvR6HP encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 192.168.0.2 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name LEDUC.LOCAL
pager lines 24
mtu outside 1500
mtu inside 1500
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:b7e0f1e67acdbeccf8d614f5ac31faf4
: end

I can't ping from 192.168.1.0 network. I can ping 192.168.0.2, but nothing past it. I'm having the same issue on my 2600.

Any advice?

24 Replies

Just to be clear, I will won't be able to ping 192.168.0.2, although I should be able to ping 192.168.0.1

I added the above with no luck:

: Saved
:
PIX Version 7.1(2)
!
hostname PIX515E
domain-name LEDUC.LOCAL
enable password KImMvv.HAzqvR6HP encrypted
names
!
interface Ethernet0
duplex full
nameif outside
security-level 0
ip address 192.168.0.2 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name LEDUC.LOCAL
access-list INSIDE-NAT0 remark NO NAT for LAN network
access-list INSIDE-NAT0 extended permit ip 192.168.1.0 255.255.255.0 any
pager lines 24
mtu outside 1500
mtu inside 1500
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list INSIDE-NAT0
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
Cryptochecksum:b7e0f1e67acdbeccf8d614f5ac31faf4
: end

"If I understood the situation correctly you now only have the switch and workstation(s) behind the PIX "inside" interface? If there is only the network 192.168.1.0/24 behind the PIX then that above NAT0 configuration should be enough."

~Correct, the network is as follows

Filter <-> PIX515E <-> switch

with the switch being on the 192.168.1.0/24 network

FYI, I can't ping anything past 192.168.1.1

Ok,

At the moment I don't see a reason for this in the PIX configuration.

Could you make sure that the Filter Device has a route for the network 192.168.1.0/24 pointing towards 192.168.0.2?

This is because when a host with an address such as 192.168.1.100 sends ICMP to 192.168.0.1 there will be NO NAT, as we configured. Therefore the Filter Device will need to have a return route for the ICMP traffic.

So could you make sure that the Filter Device has a route for 192.168.1.0/24 pointing towards the PIX "outside" interface IP 192.168.0.2.

- Jouni

Forgive me for my ignorance, but the filter works fine on its own, meaning if I plug a workstation into eth1 (192.168.0.1) and give it a static IP it passes traffic through and responds to pings.

Okay, so basically I need to SSH into my filter and add a return path to the 192.168.1.x network, correct?

What I'm getting at is possibly a triangular routing problem.

Hi,

If you have a host directly connected to the Filter Device (which to my understanding is your Internet edge device) then there is naturally no problem with the connectivity of the host and the Filter Device as they are connected to the same network 192.168.0.0/24. They both see the network as directly connected so naturally they can communicate.

Now when you have added the PIX to the setup and you have an additional network of 192.168.1.0/24 behind the PIX, then naturally the Filter Device needs to have a route for the network 192.168.1.0/24, because otherwise it is just going to forward all traffic towards its default route, which I imagine is the default route to the Internet/ISP.

So to my understanding, if you don't already have a route for the network 192.168.1.0/24 configured on the Filter Device, then you have to add that to the device and point that route towards the PIX "outside" interface IP address of 192.168.0.2. Otherwise the traffic simply won't work from the workstation to the Filter Device WHEN the PIX is connected to the network.

- Jouni

Hello Nathan,

Agree with Jouni,

It's got to be that the Filter device does not have a route back to you.

If by any chance you do not know how to create a route on that layer 3 device, do the following and let us know:

nat (inside)  1 0 0

global (outside) 1 interface

With this, all traffic sourced from the inside interface, when reaching another host on the outside interface, will look like it comes from the outside interface IP address; then the filter will be able to route the traffic back, as it knows where the outside interface is (on one of its directly connected networks).

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Jcarvaja,

It's actually an old iPrism I picked up off eBay for $10 shipped. It's now running Linux, therefore the commands are going to be different.

It's actually pretty damn cool:

Mine's running Ubuntu Server 11.04; I'm using it as an SSH server, web filter, proxy and NAT, but I'm sure you could use it for other things as well.

I'll post back when I get those routes enacted.

Hello,

I think you did not understand me

The commands

nat (inside)  1 0 0

global (outside) 1 interface

Got to be set on the PIX (you would need to remove the NAT 0 for this).

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Won't

nat (inside)  1 0 0

global (outside) 1 interface

enable NAT? I don't need it to provide NAT, I have the filter for that.

Hi,

Yes, that would enable Dynamic PAT, which would basically translate all hosts behind the PIX "inside" interface to the IP address of the "outside" interface. This would mean that you probably wouldn't have to add routes to the Filter Device, as connections would appear to come from a directly connected network.

But on the other hand it would hide the LAN hosts behind that single IP address, and the Filter Device wouldn't see the hosts with their original IP addresses.

Were you able to add the route to the Filter Device as we discussed before? Or what is the current situation?

- Jouni
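To make the return-route argument and the Dynamic PAT alternative from the replies above concrete, here is an added Python model (not from the thread or from either device): it does a longest-prefix-match lookup on a constructed Filter Device routing table and traces where the echo reply for a ping from 192.168.1.100 to 192.168.0.1 is sent, with nat 0 before and after the return route, and with Dynamic PAT instead. The WAN prefix 203.0.113.0/24 and ISP gateway 203.0.113.1 are assumed placeholders.

```python
import ipaddress

# Constructed model of the thread's topology: a LAN host behind the PIX
# "inside" interface pinging the Filter Device's LAN-side address.
LAN_HOST = "192.168.1.100"      # example host from Jouni's explanation
PIX_OUTSIDE = "192.168.0.2"     # PIX outside interface
FILTER_LAN_IP = "192.168.0.1"   # Filter Device eth1, the ping target

# Assumed Filter Device routing table before any fix. The WAN prefix and ISP
# gateway are placeholders; only the existence of a default route matters.
FILTER_ROUTES = [
    ("192.168.0.0/24", None),        # directly connected (eth1)
    ("203.0.113.0/24", None),        # assumed WAN segment, directly connected
    ("0.0.0.0/0", "203.0.113.1"),    # assumed default route towards the ISP
]
# The fix Jouni asks for: a return route for the PIX inside network.
RETURN_ROUTE = ("192.168.1.0/24", PIX_OUTSIDE)


def next_hop(routes, dst):
    """Longest-prefix-match lookup: returns the gateway, or None if dst is on a
    directly connected network. Raises LookupError if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]


def echo_reply_path(filter_routes, dynamic_pat):
    """Trace the ICMP echo reply for LAN_HOST -> FILTER_LAN_IP.
    With nat 0 (no translation) the Filter sees the real LAN source; with
    Julio's Dynamic PAT it sees PIX_OUTSIDE instead. Returns
    (source the Filter saw, next hop of its reply, reply reaches the PIX?)."""
    seen_src = PIX_OUTSIDE if dynamic_pat else LAN_HOST
    gw = next_hop(filter_routes, seen_src)
    # The reply gets back to the PIX only if the Filter forwards it to the PIX
    # outside IP, or delivers it on the LAN segment where that IP lives.
    reaches_pix = gw == PIX_OUTSIDE or (gw is None and seen_src == PIX_OUTSIDE)
    return seen_src, gw, reaches_pix


if __name__ == "__main__":  # the three scenarios discussed in the thread
    print(echo_reply_path(FILTER_ROUTES, False))                   # nat 0, no route
    print(echo_reply_path(FILTER_ROUTES + [RETURN_ROUTE], False))  # nat 0 + route
    print(echo_reply_path(FILTER_ROUTES, True))                    # dynamic PAT
```

Without the return route the reply follows the default route to the ISP and the ping times out, which is the "triangular routing" symptom described above.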

Hello Nathan,

Without the NAT you will need the route, and as you do not have it now, you must use it.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC