Strange routing issue in PIX501

imranbhatti151
Level 1

Hi gurus,

I am having trouble with routing in PIX501

I have one Pix 501 and one Cisco router

The Cisco router is configured for IPSEC VPN (LAN interface 172.19.194.1) and the PIX is configured for accessing the internet.

The default gateway of the PCs in the LAN is the PIX inside interface (172.19.194.2), but people are unable to access the corporate network, although they can access the internet.

Below is the route command configured on the PIX.

route inside 172.19.206.0 255.255.255.0 172.19.194.1 1

If I set the default gateway to the Cisco router LAN interface (172.19.194.1), then I can access the corporate network.

Purpose is to pass the internet traffic using PIX 501 and corporate network traffic using Cisco router.

Can anyone help me in this regard?

I have attached the diagram for the network

Thanks

6 Replies

csaxena
Cisco Employee

Hello Imran,

If I get the requirement right, you need to access the internet using the PIX (.2) as the gateway, and while accessing the corporate network, i.e. over the IPSec tunnel, use the router (.1) as the gateway.

One option is to set routes on the workstation for the corp network. For example, for a Windows machine, say your corp network is the 10.0.0.0/8 network, then add

route -add mask

For more help, refer : http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_tcpip_pro_addstaticroute.mspx?mfr=true

This option is feasible in a small work/home environment.

Another option is to use the PIX alone in the network, utilizing another interface to terminate the VPN and doing the routing on the PIX.

One more option, which will cost an extra device: add a router in the network before both gateways and do Policy Based Routing.

Hope this helps. Please reply back if you need any further assistance.

Regards,
Chirag
P.S.: Please mark this thread as answered if you feel your query is answered. Do rate helpful posts.

Dear Saxena,

Thanks for your reply, and you understood my requirement correctly.

I understand option number one, but I think it is not feasible.

But I want to know why I cannot use the PIX as a routing device in this case, as I do now.

Actually I have two different Internet connections (I want to utilise one for IPSEC and the second for internet browsing).

Terminating the VPN on the PIX is not attractive for me.

If I add another router, will I still need policy based routing, or will simple routing be enough?

Looking for your support

Regards

Hi Imran,

Yes, that option is not a very scalable solution.

Well, I guess you are right. We can use the PIX as the gateway for all traffic and u-turn traffic for the corporate network to the router. We might have to check the possibility of asymmetric routing for the return traffic.

1) PIX will be gateway for all

2) route inside -> router for corp network

3) tcp state bypass will be required on the firewall

4) UDP traffic will get dropped due to asymmetric routing, so we will require a local DNS server

Another option is to utilize 2 ISPs on the PIX on 2 different interfaces. Configure 2 interfaces, say out1 & out2, at security level 0. One will be for the internet and the other for the IPSec tunnel.

Hope this helps. Please reply back if you need any further assistance.

Regards,
Chirag
P.S.: Please mark this thread as answered if you feel your query is answered. Do rate helpful posts.
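As an added illustration (not code from this thread or from Cisco), the following small Python model shows why steps 1-3 of the u-turn design need TCP state bypass: every PC-originated packet transits the stateful PIX, but corp replies come back through the router and reach the PC directly on the shared LAN, so the firewall never sees the SYN-ACK and drops the rest of the handshake. The PC, corp-host and internet-host addresses are constructed; only the .1/.2 gateways and the 172.19.206.0/24 corp network come from the thread.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    flags: str  # "SYN", "SYN-ACK", "ACK" or "DATA"

class StatefulFirewall:
    """Minimal TCP handshake tracker standing in for the PIX's stateful inspection."""

    def __init__(self, tcp_state_bypass=False):
        self.bypass = tcp_state_bypass
        self.flows = {}  # frozenset({client, server}) -> "SYN_SEEN" | "ESTABLISHED"

    def inspect(self, p):
        """Return True if the firewall forwards the packet, False if it drops it."""
        if self.bypass:
            return True  # no handshake tracking at all (step 3 in the thread)
        key = frozenset((p.src, p.dst))
        stage = self.flows.get(key)
        if p.flags == "SYN":
            self.flows[key] = "SYN_SEEN"
            return True
        if p.flags == "SYN-ACK" and stage == "SYN_SEEN":
            self.flows[key] = "ESTABLISHED"
            return True
        # ACK/DATA are only legitimate once the firewall saw the full handshake
        return stage == "ESTABLISHED"

# Constructed hosts; gateways .1 (router) and .2 (PIX) are as in the thread
PC, CORP, INTERNET = "172.19.194.10", "172.19.206.10", "203.0.113.10"

def run_session(fw, server, reply_via_pix):
    """Walk a TCP handshake PC->server. reply_via_pix says whether the server's
    packets traverse the PIX (symmetric) or land on the PC directly (asymmetric)."""
    path = [Packet(PC, server, "SYN"), Packet(server, PC, "SYN-ACK"),
            Packet(PC, server, "ACK"), Packet(PC, server, "DATA")]
    out = []
    for p in path:
        via_pix = p.src == PC or reply_via_pix  # PC default gateway is the PIX
        out.append((p.flags, fw.inspect(p) if via_pix else True))
    return out

def corp_session(fw):
    # Corp replies return via the router (172.19.194.1) straight to the PC
    return run_session(fw, CORP, reply_via_pix=False)

def internet_session(fw):
    # Internet replies return through the PIX outside interface: symmetric path
    return run_session(fw, INTERNET, reply_via_pix=True)

def session_ok(results):
    return all(forwarded for _, forwarded in results)
```

Without bypass the corp session's ACK and DATA packets are dropped while the symmetric internet session passes, which is exactly the asymmetry the router-as-gateway test in the first post avoided.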

Dear Saxena,

Thank you for your reply and support.

I think my PIX 501 firewall does not support the TCP state bypass configuration.

Your second option is also difficult to adopt, as I have only two interfaces on the Cisco PIX 501 (inside and outside).

What about using a Layer 3 switch?

Any other option to streamline routing?

Looking forward to your support.

Regards

Yes, on a layer 3 switch you can do routing for the internet & corp network. This will help.

Regards,

Chirag

Thanks Again,

It seems that I do not have any Layer 3 switch in inventory now.

Can I set it up using a 1900 series router with two Ethernet interfaces?

Making three VLANs and then doing inter-VLAN routing.

Please suggest.

Thanks

Regards
