07-28-2004 05:40 PM - edited 02-20-2020 11:32 PM
Hi,
I am using PIX to protect my 3 VLANs. PIX is connected to the trunk ports on the switch.
E0 has 253, 556, 557 VLANs
253=253.12
556=156.254
557=157.254
E1 has 52, 156, 157
52=52.1
156=192.168.156.1
157=192.168.157.1
IPs assigned to VLANs on the router are:
253 - X.X.253.1
556 - X.X.156.1
557 - X.X.157.1
52 - no IP
156 - no IP
157 - no IP
So basically, VLAN 52 is transparent, and VLANs 156 and 157 are NATed. VLAN 253 is the path outside to the Internet.
I can ping all interfaces on the PIX from the router. VLAN 52 also works fine (it uses the physical interface). However, VLANs 156 and 157 (that use logical interfaces) cannot go out. It seems like some translation issue.
Here is the config of the PIX and error messages I get when I try to go out of VLAN 156.
:
PIX Version 6.3(1)
interface ethernet0 100basetx
interface ethernet0 vlan253 physical
interface ethernet0 vlan556 logical
interface ethernet0 vlan557 logical
interface ethernet1 100basetx
interface ethernet1 vlan52 physical
interface ethernet1 vlan156 logical
interface ethernet1 vlan157 logical
nameif ethernet0 int253 security0
nameif ethernet1 int52 security99
nameif vlan556 int556 security0
nameif vlan557 int557 security0
nameif vlan156 int156 security99
nameif vlan157 int157 security99
no fixup protocol ftp 21
no fixup protocol h323 h225 1720
no fixup protocol h323 ras 1718-1719
no fixup protocol http 80
no fixup protocol ils 389
no fixup protocol rsh 514
no fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol sip udp 5060
no fixup protocol skinny 2000
no fixup protocol smtp 25
no fixup protocol sqlnet 1521
names
pager lines 24
logging on
logging timestamp
logging console debugging
logging monitor notifications
logging history notifications
mtu int253 1500
mtu int52 1500
ip address int253 x.x.253.52 255.255.255.0
ip address int52 x.x.52.1 255.255.255.0
ip address int556 x.x.156.254 255.255.255.0
ip address int557 x.x.157.254 255.255.255.0
ip address int156 192.168.156.1 255.255.255.0
ip address int157 192.168.157.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address int253
no failover ip address int52
no failover ip address int556
no failover ip address int557
no failover ip address int156
no failover ip address int157
arp timeout 14400
global (int556) 1 x.x.156.2-x.x.156.250
global (int557) 2 x.x.157.2-x.x.157.250
nat (int52) 0 x.x.52.0 255.255.255.0 0 0
nat (int157) 2 192.168.157.0 255.255.255.0 0 0
nat (int156) 1 192.168.156.0 255.255.255.0 0 0
conduit permit ip any any
conduit permit tcp any any
conduit permit udp any any
router ospf 1
network x.x.0.0 x.x.0.0 area 0
log-adj-changes
redistribute connected subnets
redistribute static subnets
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
Please help. Thanks in advance.
Senad P.
07-28-2004 06:34 PM
To go from a higher security interface (156 and 157) to a lower one (253), you need a nat/global pair (or a static). You have a nat statement for 156 and 157, but no global for 253. Something like the following should get you going:
global (int253) 1 interface
global (int253) 2 interface
This'll PAT everything from 156 and 157 ints to the interface address on 253 (x.x.253.52). If you want to PAT them to a specific other address then replace the "interface" keyword above with that address.
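A config check worth running before trusting the route table, added here as an example (it is not from the thread or from Cisco): it parses the nat/global lines of the PIX 6.3 config above and reports, for each egress interface you pass in, which inside nat ids have no matching global there, which is the condition under which the PIX has no translation for the flow. The sample config lines are copied from the post; function and interface names are my own.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: the nat/global lines from the PIX config posted in this thread.
SAMPLE_CONFIG = """
global (int556) 1 x.x.156.2-x.x.156.250
global (int557) 2 x.x.157.2-x.x.157.250
nat (int52) 0 x.x.52.0 255.255.255.0 0 0
nat (int157) 2 192.168.157.0 255.255.255.0 0 0
nat (int156) 1 192.168.156.0 255.255.255.0 0 0
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) ")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ")


def parse_nat_global(config: str) -> Tuple[Dict[str, int], Dict[int, Set[str]]]:
    """Return {inside_iface: nat_id} and {nat_id: set of ifaces carrying a global with that id}."""
    nats: Dict[str, int] = {}
    globals_by_id: Dict[int, Set[str]] = {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := NAT_RE.match(line):
            nats[m.group(1)] = int(m.group(2))
        elif m := GLOBAL_RE.match(line):
            globals_by_id.setdefault(int(m.group(2)), set()).add(m.group(1))
    return nats, globals_by_id


def missing_globals(config: str, egress_ifaces: List[str]) -> Dict[str, List[str]]:
    """For each inside interface with a non-zero nat id, list the candidate egress
    interfaces that have no 'global' with the same id.  A flow routed out such an
    interface has no translation and the PIX drops it.  nat id 0 is identity NAT
    (no translation needed), so it is skipped."""
    nats, globals_by_id = parse_nat_global(config)
    gaps: Dict[str, List[str]] = {}
    for inside, nat_id in sorted(nats.items()):
        if nat_id == 0:
            continue
        have = globals_by_id.get(nat_id, set())
        missing = [e for e in egress_ifaces if e not in have]
        if missing:
            gaps[inside] = missing
    return gaps


if __name__ == "__main__":
    # Egress candidates are the three security0 interfaces from the config.
    print(missing_globals(SAMPLE_CONFIG, ["int253", "int556", "int557"]))
```

Adding the two "global (int253) ..." lines from the reply above clears int253 from the report, which is exactly the gap the reply points at.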
07-28-2004 07:49 PM
Thanks gfullage,
My question is why do I have to have int253 as well? Is it because int556 and int557 are logical interfaces? The reason I am asking is because I do not want to send the 156 and 157 traffic out of the PIX to VLAN 253. My VLAN mapping is:
vlan 156 inside goes to vlan 556 outside.
vlan 157 inside goes to vlan 557 outside.
vlan 52 (because there is no NAT involved) goes out via vlan 253. VLAN 253 is the core router VLAN.
I don't want to use PAT. Now what would happen if I have two global (overlapping) statements such as
global (int556) 1 x.x.156.2-x.x.156.250
global (int253) 1 x.x.156.2-x.x.156.250
Would this work?
Like I said, my intention is to move traffic from vlan 156 to vlan 556.
Thanks,
08-03-2004 07:20 AM
Thanks for the help. I got it to work. However, now I have a different problem. The connection is up for about 1-2 hours and then stops. There is still about half of the RAM free and CPU utilization is about 12%. ICMP traffic continues to flow, TCP stops entirely, and UDP sometimes works and sometimes does not (nslookup). I would clear arp and xlate and it would start working for about an hour and then stop again (only for TCP). My SSH and HTTP to the PIX do not work either. There is no traffic blocked by rulesets at all.
Could it be a bad PIX? Or maybe an attack?
Attached are the error messages and new config file.
08-06-2004 08:26 AM
OK, I resolved this one as well. I had an old router somewhere on the network advertising the 52.1 IP and changing the routes.
So some packets would go as they should, and some packets would get lost.
All good now.
However, I've got a new question regarding interfaces. Does it matter if VLAN interfaces are all the same numbering, like in the example above:
vlan 541
vlan 556
vlan 557
vlan 253
all being security0
and
vlan 141
vlan 156
vlan 157
vlan 52
all being security99.
Or should they all have different security levels?