problem with pix506 and routing

guido.comi
Level 1

Hello to all,

I need to make a simple configuration with a PIX 506 running software version 6.3. I need to use it to route an IP class placed on the outside interface to the clients which are connected to the inside interface. The outside IP class is 10.0.0.x 255.255.255.0, while the inside IP class is 10.98.98.x 255.255.255.0. I need the clients on the inside to be able to ping the devices on class 10.0.0.x. Can the PIX 506 do this? I tried lots of examples but the routing doesn't seem to work. Please check the example below and the attached scheme. Thanks to all.

nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 100basetx
interface ethernet1 100basetx
ip address outside 10.0.0.35 255.255.255.0
ip address inside 10.98.98.254 255.255.255.0
hostname pixfirewall
arp timeout 14400
no failover
names
pager lines 24
logging buffered debugging
nat (inside) 0 10.0.0.35 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.0.0.20
access-list acl_out permit icmp any any
access-group acl_out in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server community public
mtu outside 1500
mtu inside 1500


13 Replies

maik.behley
Level 1

Hi Guido,

try this:

no nat (inside) 0 10.0.0.35 255.255.255.0

nat (inside) 0 10.98.98.0 255.255.255.0

access-list acl_in permit icmp any any

access-group acl_in in interface inside

Good luck.

Kind regards.

Hello, thanks for the reply.

I tried it but it didn't solve the problem: the clients on the inside (10.98.98.x) don't ping the outside LAN (10.0.0.x). Any tip? What am I doing wrong with this configuration?

Are you sure that the outside and inside clients have the right network?

The inside clients must have 10.98.98.254 and the outside clients need 10.0.0.35 as their default gateway.

I've tried to set the gateway on the 10.0.0 clients as you suggested, but it didn't solve the problem. On the 10.98.98 clients the gateway was already configured.

Of course, independently of the gateway setting, all the clients on 10.98.98.x can ping 10.98.98.254 and all the clients on 10.0.0.x can ping 10.0.0.35.

From the PIX console I can correctly ping all the clients attached to both LANs, so for me there aren't any network problems; it seems that simply the PIX routing doesn't work for some reason...

Morning,

I think I see your problem. You must define a static to translate the internal network to the external side.

Please configure the following:

static (inside,outside) 10.98.98.0 10.98.98.0 netmask 255.255.255.0

Kind regards.

Hello,

excuse me if this time I was a little slow to try it and then answer.

I tried adding the command you suggested to the PIX configuration, but nothing changed; routing doesn't work...

Please send me the complete configuration with a pic of the network.

: Saved
:
PIX Version 6.3(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname internetfree
names
access-list acl_in permit icmp any any
access-list acl_out permit icmp any any
no pager
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 10.0.0.35 255.255.255.0
ip address inside 10.98.98.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
nat (inside) 0 10.98.98.0 255.255.255.0 0 0
static (inside,outside) 10.98.98.0 10.98.98.0 netmask 255.255.255.0 0 0
access-group acl_in in interface inside
route outside 0.0.0.0 0.0.0.0 10.0.0.20 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:c71c5b985c3fd41fd7d036e32ef9ee97
: end

The network scheme is attached to my first post, but actually, since I wasn't able to get it to work, I'm just using the PIX, one PC connected to inside and another PC connected to outside; anyway, the scheme and the IPs are still valid.

Ok, bind the outside access-list to the outside interface and you will receive the icmp echo-reply.

access-group acl_out in interface outside

If you activate logging you will see denied icmp echo-reply packets against the outside interface.

With this the routing now works! Thank you.

I have only one other big problem: the routing works only if the PC has the PIX as its gateway, but in the final scenario I need to place an internet router on the 10.0.0.x side, so this router cannot have the PIX as gateway.

I think this problem would be simple to solve if, from the internet router, I were able to set a static route, but I want to do this only if necessary. Is there a way to bypass the problem via the PIX?

Ok, so you only need access from the internal network 10.98.98.0/24 to the internet and the internet router?

The secure way is -> enable NAT.

Take the following to do this:

no nat (inside) 0 10.98.98.0 255.255.255.0 0 0

no static (inside,outside) 10.98.98.0 10.98.98.0 netmask 255.255.255.0 0 0

nat (inside) 1 10.98.98.0 255.255.255.0

global (outside) 1 interface

With this setup you don't need a static route at the internet router side. All clients in the network 10.98.98.0/24 are translated to the external ip address of the pix.
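The two fixes Maik applied in this thread (binding acl_out with access-group so the echo-replies get in, and pairing nat 1 with a global) are both things a static check can catch before the box is cabled up. The following is an added example, not Cisco's code and not part of the original posts: a small Python lint over a PIX 6.x configuration listing. The two sample configurations inside it are constructed from lines posted in this thread (the first config's nat 0 on 10.0.0.35, the second config's acl_out left unbound, the posted password hashes and SNMP community); the finding codes and the check that a nat 0 names the subnet of the interface it is applied on are my own choices.

```python
"""Static checks for a PIX 6.x 'show run' listing, covering the mistakes worked
through in this thread (an added example, not Cisco's code and not from the
original posts): an access-list that is defined but never bound with
access-group, a nat id with no matching global, a nat 0 whose address is not on
the interface it is applied to, and the factory-default SNMP community and
password hash seen in the posted configuration."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Known-bad credentials: 'public' is the default SNMP community; 2KFQnbNIdI.2KYOU
# is the hash the PIX stores for an empty enable/telnet password.
DEFAULT_COMMUNITIES = {"public", "private"}
EMPTY_PASSWORD_HASH = "2KFQnbNIdI.2KYOU"

# Constructed sample, assembled from lines posted in this thread: the first
# config's nat 0 typo, the second config's unbound acl_out, default credentials.
BROKEN_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
ip address outside 10.0.0.35 255.255.255.0
ip address inside 10.98.98.254 255.255.255.0
nat (inside) 0 10.0.0.35 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.0.0.20
access-list acl_out permit icmp any any
access-list acl_in permit icmp any any
access-group acl_in in interface inside
snmp-server community public
"""

# Constructed sample: the configuration as it stood at the end of the thread.
FIXED_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 10.0.0.35 255.255.255.0
ip address inside 10.98.98.254 255.255.255.0
nat (inside) 1 10.98.98.0 255.255.255.0
global (outside) 1 interface
access-list acl_in permit icmp any any
access-list acl_in permit tcp any any eq 80
access-list acl_out permit icmp any any
access-group acl_in in interface inside
access-group acl_out in interface outside
"""

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def lint(config: str) -> List[Tuple[str, str]]:
    """Return (code, message) findings for a PIX 6.x configuration text."""
    iface_net: Dict[str, ipaddress.IPv4Network] = {}
    defined, bound = set(), {}          # acl names; acl name -> interface
    nat_ids: Dict[int, List[str]] = {}  # nat id -> interfaces it is applied on
    nat0: List[Tuple[str, ipaddress.IPv4Network, str]] = []
    global_ids = set()
    findings: List[Tuple[str, str]] = []

    for raw in config.splitlines():
        t = raw.split()
        if not t or raw.lstrip().startswith((":", "!")):
            continue  # blank, or a comment/marker line such as ': Saved'
        if t[:2] == ["ip", "address"] and len(t) >= 5:
            iface_net[t[2]] = ipaddress.IPv4Network(f"{t[3]}/{t[4]}", strict=False)
        elif t[0] == "access-list" and len(t) >= 4:
            defined.add(t[1])
        elif t[0] == "access-group" and len(t) >= 5:
            bound[t[1]] = t[4]          # access-group NAME in interface IFACE
        elif t[0] == "nat" and len(t) >= 3:
            iface, nat_id = t[1].strip("()"), int(t[2])
            nat_ids.setdefault(nat_id, []).append(iface)
            if nat_id == 0 and len(t) >= 5 and IPV4.match(t[3]) and IPV4.match(t[4]):
                net = ipaddress.IPv4Network(f"{t[3]}/{t[4]}", strict=False)
                nat0.append((iface, net, raw.strip()))
        elif t[0] == "global" and len(t) >= 3:
            global_ids.add(int(t[2]))
        elif t[:2] == ["snmp-server", "community"] and len(t) >= 3:
            if t[2].lower() in DEFAULT_COMMUNITIES:
                findings.append(("SNMP_DEFAULT_COMMUNITY", f"default SNMP community '{t[2]}'"))
        elif t[0] in ("passwd", "enable") and EMPTY_PASSWORD_HASH in t:
            findings.append(("EMPTY_PASSWORD", f"'{t[0]}' still carries the empty-password hash"))

    bound_names = set(bound)
    for name in sorted(defined - bound_names):
        findings.append(("ACL_UNBOUND", f"access-list {name} is never bound with access-group; it filters nothing"))
    for name in sorted(bound_names - defined):
        findings.append(("ACL_UNDEFINED", f"access-group binds {name} but no such access-list exists"))
    for nat_id, ifaces in sorted(nat_ids.items()):
        if nat_id != 0 and nat_id not in global_ids:
            findings.append(("NAT_NO_GLOBAL", f"nat ({ifaces[0]}) {nat_id} has no matching global {nat_id}"))
    for iface, net, line in nat0:
        if iface in iface_net and not net.subnet_of(iface_net[iface]):
            findings.append(("NAT0_WRONG_SUBNET", f"'{line}' names {net}, not on {iface} ({iface_net[iface]})"))
    return findings


def codes(config: str) -> List[str]:
    """Just the finding codes, for quick checks."""
    return [code for code, _ in lint(config)]


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {label} ==")
        for code, msg in lint(cfg) or [("OK", "no findings")]:
            print(f"{code}: {msg}")
```

Run against the broken sample it reports the unbound acl_out, the nat 0 that names the outside subnet instead of 10.98.98.0/24, the `public` community and the empty-password hash on both `enable password` and `passwd`; the fixed sample comes back clean. The last two findings are not part of the routing question, but a PIX sitting between an internet router and the LAN with the factory password and a default SNMP community is reachable by anyone on 10.0.0.x, so they are worth fixing in the same session.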

Thank you very much; now this problem is solved too.

I have only one more question for you: I downloaded the PIX manual, but all the step-by-step examples are incomplete and useless for an unskilled user. How can I enable and view logs to see if some rules are blocking some traffic? For example, the ping works perfectly but I cannot surf the web now, and I think the PIX is blocking something (port 80 for sure). If I am able to check the logs I think I will be able to solve all the problems by myself... Thank you again.

This is Cisco.

Here you can find examples:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html

You must understand access-list. If you don't define the traffic, the traffic is blocked. Look at the following example:

access-list acl_in permit icmp any any

access-list acl_in permit tcp any any eq 80

access-list acl_in permit tcp any any range 20 21

This example enables icmp, requests to port 80 for web and the port range 20-21 for active FTP access. All other traffic would be blocked by an explicit deny. And the traffic originates at the inside interface, because you bind this access-list to the inside interface.

logging on

logging host inside x.x.x.x

logging trap debug

Kind regards.

Maik
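To make the accepted answer's point concrete (every PIX access-list ends in an implicit deny, so traffic the list does not name is dropped, which is why ping worked while port 80 did not), here is an added example, not Cisco's code and not part of the original posts: a Python model of PIX 6.x access-list evaluation run over the three acl_in lines from the answer above. The port-name table and the second, order-demonstrating list (acl_demo, with a deny ahead of a permit) are my own additions; the matcher assumes the source and destination operands are `any`, `host A` or `A MASK`, and the port operators `eq` and `range` apply to the destination only.

```python
"""PIX 6.x access-list evaluation: the first matching entry wins and anything
not matched is dropped by the implicit deny at the end of every list. An added
example, not Cisco's code and not part of the original posts. It models the
subset of the syntax used in this thread (permit/deny; ip, icmp, tcp, udp;
any / host A / A MASK operands; 'eq PORT' and 'range LOW HIGH' on the
destination) and shows why a list that only permits icmp lets ping succeed
while web browsing fails."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A few port names the PIX accepts in place of numbers (my own small table).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21, "ftp-data": 20,
              "domain": 53, "ssh": 22, "telnet": 23}

# The accepted answer's example list, as posted in this thread.
ACL_IN = """\
access-list acl_in permit icmp any any
access-list acl_in permit tcp any any eq 80
access-list acl_in permit tcp any any range 20 21
"""

# Constructed list showing that order matters: the deny is evaluated first.
ACL_ORDER = """\
access-list acl_demo deny tcp any host 10.0.0.20 eq 80
access-list acl_demo permit tcp any any eq 80
"""


@dataclass
class Ace:
    action: str                       # "permit" or "deny"
    proto: str                        # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: Optional[Tuple[int, int]]  # destination port range, None = any


def _port(tok: str) -> int:
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def _addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one address operand at t[i]; return (network, index after it)."""
    if t[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.IPv4Network(t[i + 1] + "/32"), i + 2
    # PIX takes a real subnet mask here, not an IOS-style wildcard mask.
    return ipaddress.IPv4Network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_acl(config: str, name: str) -> List[Ace]:
    """Collect the entries of access-list NAME in the order they appear."""
    aces: List[Ace] = []
    for raw in config.splitlines():
        t = raw.split()
        if len(t) < 6 or t[0] != "access-list" or t[1] != name:
            continue
        action, proto = t[2], t[3]
        src, i = _addr(t, 4)
        dst, i = _addr(t, i)
        ports = None
        if proto in ("tcp", "udp") and i < len(t):
            if t[i] == "eq":
                ports = (_port(t[i + 1]), _port(t[i + 1]))
            elif t[i] == "range":
                ports = (_port(t[i + 1]), _port(t[i + 2]))
            else:
                raise ValueError(f"unsupported operator {t[i]!r} in: {raw}")
        aces.append(Ace(action, proto, src, dst, ports))
    return aces


def evaluate(aces: List[Ace], proto: str, src: str, dst: str,
             dst_port: Optional[int] = None) -> str:
    """Return 'permit' or 'deny' for one packet; no match means implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.ports is not None:
            if dst_port is None or not ace.ports[0] <= dst_port <= ace.ports[1]:
                continue
        return ace.action          # first match wins
    return "deny"                  # implicit deny at the end of the list


if __name__ == "__main__":
    acl = parse_acl(ACL_IN, "acl_in")
    for proto, port in (("icmp", None), ("tcp", 80), ("tcp", 443), ("udp", 53)):
        print(proto, port, evaluate(acl, proto, "10.98.98.10", "10.0.0.20", port))
```

Two things the run makes visible that the answer's three lines do not say outright: UDP 53 is also denied, so browsing by hostname still fails after port 80 is permitted until DNS is allowed as well, and the same list returns "deny" for port 443. The model deliberately ignores connection state; the PIX creates a connection entry for TCP sessions started from the inside, so their replies do not need a permit on the outside list, whereas in this thread the ICMP echo-replies arriving at the outside interface were treated as new packets and needed acl_out bound there, exactly as the log Maik describes showed.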