Routing Issue in PIX 515E

Yuyang Jin
Beginner

Hi all,

I have a routing problem with a PIX 515E running version 6.3.5. I have some client PCs located on the DMZ interface of the PIX 515E; they connect to the PIX using the Cisco VPN Client (IPsec VPN), after which these PCs can be routed (static route) to access servers located behind the inside interface of the PIX. I also have some servers located remotely with Internet access; their gateway router connects to the PIX outside interface (Internet) using an IPsec VPN and is then routed (static route) to the inside interface.

After establishing the IPsec VPN, the client PCs behind the DMZ interface can access the servers located behind the inside interface of the PIX. So can the remote servers. However, the client PCs cannot access the remote servers.

Just wondering if there is any restriction for the routing in PIX?

Thanks for the answer.

Accepted Solution

Hi

Thanks for posting, sorry for the late reply, I have been a bit busy!

I am not too clear about how you are routing your networks; personally I try to be more granular in what is routed where when using static routes with large /16 prefixes.


You have an L2L VPN allowing your remote server 172.16.0.199/32 access to inside, with your crypto ACL as:
access-list Remote_Server permit ip 172.16.0.0 255.255.0.0 host 172.16.0.199


and you also have a NAT exempt rule as:
nat (inside) 0 access-list nonat


For the DMZ RA VPN resource 172.16.45.129 to access the far-end server through that L2L VPN from the outside interface, you would also need to allow it as interesting traffic in your L2L tunnel ACL at the far end.

Does the far end's access-list for the L2L tunnel permit the RA VPN client network ID?


I would also add to your configuration a NAT exempt rule on the dmz interface, just as you do with the inside interface:

nat (dmz) 0 access-list nonat


Let us know how it works out; I will revisit your config and post again a bit later.


Regards

Jorge Rodriguez

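The checks in the accepted answer, written out as a configuration example. This is an added illustration, not configuration from the thread: the names Remote_Server and nonat, the 172.16.0.0/16 network and the 172.16.0.199 server come from the answer above, while the RA client pool 172.16.45.0/24 (chosen so that it contains the client 172.16.45.129 mentioned in the answer), the use of 7.x for the last command, and the IOS syntax on the far-end router are assumptions.

```cisco
! Added example; names and addresses are assumed as described in the lead-in.
!
! --- Local PIX (6.3.5 commands; the last section applies to 7.x only) ---
!
! 1. NAT exemption. The decrypted RA client traffic enters on dmz, so the
!    exemption has to be applied on dmz as well as inside, and the ACL has
!    to cover the client pool as a source, not only 172.16.0.0/16.
access-list nonat permit ip 172.16.0.0 255.255.0.0 host 172.16.0.199
access-list nonat permit ip 172.16.45.0 255.255.255.0 host 172.16.0.199
nat (inside) 0 access-list nonat
nat (dmz) 0 access-list nonat
!
! 2. Crypto ACL for the L2L tunnel. The /16 entry from the thread already
!    matches the assumed pool; the explicit /24 entry is what makes the
!    intent visible and gives the far end an exact line to mirror.
access-list Remote_Server permit ip 172.16.0.0 255.255.0.0 host 172.16.0.199
access-list Remote_Server permit ip 172.16.45.0 255.255.255.0 host 172.16.0.199
!
! --- Far-end gateway router (assumed Cisco IOS syntax, wildcard masks) ---
!
! The crypto ACL must be the mirror image of the PIX entries (source and
! destination swapped). If the pool is missing here, IKE phase 2 for the
! pool -> server proxy identity fails and the clients never get an SA,
! even though the server -> inside SA comes up fine.
access-list 101 permit ip host 172.16.0.199 172.16.0.0 0.0.255.255
access-list 101 permit ip host 172.16.0.199 172.16.45.0 0.0.0.255
!
! --- PIX 7.x and later only ---
!
! Required when decrypted traffic has to leave through the interface it
! arrived on (the hairpin case described in the first reply). Not available
! in the 6.3 train.
same-security-traffic permit intra-interface
```

To confirm which proxy identities actually negotiated, run `show crypto ipsec sa` on both ends and look for a local/remote identity pair matching the client pool and the server host; an entry that exists on the PIX but not on the router points at the mismatch described in the answer.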

9 Replies

JORGE RODRIGUEZ
Advocate

Hi,

From what you have described, this is not a routing issue but instead a restriction; please correct me if I misunderstood.

You said your RA VPN clients connect to your PIX VPN gateway to access resources in the DMZ and also on the inside interface. You also indicated that you have remote servers on remote sites (outside) that also connect to your PIX outside interface via IPsec VPN, and that these servers can connect to inside resources. Up to here we are fine. Your RA VPN clients that connect to your DMZ via IPsec cannot access the remote servers that are connected to the outside interface of your PIX via IPsec; this is like hairpinning, which is a restriction in the 6.3.5 code train.

You need a feature known as same-security-traffic permit intra-interface, also known as hairpinning, in which traffic can go out on the same interface it came in on, usually for IPsec. This feature was introduced in code 7.x, so you would simply need a code upgrade from 6.3.5 to 7.x or above to take advantage of this feature. My recommendation: upgrade your PIX to an ASA, as the PIX is EOL.

http://www.cisco.com/en/US/docs/security/asa/asa70/command/reference/s.html#wp1673966

Regards

Jorge Rodriguez

Hi Jorge,

Many thanks for the quick response. I think your understanding is all correct; I will see how it goes after the firmware upgrade.

But could you explain the hairpin here? The client PCs are connected from the DMZ interface while the remote servers connect from the outside interface. They are different interfaces. Or are we talking about the IPsec itself as a logical interface?

Cheers