Solved

VLANs can't speak with each other any longer (since PIX installation)

Posted on 2005-02-27
Last Modified: 2010-04-17
Here's my network: http://www.streetneeds.com/uploads/ot/net.jpg

Ever since putting the PIX in, my VLANs have not been able to speak with each other.

From the PIX prompt, I can ping all of my hosts (on every VLAN).
Any ideas?

thanks
Question by:dissolved
29 Comments
 

Author Comment

by:dissolved
ID: 13415788
All VLANs can hit the internet fine. They just can't speak to one another?

Is this because their gateway, for all of them, is the PIX? So I have to permit the traffic inbound?
Thanks
 
LVL 43

Expert Comment

by:JFrederick29
ID: 13416211
The default gateway for the hosts on the 192.168.3.0 subnet should be 192.168.3.1 (the 2600 router subinterface).  The default gateway for the hosts on the 192.168.4.0 subnet should be 192.168.4.1 (the 2600 router subinterface).  The 2600 should have a default route to 192.168.2.1 (the PIX).  The 192.168.2.0 hosts' default route can be the PIX as long as the PIX has routes to the 192.168.3.0 and 192.168.4.0 subnets via 192.168.2.5 (2600 router).  Or, the 192.168.2.0 hosts can have a default gateway of 192.168.2.5 (2600 router) and the default route on the 2600 will send non-local traffic to the PIX.  I'd set it up with the latter for the 192.168.2.0 hosts (default gateway of 192.168.2.5).
 

Author Comment

by:dissolved
ID: 13416299
>>The default gateway for the hosts on the 192.168.3.0 subnet should be 192.168.3.1 (the 2600 router subinterface).
Check

>>The default gateway for the hosts on the 192.168.4.0 subnet should be 192.168.4.1 (the 2600 router subinterface).
Check

>>The 2600 should have a default route to 192.168.2.1 (the pix).
Check

>>The 192.168.2.0 hosts' default route can be the PIX as long as the PIX has routes to the 192.168.3.0 and 192.168.4.0 subnets via 192.168.2.5 (2600 router).  Or, the 192.168.2.0 hosts can have a default gateway of 192.168.2.5 (2600 router) and the default route on the 2600 will send non-local traffic to the PIX.  I'd set it up with the latter for the 192.168.2.0 hosts (default gateway of 192.168.2.5)

This must be the problem.  The static routes in my pix (for the VLANs) are as follows:
route inside 192.168.3.0 255.255.255.240 192.168.4.1 1
route inside 192.168.4.0 255.255.255.240 192.168.4.1 1

I'm guessing I should change it to

route inside 192.168.3.0 255.255.255.240 192.168.2.5 1
route inside 192.168.4.0 255.255.255.240 192.168.2.5 1
 
LVL 43

Expert Comment

by:JFrederick29
ID: 13416434
Yes, should be:

route inside 192.168.3.0 255.255.255.240 192.168.2.5 1
route inside 192.168.4.0 255.255.255.240 192.168.2.5 1

 

Author Comment

by:dissolved
ID: 13416505
Ok, did that. Still unable to communicate with my VLANs (I'm on the 192.168.2.0 network btw)
Here is a sh run of the pix


pix# sh run
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xIsrlcAkUmuvQSHs encrypted
passwd JjCY8dtQbv7delLq encrypted
hostname pix
domain-name spira
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit icmp any interface outside echo-reply
access-list outside_in permit icmp any interface outside unreachable
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.2 255.255.255.240
ip address inside 192.168.2.1 255.255.255.240
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.2.0 255.255.255.240 0 0
nat (inside) 1 192.168.3.0 255.255.255.240 0 0
nat (inside) 1 192.168.4.0 255.255.255.240 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
route inside 192.168.3.0 255.255.255.240 192.168.2.5 1
route inside 192.168.4.0 255.255.255.240 192.168.2.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.2.0 255.255.255.240 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:c6ddd4cda262762c7335421be1799533
: end
 
LVL 79

Expert Comment

by:lrmoore
ID: 13416513
add this

   sysopt noproxyarp inside

If it works, I'll explain...
 
LVL 43

Expert Comment

by:JFrederick29
ID: 13416514
Oops, forgot the basic PIX routing rule.  The PIX will not send traffic it receives on the inside interface back out the inside interface.  This is the way a PIX is; it really isn't a router, although it appears to act as such at times.  You'll need to set the default gateways on the 192.168.3.0 and 4.0 hosts to the appropriate 2600 subinterface for each subnet.
 

Author Comment

by:dissolved
ID: 13416572
Ok, I added sysopt noproxyarp inside.  However, from the 192.168.2.0 network, I still cannot access any PCs on the other VLANs. The PIX can ping them though.

Right now, the hosts of 192.168.3.0 have a gateway of 192.168.3.1
The host of 192.168.4.0 have a gateway of 192.168.4.1

Thanks
 
LVL 79

Expert Comment

by:lrmoore
ID: 13416611
How about the ip inspect rules in the 2600 @ 192.168.2.5 ?
It's not the PIX in the mix; it may be the way you have the inspect applied to that router and have changed how IT behaves. It is the link between the VLANs. Can you post its config?
 

Author Comment

by:dissolved
ID: 13416634
Ok, here is the 2600 config:

Current configuration : 1272 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 2600a
!
enable secret 5 -----------------
enable password ---------------
!
ip subnet-zero
!
!
!
!
ip cef
ip inspect name test tcp
ip inspect name test udp
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface Ethernet0/0
 ip address 192.168.2.5 255.255.255.240
 ip access-group 102 out
 ip inspect test in
 full-duplex
!
interface Ethernet0/0.1
 encapsulation dot1Q 2
 ip address 192.168.3.1 255.255.255.240
 ip access-group 101 out
 ip inspect test in
!
interface Ethernet0/0.2
 encapsulation dot1Q 3
 ip address 192.168.4.1 255.255.255.240
 ip access-group 102 out
 ip inspect test in
!
interface TokenRing0/0
 no ip address
 shutdown
 ring-speed 16
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.2.1
no ip http server
ip pim bidir-enable
!
access-list 104 deny   ip 192.168.4.0 0.0.0.255 host 216.109.112.135
access-list 104 permit ip any any
!
snmp-server community getifread RO
snmp-server community getif RW
!
dial-peer cor custom
!
!
!
!
!
line con 0
 password ----
line aux 0
line vty 0 4
 password ---------
 login
!
end

2600a#
 
LVL 79

Expert Comment

by:lrmoore
ID: 13416649
>ip access-group 102 out
> ip access-group 101 out
> ip inspect test in

The ACLs 102 and 101 don't appear to exist any longer.
Try removing both the ACL and the inspect from all the interfaces and see if that works for you; then we can apply what you need once you get data flowing again.


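The check lrmoore made by eye above, turned into a script. This is an added example, not code from the thread: it parses an IOS running-config, flags `ip access-group` and `ip inspect` statements on interfaces that reference nothing defined, lists ACLs that are defined but applied nowhere, and adds two exposure checks visible in the same config (a read-write SNMP community and `no service password-encryption`). The sample input is a trimmed copy of the first 2600 config posted above; the finding texts, and the note that IOS passes all traffic through an access-group whose ACL does not exist, are mine rather than the thread's.

```python
"""Lint an IOS running-config for interfaces that apply undefined ACLs or inspect
rules, ACLs that are defined but never applied, and two common exposures.
Plain text parsing; no device access. Sample input is a trimmed copy of the
first 2600 config from the thread."""
import re

SAMPLE_CONFIG = """\
version 12.2
no service password-encryption
hostname 2600a
ip inspect name test tcp
ip inspect name test udp
!
interface Ethernet0/0
 ip address 192.168.2.5 255.255.255.240
 ip access-group 102 out
 ip inspect test in
!
interface Ethernet0/0.1
 encapsulation dot1Q 2
 ip address 192.168.3.1 255.255.255.240
 ip access-group 101 out
 ip inspect test in
!
interface Ethernet0/0.2
 encapsulation dot1Q 3
 ip address 192.168.4.1 255.255.255.240
 ip access-group 102 out
 ip inspect test in
!
access-list 104 deny   ip 192.168.4.0 0.0.0.255 host 216.109.112.135
access-list 104 permit ip any any
!
snmp-server community getifread RO
snmp-server community getif RW
!
end
"""


def parse(config):
    """Split a config into (defined ACL ids, defined inspect rule names,
    {interface: [sub-commands]}, [global commands])."""
    acls, inspects, interfaces, global_cmds = set(), set(), {}, []
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("!"):
            current = None                  # "!" closes an interface block
            continue
        if line.startswith(" "):            # indented: belongs to the current block
            if current is not None:
                interfaces[current].append(line.strip())
            continue
        current = None
        if m := re.match(r"interface (\S+)", line):
            current = m.group(1)
            interfaces[current] = []
        elif m := re.match(r"access-list (\d+) ", line):
            acls.add(m.group(1))
        elif m := re.match(r"ip access-list (?:standard|extended) (\S+)", line):
            acls.add(m.group(1))
        elif m := re.match(r"ip inspect name (\S+) ", line):
            inspects.add(m.group(1))
        else:
            global_cmds.append(line)
    return acls, inspects, interfaces, global_cmds


def lint(config):
    """Return a list of human-readable findings for the given config text."""
    acls, inspects, interfaces, global_cmds = parse(config)
    findings, applied = [], set()
    for name, cmds in interfaces.items():
        for cmd in cmds:
            if m := re.match(r"ip access-group (\S+) (in|out)", cmd):
                applied.add(m.group(1))
                if m.group(1) not in acls:
                    findings.append(f"{name}: ip access-group {m.group(1)} {m.group(2)} references an "
                                    "undefined ACL; IOS passes all traffic through it, so it filters nothing")
            elif m := re.match(r"ip inspect (\S+) (in|out)", cmd):
                if m.group(1) not in inspects:
                    findings.append(f"{name}: ip inspect {m.group(1)} references an undefined inspection rule")
                else:
                    findings.append(f"{name}: CBAC inspection '{m.group(1)}' applied {m.group(2)}; "
                                    "confirm it is wanted on an internal VLAN router behind a PIX")
    for acl in sorted(acls - applied):
        findings.append(f"ACL {acl} is defined but not applied to any interface")
    for cmd in global_cmds:
        if m := re.match(r"snmp-server community (\S+) RW", cmd):
            findings.append(f"SNMP read-write community '{m.group(1)}' configured: anyone who can reach "
                            "UDP/161 can rewrite the config; remove it or restrict it with an ACL")
        elif cmd == "no service password-encryption":
            findings.append("no service password-encryption: line and enable passwords are stored in clear text")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print("-", finding)
```

Run against the posted config it reports the three dangling access-group statements (101 and 102 on the three interfaces), ACL 104 sitting unused, inspection applied on every interface, the RW community `getif`, and the cleartext passwords. The dangling ACLs explain why removing them changed nothing: they were not blocking anything to begin with.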
 
LVL 43

Expert Comment

by:JFrederick29
ID: 13416653
How come you are using the IOS firewall when you have a PIX on your network?  Perhaps you should try removing ip inspect from the 2600 interfaces to test.  Can you also do a "show ip route".
 

Author Comment

by:dissolved
ID: 13416676
Ok, made the changes. It still doesn't work. Here is the config. Am I missing anything?

version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 2600a
!
enable secret 5 -------------
enable password --------
!
ip subnet-zero
!
!
ip name-server 192.168.1.98
!
ip cef
ip inspect name test tcp
ip inspect name test udp
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface Ethernet0/0
 ip address 192.168.2.5 255.255.255.240
 full-duplex
!
interface Ethernet0/0.1
 encapsulation dot1Q 2
 ip address 192.168.3.1 255.255.255.240
!
interface Ethernet0/0.2
 encapsulation dot1Q 3
 ip address 192.168.4.1 255.255.255.240
!
interface TokenRing0/0
 no ip address
 shutdown
 ring-speed 16
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.2.1
no ip http server
ip pim bidir-enable
!
!
snmp-server community getifread RO
snmp-server community getif RW
!
dial-peer cor custom
!
!
!
!
!
line con 0
 password -----
line aux 0
line vty 0 4
 password ----
 login
!
end

2600a#
 
LVL 43

Expert Comment

by:JFrederick29
ID: 13416690
How about the "show ip route"...
 
LVL 79

Expert Comment

by:lrmoore
ID: 13416699
Save the config and reboot this 2600. Need to clear all the arp cache and any existing inspected connections.
 

Author Comment

by:dissolved
ID: 13416714
Rebooted. Still cannot connect. Here is the sh ip ro


2600a#sh ip ro
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 192.168.2.1 to network 0.0.0.0

     192.168.4.0/28 is subnetted, 1 subnets
C       192.168.4.0 is directly connected, Ethernet0/0.2
     192.168.2.0/28 is subnetted, 1 subnets
C       192.168.2.0 is directly connected, Ethernet0/0
     192.168.3.0/28 is subnetted, 1 subnets
C       192.168.3.0 is directly connected, Ethernet0/0.1
S*   0.0.0.0/0 [1/0] via 192.168.2.1
2600a#


Thanks
 
LVL 43

Accepted Solution

by:JFrederick29
JFrederick29 earned 1600 total points
ID: 13416723
Did you change the 192.168.2.0 hosts' default gateway to 192.168.2.5?
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 400 total points
ID: 13416730
Good catch, JFrederick29. Local hosts also have to point to the router and not the PIX as their default gateway.

Can 192.168.3.x hosts ping 192.168.4.x hosts, but not 192.168.2.x hosts?
 

Author Comment

by:dissolved
ID: 13416765
192.168.3.x cannot ping 192.168.2.x
192.168.4.x cannot ping 192.168.2.x

However:

192.168.3.x can ping 192.168.4.x
192.168.4.x can ping 192.168.3.x

Quick question: If I make the default gateway for 192.168.2.x, "192.168.2.5", will I be bypassing my PIX?
Thanks guys
 
LVL 43

Expert Comment

by:JFrederick29
ID: 13416768
Just internally, but when you go out to the Internet, you will be going through the PIX.
 
LVL 43

Expert Comment

by:JFrederick29
ID: 13416771
You really have no choice, the default gateway on the 192.168.2.0 hosts must be 192.168.2.5.
 

Author Comment

by:dissolved
ID: 13416773
Ah... I see. Because the 2600's gateway IS the PIX?
 
LVL 43

Expert Comment

by:JFrederick29
ID: 13416777
Yes, correct :)
 

Author Comment

by:dissolved
ID: 13416788
So we normally do not use firewalls' internal interfaces as gateways, because by definition they are not routers?
Right?
thanks
 
LVL 43

Expert Comment

by:JFrederick29
ID: 13416817
Yes, the PIX won't "reroute" out the inside interface so a router is required.  Other firewalls may not have that "design" and in your situation, it would work.  But, like I said before, it's better to have the 2600 handle all internal routing and then have a default route to the PIX.
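JFrederick29's rule (the PIX will not forward a packet back out the interface it arrived on, so the 192.168.2.0 hosts must use the 2600 as their gateway) and the gateway layout from his earlier comment, modeled as a small forwarding simulation. This is an added example, not code from the thread. The addresses, masks and static routes are the ones in the posted PIX and 2600 configs; the .10 host addresses, the destination 198.51.100.1 standing in for the Internet, and treating 192.168.1.1 as an unmodeled upstream hop are assumptions of the example. It also traces the reply path, which is what made 192.168.3.x unable to ping 192.168.2.x while the .2 hosts still pointed at the PIX.

```python
"""Forwarding model of the thread's topology: PIX 6.3 (192.168.2.1) plus the 2600
(192.168.2.5) with one dot1Q subinterface per VLAN. Addresses and routes come from
the posted configs; host addresses (.10), 198.51.100.1 as "the Internet" and the
unmodeled upstream hop 192.168.1.1 are assumptions of this example."""
import ipaddress
from dataclasses import dataclass, field

IP, NET = ipaddress.ip_address, ipaddress.ip_network


@dataclass
class Device:
    name: str
    interfaces: dict                            # interface name -> attached IPv4Network
    routes: list = field(default_factory=list)  # [(IPv4Network, next-hop IPv4Address)]
    hairpin_allowed: bool = True                # False for PIX 6.x: never out the ingress interface

    def iface_for(self, ip):
        """Name of the interface whose connected subnet contains ip, else None."""
        for name, net in self.interfaces.items():
            if ip in net:
                return name
        return None

    def lookup(self, dst):
        """Longest-prefix match over connected subnets and static routes.
        Returns (egress interface, next hop); next hop is None when dst is directly connected."""
        best = None
        for name, net in self.interfaces.items():
            if dst in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, name, None)
        for net, nh in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, self.iface_for(nh), nh)
        return None if best is None else best[1:]


PIX = Device("pix",
             {"outside": NET("192.168.1.0/28"), "inside": NET("192.168.2.0/28")},
             [(NET("0.0.0.0/0"), IP("192.168.1.1")),
              (NET("192.168.3.0/28"), IP("192.168.2.5")),
              (NET("192.168.4.0/28"), IP("192.168.2.5"))],
             hairpin_allowed=False)
R2600 = Device("2600a",
               {"Ethernet0/0": NET("192.168.2.0/28"),
                "Ethernet0/0.1": NET("192.168.3.0/28"),
                "Ethernet0/0.2": NET("192.168.4.0/28")},
               [(NET("0.0.0.0/0"), IP("192.168.2.1"))])
# Every address a host or router might use as a next hop, mapped to the device owning it.
DEVICES = {IP("192.168.1.2"): PIX, IP("192.168.2.1"): PIX,
           IP("192.168.2.5"): R2600, IP("192.168.3.1"): R2600, IP("192.168.4.1"): R2600}


def trace(src, gateway, dst, devices=DEVICES, max_hops=8):
    """Follow one packet from a host whose default gateway is `gateway`.
    Returns (outcome, path): 'delivered', 'dropped', or 'forwarded' when the packet is
    handed to a next hop outside the model (the upstream 192.168.1.1, i.e. the Internet)."""
    src, gateway, dst = IP(src), IP(gateway), IP(dst)
    path = [f"host {src}"]
    on_link = any(src in net and dst in net
                  for dev in devices.values() for net in dev.interfaces.values())
    if on_link:
        return "delivered", path + [f"direct to {dst} (same subnet)"]
    next_hop = gateway
    for _ in range(max_hops):
        dev = devices.get(next_hop)
        if dev is None:
            return "forwarded", path + [f"handed to {next_hop} (outside the model)"]
        ingress = dev.iface_for(next_hop)
        route = dev.lookup(dst)
        if route is None:
            return "dropped", path + [f"{dev.name}: no route to {dst}"]
        egress, nh = route
        if not dev.hairpin_allowed and egress == ingress:
            return "dropped", path + [f"{dev.name}: in {ingress}, route points back out {egress}; "
                                      "PIX will not forward out the interface the packet arrived on"]
        path.append(f"{dev.name}: in {ingress}, out {egress}")
        if nh is None:
            return "delivered", path + [f"delivered to {dst}"]
        next_hop = nh
    return "dropped", path + ["hop limit exceeded"]


def ping_works(a, a_gw, b, b_gw):
    """A ping needs both the echo (a -> b) and the echo-reply (b -> a) to get through."""
    return trace(a, a_gw, b)[0] == "delivered" and trace(b, b_gw, a)[0] == "delivered"


if __name__ == "__main__":
    cases = [("192.168.2.10", "192.168.2.1", "192.168.3.10"),   # original setup: gateway = PIX
             ("192.168.2.10", "192.168.2.5", "192.168.3.10"),   # the fix: gateway = 2600
             ("192.168.3.10", "192.168.3.1", "192.168.4.10"),   # VLAN to VLAN, routed by the 2600
             ("192.168.2.10", "192.168.2.5", "198.51.100.1")]   # Internet-bound still crosses the PIX
    for case in cases:
        outcome, path = trace(*case)
        print(f"{outcome:9} {' -> '.join(path)}")
    # Why 192.168.3.x could not ping 192.168.2.x: the echo arrived, the reply went to the PIX.
    print("3.x -> 2.x ping, 2.x gateway = PIX :",
          ping_works("192.168.3.10", "192.168.3.1", "192.168.2.10", "192.168.2.1"))
    print("3.x -> 2.x ping, 2.x gateway = 2600:",
          ping_works("192.168.3.10", "192.168.3.1", "192.168.2.10", "192.168.2.5"))
```

The first trace stops at the PIX with the hairpin rule, the next two are delivered by the 2600, and the fourth leaves through the PIX's outside interface. That last one is the answer to "will I be bypassing my PIX?": only inter-VLAN traffic skips it, and anything for the Internet still goes 2600 -> PIX -> 192.168.1.1 where the outside ACL and NAT apply.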
 

Author Comment

by:dissolved
ID: 13416819
thanks a lot
 
LVL 43

Expert Comment

by:JFrederick29
ID: 13416822
No problem, nice working with you again, and lrmoore :)
 
LVL 79

Expert Comment

by:lrmoore
ID: 13416827
Ditto !
 

Author Comment

by:dissolved
ID: 13416877
ditto here too!
