  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 429

Pix access to other pix on same network

I have a client with a pix issue that asked for some help - thought I'd bounce the situation here and see if anyone might be able to shed some light.
He is currently running a pix in front of his internal network, and recently added another pix to handle securing his web servers.
Topography is:

                    T1 Router
                        |
                     Switch
                        |
          -------------------------------
          |                             |
        PIX 1                         PIX 2
   Internal Network               Web Servers
    (external ip)         (2 external ips, 1 for pix and
                           1 static nat'd to server)

Both PIXs' external IPs are on the same network; the web server uses another IP that is static NAT'd to the internal address.

Here's the situation: up to this point, with an older firewall, users behind pix 1 were able to view the websites on the web server behind the older firewall. Now, after installation of pix 2, outside users in front of the T1 Router can see the sites, but the internal users behind pix 1 cannot.

He can ping the eth0 device address of pix2 from behind pix1, but CANNOT ping the other external IP address static NAT'd behind pix2.

My first guess is that the users behind pix1, when resolving the URLs, do not make it out through the T1 router and back, and are heading directly through the switch to pix2, which is not allowing translation from those addresses it sees as local.

The question - his users must be able to view the sites behind pix 2 for business purposes - is there a rule that should be set up to allow this, or, do you have any suggestions on how this might be possible?

Hope this made sense.  Thanks in advance for any assistance :)


Asked by: crudmop
3 Solutions
 
bloemkool1980Commented:
It is a kinky setup, and the last time I asked Cisco, it is bound to have problems.
I had a similar issue and they advised me to let the routing happen on the router. Thus PIX1 has only a default gateway to the router, and the same for PIX2.
Now I suppose both PIXes are in the same IP subnet?
If so you are in trouble; you then translate all traffic coming from PIX-1. Add a rule that all traffic is PAT'ed and hope it works.
PIX has difficulties in re-routing and ICMP redirects. This should be solved in the next PIX version.
Paste some of the nat rules from both firewalls so I can have an idea?

 
crudmopAuthor Commented:
Yep - both are parallel addresses on the same network.

for example:

Pix 1 has
eth0 24.24.24.1
eth1 192.168.1.1

Pix 2 has
eth0 24.24.24.2
eth1 192.168.10.1
24.24.24.3 Nat'd to 192.168.10.2

Other than the NAT to the eth0s, pix2 has a static NAT to the internal web server address, i.e.
static (inside,outside) x.x.x.x 192.168.10.2 netmask 255.255.255.255 0 0


 
bloemkool1980Commented:
Ah but I think you are missing a rule in your first pix to allow the internal addresses to be natted to the PIX address.

global (outside) 1 interface

you should add something like this into pix 1
and create a rule that allows you to go out.
 
crudmopAuthor Commented:
It does - sorry, I thought I was clear with that -
both have their respective

global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.1.0 255.255.255.0 0 0

I left out a few key points that I didn't think were relevant - pix 1 has mail server static Nat'd behind it as well
Machines behind both PIX can see the web, and function correctly.  


 
graemeboroCommented:
What are the access control list settings on PIX 2? I am wondering because it seems you can hit the outside interface but cannot get at the inside interface, so I am assuming the ACL is not handling this.

Well, it's a theory at least :-) Let us know if this may be the case.

Graeme
 
crudmopAuthor Commented:
Correct - he can ping the external address, but cannot ping the internal one through the PIX. What should the ACL have as an entry to allow this?
 
alex_yalaCommented:
Ok, here's an idea:

It's a long shot, but I don't think you have much choice, unless you can buy a higher model PIX 515e or higher with DMZ card(s)

- Setup a site-to-site VPN connection between the two PIXes
- On your DNS server, update the webserver IP address to 192.168.10.2

Your PIX1 would know where to route the 192.168.10.2 (through PIX2).

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172795.html

I'm sure this will work.

Good luck.

Alex.
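Alex's alternative, written out as an added example for PIX 1 in PIX 6.x syntax. This is not Alex's configuration and is not taken from the linked Cisco page. It assumes the addresses crudmop posted (PIX 1 outside 24.24.24.1 with 192.168.1.0/24 behind it, PIX 2 outside 24.24.24.2 with 192.168.10.0/24 behind it), reuses crudmop's existing NAT-exemption list inside_outbound_nat0_acl, and uses the assumed names vpn_to_pix2, strong and vpnmap plus a placeholder pre-shared key. PIX 2 gets the mirror image: the two networks swapped in both access-list lines and 24.24.24.1 as the peer. Lines beginning with ! are annotations, not commands.

```cisco
! --- PIX 1, peer is PIX 2 at 24.24.24.2 (assumed example, PIX 6.x) ---

! Interesting traffic: PIX-1 LAN to PIX-2 LAN, by private addresses.
! (assumed ACL name: vpn_to_pix2)
access-list vpn_to_pix2 permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0

! Exempt the same traffic from PAT so the web server sees the real 192.168.1.x
! source. The thread already binds this list with
! "nat (inside) 0 access-list inside_outbound_nat0_acl", so only the entry is added.
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0

! Let decrypted tunnel traffic bypass the interface ACL on arrival.
sysopt connection permit-ipsec

! Phase 1 (IKE). Placeholder key: replace with a shared secret agreed with PIX 2.
isakmp enable outside
isakmp key PLACEHOLDER_PRESHARED_KEY address 24.24.24.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Phase 2 (IPsec). (assumed names: strong, vpnmap)
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address vpn_to_pix2
crypto map vpnmap 10 set peer 24.24.24.2
crypto map vpnmap 10 set transform-set strong
crypto map vpnmap interface outside
```

With this in place, the internal DNS change Alex mentions (the site name resolving to 192.168.10.2) is what steers the traffic: a PIX 1 user's packet to 192.168.10.2 heads for the default route toward the router, matches vpn_to_pix2 on the outside interface and is encrypted to 24.24.24.2 instead, which is why the peer being on the same subnet makes no difference. On either PIX, show crypto isakmp sa and show crypto ipsec sa show whether phase 1 and phase 2 came up. 3DES, SHA-1 and DH group 2 are used here because every PIX 6.x release has them; PIX 6.3 and later add AES, which is the better choice where available.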
 
bloemkool1980Commented:
What Alex said will work, but it is expensive.
From PIX1 can you ping the external address from your webserver?
Check both firewall logs when you try to access, from the LAN at PIX-1, the webservers behind PIX-2.
If you see any blocked entry, could you provide that too?

It is possible we just need some more info: if you are on the LAN@PIX-1 and you do an nslookup for the webserver's domain, do you get the internal or the external IP of the webserver back?
 
graemeboroCommented:
crudmop,

let's say that the network address of PIX 1 is 10.10.10.0 and the network for PIX 2 is 20.20.20.0.

To allow traffic from 1 to 2 you need an ACL on the outside interface of PIX 2 which will allow traffic identified as 10.10.10.0 to access PIX 2, so:

access-list inbound permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0 (This allows all traffic through; you may want to restrict it to certain protocols, or hosts)

Once you have your access list you can apply it to the outbound interface on your pix.

access-group inbound in interface outside

This is done and now should identify traffic from the other network when it arrives at the outbound interface to be passed into the network.

Hope this helps

Graeme
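The configuration Graeme describes, written out end to end as an added example; it is not configuration from this thread or from Cisco documentation. It uses the addresses crudmop posted (PIX 1 outside 24.24.24.1, PIX 2 outside 24.24.24.2, web server 192.168.10.2 statically translated to 24.24.24.3), PIX 6.x syntax, and an assumed ACL name outside_in; the lines marked as already present are the ones crudmop quoted. Because PIX 1 PATs its users to its own outside address (bloemkool's point), PIX 2 sees all of them as 24.24.24.1, and on PIX 6.x an outside ACL is matched against the translated (global) address, so the rules name 24.24.24.3, not 192.168.10.2. Lines beginning with ! are annotations, not commands.

```cisco
! --- PIX 1 (inside 192.168.1.0/24, outside 24.24.24.1) ---
! Already present per the thread: inside hosts leave PAT'ed to the outside
! interface address, so PIX 2 sees every PIX-1 user as 24.24.24.1.
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
global (outside) 1 interface

! --- PIX 2 (inside 192.168.10.0/24, outside 24.24.24.2) ---
! Already present per the thread: the web server's public address.
static (inside,outside) 24.24.24.3 192.168.10.2 netmask 255.255.255.255 0 0

! Outside-to-inside is denied by default (lower to higher security level),
! so the outside interface needs an explicit permit. (assumed ACL name: outside_in)
! The public at large, which includes PIX 1's PAT address, gets only the web ports.
access-list outside_in permit tcp any host 24.24.24.3 eq www
access-list outside_in permit tcp any host 24.24.24.3 eq https
! Only PIX 1's outside address may ping the server's public address; this is
! what makes crudmop's "ping the NAT'd address" test succeed.
access-list outside_in permit icmp host 24.24.24.1 host 24.24.24.3 echo
! Everything else to 24.24.24.3 falls to the implicit deny at the end of the list.
access-group outside_in in interface outside
```

This path only works if the PIX 1 users resolve the site to the public 24.24.24.3 (bloemkool's nslookup question): PIX 1 ARPs for that address on the shared segment and PIX 2 answers by proxy ARP for its static, so nothing has to go out through the T1 router and back. To check the result from behind PIX 1, telnet 24.24.24.3 80 should get a connection; on PIX 2, show access-list outside_in shows a hit count per line, and with logging on and logging buffered 4 a blocked attempt appears in show logging as a %PIX-4-106023 Deny line naming the access-group. ICMP is not tracked statefully on PIX 6.x, which is why the echo line is needed for the ping test, while the echo reply travels inside to outside and passes by default.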
 
crudmopAuthor Commented:
Alex, that was an idea I had considered as well -

Blo - I can ping the device address on PIX 1, but not the NAT'd external-to-webserver address.  Sorry I have given minimal info, as you can see, my Cisco knowledge is mediocre at best and thought I'd try to help this guy out.  

Graem - thanks!   I will pass that on and let you know what happens, if it works, etc - and I will try to get an excerpt of the running config.
 
crudmopAuthor Commented:
UPDATE - I suggested they set up the ACL as you said - as well as suggested the vpn idea (which I had originally suggested before I posted the question) - their guy says that neither can be done because the PIXs are on the same network and it will not allow that kind of traffic to cross from the same network.  Additionally, he mentioned that the VPN idea wouldn't work because the PIX will not allow a VPN connection to another PIX on the same network.
Is this true?
 
alex_yalaCommented:
No it is not true.

When I test new PIX IOS, I always test it on the same network. I think they are not sure whether the PIX know which path to go to the other PIX.

PIXes absolutely don't care whether the other peer is on the same network or different network.

Anyway, that's the only secured solution I can suggest.

Good Luck.

Alex.
 
crudmopAuthor Commented:
Thanks so much for all of your input - I've done what I can, now, they can make their own decisions :)

Bumping up the points and splitting them - thanks for the quick help!
