Solved

Pix access to other pix on same network

Posted on 2005-03-22
Last Modified: 2013-11-16
I have a client with a pix issue that asked for some help - thought I'd bounce the situation here and see if anyone might be able to shed some light.
He is currently running a pix in front of his internal network, and recently added another pix to handle securing his web servers.
Topography is:

                     T1 Router
                         |
                       Switch
                         |
          -------------------------------
          |                             |
        PIX 1                         PIX 2
   Internal Network                Web Servers
    (external ip)          (2 external ips, 1 for pix and
                            1 static nat'd to server)


Both PIXes' external IPs are on the same network - the web server uses another ip static nat'd to the internal address.

Here's the situation: Up to this point, with an older firewall, users behind pix 1 were able to view the websites on the web server behind the older firewall.  Now, after installation of pix 2, outside users in front of the T1 Router can see the sites, but the internals behind pix 1 cannot.

He can ping the eth0 device address of pix2 from behind pix1, but CANNOT ping the other external ip address static NAT'd behind pix2.

My first guess is that the users behind pix1, when resolving the urls, do not make it out thru the t1 router and back, and are heading directly thru the switch to pix2, which is not allowing translation from those addresses it sees as local.  

The question - his users must be able to view the sites behind pix 2 for business purposes - is there a rule that should be set up to allow this, or, do you have any suggestions on how this might be possible?

Hope this made sense.  Thanks in advance for any assistance :)


Question by:crudmop
13 Comments
 
LVL 6

Expert Comment

by:bloemkool1980
ID: 13609239
It is a kinky setup and last time I asked Cisco it is bound to have problems.
I had a similar issue and they advised me to let the routing happen on the router. Thus PIX1 has only a default gateway to the router and the same for PIX2.
Now I suppose both pix are in the same IP subnet?
If so you are in trouble, you then translate all traffic coming from PIX-1. Adding a rule that all traffic is PAT'ed and hope it works.
PIX has difficulties in re-routing and ICMP redirects. Should be solved in the next PIX version.
Paste some of the nat rules from both firewalls so I can have an idea?


Author Comment

by:crudmop
ID: 13611216
Yep - both are parallel addresses on the same network.

for example:

Pix 1 has
eth0 24.24.24.1
eth1 192.168.1.1

Pix 2 has
eth0 24.24.24.2
eth1 192.168.10.1
24.24.24.3 Nat'd to 192.168.10.2

Other than the Nat to the ETH0s, pix2 has a static nat to the internal web server address, ie
static (inside,outside) x.x.x.x 192.168.10.2 netmask 255.255.255.255 0 0


LVL 6

Expert Comment

by:bloemkool1980
ID: 13611442
Ah but I think you are missing a rule in your first pix to allow the internal addresses to be natted to the PIX address.

global (outside) 1 interface

you should add something like this into pix 1
and create a rule that allows you to go out.
Author Comment

by:crudmop
ID: 13611506
It does - sorry, I thought I was clear with that -
both have their respective

global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.1.0 255.255.255.0 0 0

I left out a few key points that I didn't think were relevant - pix 1 has mail server static Nat'd behind it as well
Machines behind both PIX can see the web, and function correctly.  


LVL 4

Expert Comment

by:graemeboro
ID: 13611753
What are the access control list settings on PIX 2? I am wondering because it seems you can hit the outside interface but cannot get at the inside interface, so I am assuming the acl is not handling this.

Well, it's a theory at least :-) Let us know if this may be the case.

Graeme

Author Comment

by:crudmop
ID: 13612985
Correct - he can ping the external address, but cannot ping the internal thru the PIX.  What should the ACL have as an entry to allow this?  
LVL 3

Assisted Solution

by:alex_yala
alex_yala earned 800 total points
ID: 13619071
Ok, here's an idea:

It's a long shot, but I don't think you have much choice, unless you can buy a higher model, PIX 515E or higher, with DMZ card(s).

- Setup a site-to-site VPN connection between the two PIXes
- On your DNS server, update the webserver IP address to 192.168.10.2

Your PIX1 would know where to route the 192.168.10.2 (through PIX2).

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172795.html

I'm sure this will work.

Good luck.

Alex.
LVL 6

Assisted Solution

by:bloemkool1980
bloemkool1980 earned 400 total points
ID: 13619303
What alex said will work but it is expensive.
From PIX1 can you ping the external address from your Webserver?
Check both firewall logs when you try to access the webservers behind PIX-2 from the LAN at PIX-1.
If you see any blocked entry, could you provide that too?

It is possible we just need some more info: if you are on the LAN@PIX-1 and you do an nslookup for the webserver's domain, do you get the internal or external ip of the webservers back?
LVL 4

Accepted Solution

by:graemeboro
graemeboro earned 800 total points
ID: 13619497
crudmop,

let's say that the network address of PIX 1 is 10.10.10.0 and the network for PIX 2 is 20.20.20.0.

To allow traffic from 1 to 2 you need an acl on the outside interface of PIX 2 which will allow traffic identified as 10.10.10.0 to access PIX 2, so:

access-list inbound permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0 (This allows all traffic through, you may want to restrict it to certain protocols, or hosts)

Once you have your access list you can apply it to the outbound interface on your pix.

access-group inbound in interface outside

This is done and now should identify traffic from the other network when it arrives at the outbound interface to be passed into the network.

Hope this helps

Graeme
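Added example, not from the thread: a small evaluator for PIX 6.x access-list entries (first match wins, implicit deny at the end, outside ACLs written against the global NAT'd address), run against a constructed PIX2 outside ACL using the addresses from this thread to show which flows from PIX1's PAT address it would pass. The sample config, function names and the assumption that port/ICMP-type qualifiers can be ignored are mine.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class AclEntry:
    action: str                  # permit | deny
    proto: str                   # ip | tcp | udp | icmp
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

def _take_net(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    # PIX access-lists use ordinary subnet masks, which ipaddress accepts directly
    return ipaddress.IPv4Network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_acl(config_text, name):
    entries = []
    for line in config_text.splitlines():
        t = line.split()
        if len(t) >= 5 and t[0] == "access-list" and t[1] == name:
            src, rest = _take_net(t[4:])
            dst, _ = _take_net(rest)     # port / ICMP-type qualifiers after dst are ignored (assumption)
            entries.append(AclEntry(t[2], t[3], src, dst))
    return entries

def permitted(entries, proto, src_ip, dst_ip):
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for e in entries:
        if e.proto in ("ip", proto) and s in e.src and d in e.dst:
            return e.action == "permit"
    return False                         # implicit deny at the end of every PIX ACL

# Constructed sample of what PIX2's outside ACL might look like (not the poster's config).
# On PIX 6.x an outside ACL is written against the global (NAT'd) address, 24.24.24.3 here.
PIX2_CONFIG = """\
access-list inbound permit tcp any host 24.24.24.3 eq www
access-list inbound permit icmp any host 24.24.24.3 echo
access-group inbound in interface outside
"""

def check_page_flows():
    """Flows from the thread: PIX1's PAT address 24.24.24.1 reaching the web server."""
    acl = parse_acl(PIX2_CONFIG, "inbound")
    return {
        "http_from_pix1": permitted(acl, "tcp", "24.24.24.1", "24.24.24.3"),
        "ping_from_pix1": permitted(acl, "icmp", "24.24.24.1", "24.24.24.3"),
        "ping_inside_ip": permitted(acl, "icmp", "24.24.24.1", "192.168.10.2"),
    }
```

If the sample ACL permits the flow and the ping still fails, the outside ACL is not the blocker and the NAT/routing path between the two outside interfaces is the next thing to check.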

Author Comment

by:crudmop
ID: 13621619
Alex, that was an idea I had considered as well -

Blo - I can ping the device address on PIX 1, but not the NAT'd external-to-webserver address.  Sorry I have given minimal info; as you can see, my Cisco knowledge is mediocre at best and I thought I'd try to help this guy out.

Graeme - thanks!   I will pass that on and let you know what happens, if it works, etc - and I will try to get an excerpt of the running config.

Author Comment

by:crudmop
ID: 13654053
UPDATE - I suggested they set up the ACL as you said - as well as suggested the vpn idea (which I had originally suggested before I posted the question) - their guy says that neither can be done because the PIXes are on the same network and it will not allow that kind of traffic to cross from the same network.  Additionally, he mentioned that the VPN idea wouldn't work because the PIX will not allow a VPN connection to another PIX on the same network.
Is this true?
LVL 3

Expert Comment

by:alex_yala
ID: 13657397
No it is not true.

When I test new PIX IOS, I always test it on the same network. I think they are not sure whether the PIX know which path to go to the other PIX.

PIXes absolutely don't care whether the other peer is on the same network or different network.

Anyway, that's the only secure solution I can suggest.

Good Luck.

Alex.

Author Comment

by:crudmop
ID: 13664912
Thanks so much for all of your input - I've done what I can, now, they can make their own decisions :)

Bumping up the points and splitting them - thanks for the quick help!