Pix access to other pix on same network

I have a client with a pix issue that asked for some help - thought I'd bounce the situation here and see if anyone might be able to shed some light.
He is currently running a pix in front of his internal network, and recently added another pix to handle securing his web servers.
Topography is:

                    T1 Router
                        |
                      Switch
                        |
            ---------------------------
            |                         |
          PIX 1                     PIX 2
     Internal Network            Web Servers
      (external ip)        (2 external ips, 1 for pix and
                            1 static nat'd to server)

Both PIXes have external IPs on the same network - the web server uses another IP static NAT'd to the internal address.

Here's the situation :  Up to this point, with an older firewall, users behind pix 1 were able to view the websites on the web server behind older firewall.  Now, after installation of pix 2, outside users in front of the T1 Router can see the sites, but the internals behind pix 1 cannot.  

He can ping the eth0 device address of pix2 from behind pix1, but CANNOT ping the other external IP address static NAT'd behind pix2.

My first guess is that the users behind pix1, when resolving the urls, do not make it out thru the t1 router and back, and are heading directly thru the switch to pix2, which is not allowing translation from those addresses it sees as local.  

The question - his users must be able to view the sites behind pix 2 for business purposes - is there a rule that should be set up to allow this, or, do you have any suggestions on how this might be possible?

Hope this made sense.  Thanks in advance for any assistance :)


crudmopAsked:

bloemkool1980Commented:
It is a kinky setup and last time I asked Cisco it is bound to have problems.
I had a similar issue and they advised me to let the routing happen on the router. Thus PIX1 has only a default gateway to the router and the same for PIX2.
Now I suppose both PIXes are in the same IP subnet?
If so you are in trouble, you then translate all traffic coming from PIX-1. Adding a rule that all traffic is PAT'ed and hope it works.
PIX has difficulties in re-routing and ICMP redirects. Should be solved in the next PIX version.
Paste some of the nat rules from both firewalls so I can have an idea?

0
crudmopAuthor Commented:
Yep - both are parallel addresses on the same network.

for example:

Pix 1 has
eth0 24.24.24.1
eth1 192.168.1.1

Pix 2 has
eth0 24.24.24.2
eth1 192.168.10.1
24.24.24.3 Nat'd to 192.168.10.2

Other than the Nat to the ETH0s, pix2 has a static nat to the internal web server address, ie
static (inside,outside) x.x.x.x 192.168.10.2 netmask 255.255.255.255 0 0


0
bloemkool1980Commented:
Ah but I think you are missing a rule in your first pix to allow the internal addresses to be natted to the PIX address.

global (outside) 1 interface

you should add something like this into pix 1
and create a rule that allows you to go out.
0

crudmopAuthor Commented:
It does - sorry, I thought I was clear with that -
both have their respective

global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.1.0 255.255.255.0 0 0

I left out a few key points that I didn't think were relevant - pix 1 has mail server static Nat'd behind it as well
Machines behind both PIX can see the web, and function correctly.  


0
graemeboroCommented:
What are the access control list settings on the PIX 2, I am wondering because it seems you can hit the outside interface but cannot get at the inside interface, so I am assuming the acl is not handling this.

Well, it's a theory at least :-) Let us know if this may be the case.

Graeme
0
crudmopAuthor Commented:
Correct - he can ping the external address, but cannot ping the internal thru the PIX.  What should the ACL have as an entry to allow this?  
0
alex_yalaCommented:
Ok, here's an idea:

It's a long shot, but I don't think you have much choice, unless you can buy a higher model PIX 515e or higher with DMZ card(s)

- Setup a site-to-site VPN connection between the two PIXes
- On your DNS server, update the webserver IP address to 192.168.10.2

Your PIX1 would know where to route the 192.168.10.2 (through PIX2).

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172795.html

I'm sure this will work.

Good luck.

Alex.
0
bloemkool1980Commented:
What alex said will work but it is expensive.
From PIX1 can you ping the external address from your Webserver?
Check both firewall logs when you try to access from the LAN at PiX-1 the webservers behind the PIX-2
If you see any blocked entry could you provide that too?

It is possible we just need some more info: if you are on the LAN@PIX-1 and you do an nslookup for the web server's domain, do you get the internal or the external IP of the web server back?
0
graemeboroCommented:
crudmop,

Let's say that the network address of PIX 1 is 10.10.10.0 and the network for PIX 2 is 20.20.20.0.

To allow traffic from 1 to 2 you need an ACL on the outside interface of PIX 2 which will allow traffic identified as 10.10.10.0 to access PIX 2, so :-

access-list inbound permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0 (This allows all traffic through, you may want to restrict it to certain protocols, or hosts)

Once you have your access list you can apply it to the outbound interface on your PIX.

access-group inbound in interface outside

This is done and now should identify traffic from the other network when it arrives at the outbound interface to be passed into the network.

Hope this helps

Graeme
0
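As an added example that is not part of the thread: the ACL idea above, written out in PIX 6.x syntax against the addresses given in the question (PIX 1 outside 24.24.24.1, PIX 2 outside 24.24.24.2, web server published on 24.24.24.3 and living on 192.168.10.2). The access-list name outside_in and the choice of ports are assumptions. Because PIX 1 PATs its users to 24.24.24.1, which sits on the same subnet as PIX 2's outside interface, their requests cross the switch straight to PIX 2 without touching the router, so PIX 2's outside ACL must admit 24.24.24.1 as a source. On PIX 6.x the inbound ACL matches the translated (public) address, not the 192.168.10.x address.

```cisco
! PIX 2 (added example, assumed names) -------------------------------
! Publish the web server on 24.24.24.3 (same static as in the thread).
static (inside,outside) 24.24.24.3 192.168.10.2 netmask 255.255.255.255 0 0

! Inbound ACL on the outside interface. "any" covers both Internet users
! arriving via the T1 router and the users behind PIX 1, who arrive as
! 24.24.24.1. Only the web ports are opened to the published address.
access-list outside_in permit tcp any host 24.24.24.3 eq www
access-list outside_in permit tcp any host 24.24.24.3 eq https
! Optional, for troubleshooting only: let PIX 1's PAT address ping the
! published web server address.
access-list outside_in permit icmp host 24.24.24.1 host 24.24.24.3 echo
access-group outside_in in interface outside

! PIX 1 (added example) ------------------------------------------------
! PIX 6.x does not track ICMP statefully, so echo replies to pings started
! from the inside are dropped on the outside interface unless permitted.
! Without this, "cannot ping 24.24.24.3" says nothing about whether HTTP
! to the web server would work.
access-list outside_in permit icmp any any echo-reply
access-group outside_in in interface outside
```

To confirm which firewall is dropping the traffic, browse to the site from a host behind PIX 1 and then check `show conn` and `show xlate` on both units: a translation on PIX 1 with no matching connection on PIX 2 points at the switch path, and an ACL drop on PIX 2 shows up in its syslog as a deny message (106023) naming the source 24.24.24.1 and the destination 24.24.24.3.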

crudmopAuthor Commented:
Alex, that was an idea I had considered as well -

Blo - I can ping the device address on PIX 1, but not the NAT'd external-to-webserver address.  Sorry I have given minimal info, as you can see, my Cisco knowledge is mediocre at best and thought I'd try to help this guy out.  

Graem - thanks!   I will pass that on and let you know what happens, if it works, etc - and I will try to get an excerpt of the running config.
0
crudmopAuthor Commented:
UPDATE - I suggested they set up the ACL as you said - as well as suggested the vpn idea (which I had originally suggested before I posted the question) - their guy says that neither can be done because the PIXs are on the same network and it will not allow that kind of traffic to cross from the same network.  Additionally, he mentioned that the VPN idea wouldn't work because the PIX will not allow a VPN connection to another PIX on the same network.
Is this true?
0
alex_yalaCommented:
No it is not true.

When I test new PIX IOS, I always test it on the same network. I think they are not sure whether the PIX know which path to go to the other PIX.

PIXes absolutely don't care whether the other peer is on the same network or different network.

Anyway, that's the only secured solution I can suggest.

Good Luck.

Alex.
0
crudmopAuthor Commented:
Thanks so much for all of your input - I've done what I can, now, they can make their own decisions :)

Bumping up the points and splitting them - thanks for the quick help!
0